New research shows how Cobalt Strike is being weaponized in campaigns deploying malware ranging from the Trickbot banking Trojan to Bazar.
On Wednesday, Intel 471 published a report exploring the abuse of Cobalt Strike, a commercial penetration testing tool released in 2012. Its post-exploitation agent, the "beacon", is deployed on compromised systems to simulate attacker activity and test network defenses.
In January, security analysts said that Cobalt Strike and the Metasploit framework together accounted for over 25% of all malicious command-and-control (C2) servers observed in 2020.
The popular penetration testing kit, of which source code for version 4.0 was allegedly leaked online in 2020, has been abused by threat actors for years and has become a go-to tool for advanced persistent threat (APT) groups including Carbanak and Cozy Bear.
According to Fox-IT, thousands of instances of Cobalt Strike abuse have been recorded, but most threat actors use legacy, pirated, or cracked copies of the software rather than licensed builds.
"Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families," Intel 471 notes. "Access to this powerful and highly flexible tool has been limited by the product's developers, but leaked versions have long spread across the internet."
The researchers say that existing abuse of Cobalt Strike has been linked to campaigns ranging from ransomware deployment to surveillance and data exfiltration. However, because the tool's Malleable C2 profiles let operators reshape the beacon's network traffic and indicators at will, attributing C2 servers to their owners can be complicated.
Nevertheless, the team has conducted an investigation into the use of Cobalt Strike in post-exploitation activities.
Trickbot was chosen as a starting point. Operators of the Trickbot banking Trojan have dropped Cobalt Strike, alongside Meterpreter and PowerShell Empire, in attacks dating back to 2019, as well as in more recent attacks traced by Walmart Global Tech and SentinelLabs.
The Hancitor group (also tracked as MAN1, Moskalvzapoe, and TA511) has also now begun using Cobalt Strike. Hancitor was once linked to the deployment of the Gozi Trojan and the Evil Pony information stealer, as noted by Palo Alto Networks, but recent infections show that these tools have been replaced with Cobalt Strike. During post-exploitation activity, Hancitor then deploys a Remote Access Trojan (RAT), information stealers, or, in some cases, spambot malware.
"The group setting up the Cobalt Strike team servers related to Hancitor prefers to host their CS beacons on hosts without a domain," Intel 471 says. "The CS beacons will call home to the same set of IPs. Stagers are downloaded from infrastructure set up via Yalishanda bulletproof hosting service. It's important to note that Hancitor only drops Cobalt Strike on machines that are connected to a Windows domain. When this condition isn't met, Hancitor may drop SendSafe (a spambot), the Onliner IMAP checker, or the Ficker information stealer."
The researchers also explore the use of Cobalt Strike by threat actors distributing the Qbot/Qakbot banking Trojan, one of whose plugins, plugin_cobalt_power3, is used to deploy the penetration testing tool.
"The configuration extracted from the Qbot-related Cobalt Strike beacon doesn't show any links to any other groups that we are aware of," the report states. "When comparing this activity to samples reported by other researchers, we observed different public Malleable-C2 profiles used, but commonalities in hosting infrastructure."
SystemBC, a malware family that Proofpoint reported uses SOCKS5 proxies to mask network traffic, has been distributed as a payload by both the RIG and Fallout exploit kits. According to Intel 471, ransomware operators have also adopted SystemBC, which dropped Cobalt Strike in campaigns across 2020 and early 2021. However, the team has not attributed these recent campaigns to specific, known threat actors.
Also of note, in early 2021, Bazar campaigns were observed distributing Cobalt Strike directly rather than the Bazar loaders the threat actors had typically used in the past.
"Cobalt Strike is a powerful tool that's being leveraged by people that shouldn't be leveraging it at all: a growing number of cybercriminals," the researchers say. "That said, not all deployments of Cobalt Strike are the same. Some deployments demonstrate bad operational security by re-using infrastructure and not changing their malleable-C2 profiles. Additionally, some operators drop Cobalt Strike on many infected systems, while others will only deploy the tool very selectively."
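Two of the report's points above, that a beacon's extracted configuration can be compared with other researchers' samples, and that operators who reuse hosting infrastructure while swapping Malleable C2 profiles are easy to cluster, come down to pulling the embedded configuration out of a beacon and keying on its C2 host. The following Python is an added example, not code from Intel 471 or from the Cobalt Strike product. It assumes the widely documented layout of the embedded beacon configuration: a sequence of records (big-endian uint16 setting ID, uint16 type, uint16 length, value) XORed with a single byte, 0x69 in 3.x builds and 0x2e in 4.x builds, and it uses a partial setting-ID table taken from public parsers. The sample "images", the settings in them, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed test data; a real sample must first be unpacked (the stager and reflective-loader layers stripped) before the search for the encoded header will succeed.

```python
import struct

# Single-byte XOR keys used by the two beacon generations (4.x: 0x2e, 3.x: 0x69).
XOR_KEYS = (0x2E, 0x69)

# A decoded config starts with setting 1 (BeaconType), type 1 (short), length 2.
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"

# Setting IDs as documented by public beacon-config parsers; only the subset
# used here is listed (assumption: taken from public documentation, not the product).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
                 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}


def xor_bytes(blob, key):
    return bytes(b ^ key for b in blob)


def encode_config(settings):
    """Serialise (id, type, value) tuples into the TLV layout: big-endian
    uint16 id, uint16 type (1 short, 2 int, 3 bytes), uint16 length, value."""
    out = bytearray()
    for sid, typ, value in settings:
        if typ == 1:
            data = struct.pack(">H", value)
        elif typ == 2:
            data = struct.pack(">I", value)
        else:
            data = value.encode() + b"\x00"
        out += struct.pack(">HHH", sid, typ, len(data)) + data
    return bytes(out)


def parse_config(blob):
    """Walk decoded TLV records until the zero-id terminator (the padding)."""
    settings, off = {}, 0
    while off + 6 <= len(blob):
        sid, typ, length = struct.unpack_from(">HHH", blob, off)
        off += 6
        if sid == 0:
            break
        data = blob[off:off + length]
        off += length
        if typ == 1:
            value = struct.unpack(">H", data)[0]
        elif typ == 2:
            value = struct.unpack(">I", data)[0]
        else:
            value = data.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(sid, f"Setting{sid}")] = value
    return settings


def find_and_extract(image):
    """Locate the encoded config in an unpacked beacon image by searching for
    the XOR-encoded header, then decode and parse it. Returns (key, settings)."""
    for key in XOR_KEYS:
        pos = image.find(xor_bytes(CONFIG_HEADER, key))
        if pos != -1:
            return key, parse_config(xor_bytes(image[pos:], key))
    raise ValueError("no Cobalt Strike beacon config found")


def group_by_c2(configs):
    """Cluster parsed configs by C2 host (the part before the comma in the
    C2Server setting), ignoring URIs and User-Agent, which a Malleable C2
    profile changes freely while the hosting stays the same."""
    groups = {}
    for name, cfg in configs.items():
        host = cfg["C2Server"].split(",")[0]
        groups.setdefault(host, []).append(name)
    return groups


def build_image(settings, key):
    """Constructed test data: a fake unpacked beacon with the encoded config
    sitting between filler bytes, as it would inside a data section."""
    blob = encode_config(settings) + b"\x00" * 16   # zero padding terminates parsing
    return b"MZ" + b"\x90" * 64 + xor_bytes(blob, key) + b"\x90" * 64


# Constructed samples: A and B share a C2 host but use different profiles and
# different beacon generations; C reuses A's profile on a different host.
PROFILE_JQUERY = [(9, 3, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
                  (10, 3, "/jquery-3.3.2.min.js")]
SAMPLE_IMAGES = {
    "sample_a": build_image([(1, 1, 8), (2, 1, 443), (3, 2, 60000), (5, 1, 20),
                             (8, 3, "203.0.113.10,/jquery-3.3.1.min.js")] + PROFILE_JQUERY, 0x2E),
    "sample_b": build_image([(1, 1, 0), (2, 1, 80), (3, 2, 30000), (5, 1, 0),
                             (8, 3, "203.0.113.10,/updates.rss"),
                             (9, 3, "Mozilla/4.0 (compatible; MSIE 8.0)"),
                             (10, 3, "/submit.php")], 0x69),
    "sample_c": build_image([(1, 1, 8), (2, 1, 443), (3, 2, 60000), (5, 1, 20),
                             (8, 3, "198.51.100.7,/jquery-3.3.1.min.js")] + PROFILE_JQUERY, 0x2E),
}


def cluster_samples(images=SAMPLE_IMAGES):
    """Extract every image's config and cluster the samples by C2 host."""
    return group_by_c2({name: find_and_extract(img)[1] for name, img in images.items()})


if __name__ == "__main__":
    for name, img in SAMPLE_IMAGES.items():
        key, cfg = find_and_extract(img)
        print(f"{name}: key=0x{key:02x} {cfg}")
    print(cluster_samples())
```

Run as-is, the script decodes all three constructed images and groups sample_a with sample_b (same host, different profile and beacon generation) while sample_c, which copies sample_a's profile verbatim, lands in its own cluster. Keying on the C2 host rather than on URIs or User-Agent is what makes the infrastructure reuse the report describes visible even when the profile changes; a fuller tool would also extract the public key setting, which identifies the team server regardless of host.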