According to new research, Cobalt Strike is being weaponized in campaigns that use malware ranging from the Trickbot banking Trojan to Bazar. On Wednesday, Intel 471 released a report on the misuse of Cobalt Strike, a commercial penetration testing tool released in 2012 that can be used to deploy beacons on systems to simulate attacks and test network defenses.
Security analysts reported in January that Cobalt Strike, along with the Metasploit framework, was used to host more than 25% of all malicious command-and-control (C2) servers deployed in 2020. The popular penetration testing kit, the source code for version 4.0 of which was allegedly leaked online in 2020, has been abused for years by threat actors and has become a go-to tool for advanced persistent threat (APT) groups such as Carbanak and Cozy Bear. Thousands of Cobalt Strike abuse incidents have been documented, but the majority of threat actors will use legacy, pirated, or cracked copies of the software.
According to the researchers, existing Cobalt Strike abuse has been linked to campaigns ranging from ransomware deployment to surveillance and data exfiltration, but because the tool allows users to create malleable C2 architectures, tracing C2 owners can be difficult. However, the team has looked into the use of Cobalt Strike in post-exploitation activities.
As a starting point, Trickbot was chosen. Cobalt Strike has been used by trickbot banking Trojan operators in attacks dating back to 2019 – alongside Meterpreter and PowerShell Empire.
Cobalt Strike is now being used by the Hancitor group (MAN1/Moskalvzapoe/TA511). As previously reported by Palo Alto Networks, recent infections have revealed that the Gozi Trojan and Evil Pony information stealer have been replaced by Cobalt Strike. Hancitor will then deploy a Remote Access Trojan (RAT), information stealers, or, in some cases, spambot malware during post-exploit activities.
According to Intel 471, “the group setting up the Cobalt Strike team servers related to Hancitor prefers to host their CS beacons on hosts without a domain.” “The CS beacons will communicate with the same set of IP addresses. Stagers are downloaded from infrastructure that has been set up using the Yalishanda bulletproof hosting service. It’s worth noting that Hancitor will only drop Cobalt Strike on machines that are part of a Windows domain. If this condition is not met, Hancitor may uninstall SendSafe (a spambot), the Onliner IMAP checker, or the Ficker information stealer.” The researchers also investigate the use of Cobalt Strike by threat actors distributing the Qbot/Qakbot banking Trojan, one of whose plugins is Cobalt Strike– plugin_cobalt_power3 — enables the pen testing tool.
“The configuration extracted from the Qbot-related Cobalt Strike beacon does not show any links to other groups that we are aware of,” according to the report. “When we compared this activity to samples reported by other researchers, we discovered that different public Malleable-C2 profiles were used, but that there were similarities in hosting infrastructure.”
SystemBC malware operators use SOCKS5 proxies to mask network traffic and have been included as a payload in both the RIG and Fallout exploit kits. According to Intel 471, ransomware operators have also used SystemBC, which dropped Cobalt Strike during campaigns in 2020 and early 2021. The team, however, has not linked these recent campaigns to specific, well-known threat actors.
It is also worth noting that in early 2021, Bazar campaigns were recorded as sending and distributing Cobalt Strike rather than the typical Bazar loaders used by threat actors in the past.
“Cobalt Strike is a powerful tool that is being used by people who should not be using it at all: a growing number of cybercriminals,” the researchers write. “However, not all Cobalt Strike deployments are the same. Some deployments exhibit poor operational security by reusing infrastructure and failing to update their malleable-C2 profiles. Furthermore, some operators will drop Cobalt Strike on a large number of infected systems, whereas others will only use the tool sparingly.”