How Cobalt Strike Became a Favorite Tool of Hackers

Cobalt Strike was created a decade ago by Raphael Mudge as a tool for security professionals. It’s a comprehensive platform that emulates very realistic attacks. Indeed, the tool can assess vulnerabilities and run penetration tests, while most tools on the market cannot do both.

Indeed, vulnerability assessment and pentesting are two different things. The first consists of identifying vulnerabilities that could be used by hackers, not exploiting them. Pentesting involves vulnerability exploitation and post-exploitation actions – the idea is to conduct a real attack, like cybercriminals would do, except with an explicit authorization from the company.

Cobalt Strike – now owned by HelpSystems – provides various packages and tools to detect outdated software, generate malware, test endpoints, or run spear phishing campaigns that maximize success rate. In other words, it emulates all adversarial techniques, including the sophisticated ones, in a pretty efficient way.

The tool is so powerful that black hat hackers and international threat groups have added it to their arsenal. They even created a Linux version, as Linux servers are prevalent in cloud computing environments and the detection rate of a Linux variant would be pretty low.

A recent column by cybersecurity researcher Brian Krebs described the lengths that the Conti ransomware group went to acquire a legitimate Cobalt Strike license for its reconnaissance efforts, highlighting the value hackers place on the tool.

Also read: 13 Best Vulnerability Scanner Tools for 2022

Cobalt Strike Attacks Make Headlines

Recently, security researchers found evidence of Cobalt Strike payloads in Microsoft SQL servers. These servers are a pretty popular database management system for various applications, from the largest to the smallest, and thus contain a lot of sensitive data.

After gaining unauthorized access, the hackers implanted the payload into a legitimate Windows dll (wwanmm.dll) to avoid memory-base detection.

BlackByte, a notorious ransomware group, recently exfiltrated financial data from the National Football League’s San Francisco 49ers and demanded a ransom. After exploiting a vulnerability in Microsoft Exchange servers, the hackers operated pretty much the same way by implanting Cobalt Strike to establish a communication channel.

Cobalt Strike is routinely in the headlines, and that trend will likely continue, as the tool is notoriously difficult to detect.

The Perfect Weapon for Stealth Attacks

Cobalt Strike has an extensive range of tools, but the best feature for threat actors is probably its ability to create connections (using Cobalt Strike servers) to compromise networks and create persistent channels between the target and the attackers.

It can be achieved through Beacon, a payload (or an agent) provided by Cobalt Strike that can be installed as a client for the attackers on the targeted machine as a post-exploitation tool. Once activated, the Beacon allows for uploading files and sending command-and-control instructions stealthily, which is precisely what advanced threat actors want.

The Cobalt Strike’s Command and Control protocol is a DNS-based communication that is pretty hard to detect compared to classic HTTP traffic. It’s a pretty clever way to hide malicious instructions using DNS entries and some obfuscation algorithm the Beacon can decode.

Once the Beacon is implanted, malicious activities such as network monitoring, data exfiltration, further lateral movements, or ransomware attacks can happen.

Detecting Cobalt Strike Attacks

Intezer revealed that because Cobalt Strike’s payloads are “usually shellcode encrypted with a rolling XOR key,” static analysis and hash detection is much harder. Another term used to describe Cobalt Strike’s payloads is “fileless code.”

However, Intezer thinks it can be detected by combining multiple approaches. “The best way to detect Cobalt Strike code is through a combination of dynamic, static, and genetic analysis,” the company’s blog says, noting the importance of in-memory code scans.

Secureworks notes that the process of “deploying Cobalt Strike Beacon to additional servers from a compromised host lets network defenders detect the service established on the remote host, the admin share launching content, and the resulting command execution,” adding that “By default, Cobalt Strike always leverages the Rundll32 utility for command execution. ”

SIEM vendor Logpoint also outlines some detection methods via Rundll32, Regsvr32 and intrusion detection.

Also read: Top Endpoint Detection & Response (EDR) Solutions for 2022

Cobalt Strike Isn’t the Only Threat

Top-rated security products are attractive for bad actors too, particularly offensive tools. They like to divert security features into attacking weapons, and frameworks such as Metasploit or Cobalt Strike make hacking significantly faster and easier.

Cobalt strike is a premium product. However, like Metasploit, there’s a free community edition called Community Kit. Besides, hackers use old leaked versions of the software to create their own version and port it on unsupported systems.

Whether or not open-sourcing such tools is an ethical decision is not really relevant, as there are already many tools in the wild, and dark open-sourcing is rising.

If you consider security tools as Pandora’s box, someone opened that box decades ago. I’m more worried about the vicious circle of threats:

  1. Vulnerable organizations create business for security companies
  2. Some companies buy security solutions so the providers are encouraged to create more and more sophisticated tools to spot vulnerabilities and pen-test computer systems
  3. Threat actors manage to grab these tools (eg, open source, leaks), divert them, and add new features to attack organizations, making organizations vulnerable again
  4. Back to the starting point

You might say cybercriminals are skilled enough to create their own tools. While that’s true, it requires time, effort, and energy. Unless there’s absolutely no alternative and it’s worth it, hackers would probably rather use existing tools, as a pragmatic approach.

Recreating Cobalt Strike, perhaps with less tested and robust features, would be pointless.

Not everybody can afford security expertise and such expensive tools, which widens the already existing gap between organizations, both among the attackers and the attacked. Everyone needs to stay vigilant, but for the organizations with the most sensitive data and the most to lose, it’s critical to stay on top of threats – and to make sure your vendors are too.

Read next: Best SIEM Tools & Software for 2022

Leave a Comment