Vulnerability exposes location of thousands of malware C&C servers

An extra whitespace in a server response allowed a security firm to track a hackers' favorite tool for years.
Written by Catalin Cimpanu, Contributor

A vulnerability in a tool used by cyber-criminal gangs is now helping researchers expose the locations of thousands of malware command-and-control (C&C) servers.

The vulnerability --now patched since the start of the year-- affected Cobalt Strike, a legitimate penetration testing tool used by security researchers to emulate cyber-attacks.

Cobalt Strike has been around for more than a decade, but for the past five years, it has slowly been adopted by cyber-criminal groups as well.

Malware gangs and nation-state cyber-espionage groups have used Cobalt Strike because of its simple and very efficient client-server architecture.

Cyber-criminals use Cobalt Strike to host their C&C servers, and then deploy malware on company networks through Cobalt "beacons" they plant on infected hosts.

Over the past few years, Cobalt Strike slowly became the go-to toolkit for many threat actors, such as the FIN6 and FIN7 (Carbanak) cyber-criminal gangs, but also nation-state hackers such as APT29 (Cozy Bear).

But unbeknownst to all these hacker groups was that Fox-IT researchers discovered a bug in the Cobalt Strike server component. Built on NanoHTTPD, a Java-based web server, crooks didn't know that it contained a bug that allowed Fox-IT to track them since 2015.

According to Fox-IT researchers, the NanoHTTPD server accidentally added an additional space in the server's HTTP responses, like in the image below.

The Cobalt Strike extra whitespace
Image: Fox-IT

This extra whitespace allowed Fox-IT to detect Cobalt Strike communications between beacons and their C&C servers across the years, until January 2, 2019, when Cobalt Strike developers patched the bug and removed the extra space in version 3.13.

"In total Fox-IT has observed 7718 unique Cobalt Strike team server or NanoHTTPD hosts between the period of 2015-01 and 2019-02," the company said in a blog post this week.

Because the issue is now patched, Fox-IT researchers revealed this little trick, along with a list of historical IP addresses that used to or are still hosting Cobalt Strike C&C servers.

The company hopes that security teams use this list to check their network logs for these IP addresses and identify past or current security breaches.

Some of these IP addresses might belong to legitimate Cobalt Strike instances hosted by security firms for testing purposes, but Fox-IT believes that many of these are also from hacker groups.

They said that a cursory examination of their list of 7,700+ IP addresses revealed malware C&C servers tied to China's APT10 government hacking unit, the Bokbot banking trojan, and servers managed by remnants of the Cobalt Group (also known as FIN7 or Carbanak).

KnownSec 404 Team, a Chinese cyber-security company that runs the ZoomEye IoT search engine confirmed Fox-IT's discovery by identifying 3,643 Cobalt Strike NanoHTTPD-based servers that are still operational at this moment --86 percent of which were also on Fox-IT's list, the company said.

Fox-IT says that current scans for the extra whitespace are turning fewer and fewer results, as servers are getting patched.

However, the company says that most threat actors tend to use pirated, cracked, and unregistered versions of the Cobalt Strike software, and therefore will remain unpatched for a long time to come.

As legitimately-owned servers will receive the Cobalt Strike patch, most of the servers that will come up during scans in the coming future will most likely be part of malware operations.

Cobalt Strike servers stats
Image: Fox-IT

Cybercrime and malware, 2019 predictions

Malware and cyber-crime related coverage:

Editorial standards