Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020

Security firm Recorded Future said it tracked more than 10,000 malware command and control servers last year, used across more than 80 malware families.
Written by Catalin Cimpanu, Contributor

Cobalt Strike and Metasploit, two penetration testing toolkits usually employed by security researchers, have been used to host more than a quarter of all the malware command and control (C&C) servers that have been deployed in 2020, threat intelligence firm Recorded Future said in a report today.

The security firm said it tracked more than 10,000 malware C&C servers last year, across more than 80 malware strains.

The malware operations were the work of both state-sponsored and financially-motivated hacking groups.

These groups deployed malware using various methods. If the malware managed to infect victim devices, it would report back to a command and control server from where it would request new commands or upload stolen information.

Under the hood, these C&C servers can be custom-built for a specific malware family, or they can use well-known technologies, either closed or open-sourced projects.

Across the years, the infosec industry has noted a rising trend in the use of open source security tools as part of malware operations, and especially the increased usage of "offensive security tools," also known as OST, red-team tools, or penetration testing toolkits.

The most complex of these tools work by simulating an attacker's actions, including the ability to host a malware C&C in order to test if a company's defenses can detect web traffic from infected hosts to the "fake" malware C&C server.

But malware operators also quickly realized that they could also adopt these "good guy" tools as their own and then hide real malware traffic inside what companies and security firms might label as a routine "penetration test."

According to Recorded Future, two of these penetration testing toolkits have now become the top two most widely used technologies for hosting malware C&C servers — namely Cobalt Strike (13.5% of all 2020 malware C&C servers) and Metasploit (with 10.5%).

The first is Cobalt Strike, a closed-source "adversary emulation" toolkit that malware authors cracked and abused for years, spotted on 1,441 servers last year.

The second is Metasploit, an open source penetration testing toolkit developed by security firm Rapid7, which was similarly widely adopted by malware authors due to the fact that it has constantly received updates across the years.

Third on the list of most popular malware C&C servers was PupyRAT, a remote administration trojan. While not a security tool, PupyRAT ranked third because its codebase has been open-sourced on GitHub in 2018, leading to a rise in adoption among cybercrime operations.

Image: Recorded Future

However, besides Cobalt Strike and Metasploit, many other offensive security tools have also been abused by malware operations as well, although to a lesser degree.

Even so, the groups who abused these tools included many state-sponsored hacking groups engaged in cyber-espionage operations, Recorded Future said.

Image: Recorded Future

But the Recorded Future report also looked at other facets of a malware C&C server's operations. Other observations include:

  • On average, command and control servers had a lifespan (that is, the amount of time the server hosted the malicious infrastructure) of 54.8 days.
  • Monitoring only "suspicious" hosting providers can leave blindspots, as 33% of C&C servers were hosted in the US, many on reputable providers.
  • The hosting providers that had the most command and control servers on their infrastructure were all U.S.-based: Amazon, Digital Ocean, and Choopa.
Image: Recorded Future
Editorial standards