Detecting Cobalt Strike: Cybercrime Attacks

Recent research shows that cybercriminals who deploy malware frequently use Cobalt Strike to drop additional payloads once they have surveyed a compromised network. Cobalt Strike is commercial penetration testing software; attackers use it to deploy its post-exploitation agent, named 'Beacon', on the systems of targeted individuals and organizations.

Beacon communicates with the attacker's team server over command-and-control (C2) channels, and Cobalt Strike's Malleable C2 profiles let operators shape that traffic so that it resembles legitimate web traffic. Beacon gives attackers a wide range of functions, including keylogging, SOCKS proxying, file transfer, privilege escalation, port scanning, mimikatz, and lateral movement.
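One concrete detection that follows from the C2 point above: when an operator leaves the default profile in place, Cobalt Strike's HTTP stager is fetched from a four-character URI whose checksum8 (sum of the ASCII bytes modulo 256) is 92 for x86 and 93 for x64, a long-documented property of the default staging scheme. The script below is an added example, not code from the article or from Secureworks; it runs that check over constructed proxy log lines (hypothetical hosts, paths and clients, made up for this example) and reports the requests that match. The same caveat the article makes applies here: a custom Malleable C2 profile changes the URI scheme, and stageless Beacons never make a stager request at all, so an absence of hits proves nothing.

```python
"""Flag proxy log requests whose URI path matches the checksum8 pattern
used by Cobalt Strike's *default* HTTP stager (x86 -> 92, x64 -> 93).

Added example with constructed log data; not the article's own code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# checksum8 values of the default Cobalt Strike staging URIs.
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Constructed proxy log lines (hypothetical hosts, clients and paths).
# Format: client method url status "user-agent"
SAMPLE_LOG = """\
10.0.0.12 GET http://cdn.example.net/Rb4t 200 "Mozilla/5.0 (Windows NT 10.0; WOW64)"
10.0.0.12 GET http://cdn.example.net/jquery-3.3.1.min.js 200 "Mozilla/5.0 (Windows NT 10.0; WOW64)"
10.0.0.45 GET http://update.example.org/xW9U 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.77 POST http://intranet.example.com/api/v1/login 302 "Mozilla/5.0"
10.0.0.77 GET http://intranet.example.com/Ab12 404 "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    client: str
    url: str
    arch: str
    user_agent: str


def checksum8(text: str) -> int:
    """Sum of the byte values of the string, modulo 256."""
    return sum(ord(c) for c in text) % 256


def stager_arch(path: str) -> Optional[str]:
    """Return 'x86' or 'x64' when the URI path looks like a default
    Cobalt Strike stager request, otherwise None.

    The default stager URI is four alphanumeric characters; anything
    longer (real static assets, API routes) is ignored to limit noise.
    """
    uri = path.lstrip("/")
    if not re.fullmatch(r"[A-Za-z0-9]{4}", uri):
        return None
    value = checksum8(uri)
    if value == CHECKSUM8_X86:
        return "x86"
    if value == CHECKSUM8_X64:
        return "x64"
    return None


def scan_log(text: str) -> List[Hit]:
    """Parse proxy log lines and return the requests matching the pattern."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        arch = stager_arch(urlsplit(m["url"]).path)
        if arch:
            hits.append(Hit(m["client"], m["url"], arch, m["ua"]))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.client} -> {h.url}: default Cobalt Strike {h.arch} "
              f"stager pattern (UA: {h.user_agent})")
```

Treat a hit as a lead to pivot on (the client, the destination, the user-agent, and what that host did next), not as proof on its own: a four-character path with a matching checksum will occasionally occur in benign traffic, and a modified profile will never trip it.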

Cobalt Strike also ships with the Artifact Kit, a toolkit for building the shellcode loaders that run Beacon. The tool is used by both sides: the security community (red teams and penetration testers) and cybercriminals.

Secureworks Counter Threat Unit (CTU) researchers investigated how and when threat actors use Cobalt Strike. That information helps organizations defend their systems against those actors.

Understanding the threat actor's end goal is essential when defending a system. For instance, the financially motivated GOLD LAGOON cybercrime group uses the Qakbot botnet to drop Cobalt Strike onto victims' machines. CTU researchers observed GOLD LAGOON deploying Cobalt Strike to Qakbot-infected hosts, typically ones identified as members of an Active Directory domain. The group, active since 2007, also provides access to other cybercriminal groups that deploy various ransomware families in the compromised networks.

Early detection of a compromised network lets defenders contain and remediate the intrusion quickly, as two similar incidents illustrate.

In the first incident, Secureworks incident responders helped the victim recover from a REvil ransomware attack. In the second, Secureworks Taegis™ XDR countermeasures detected and alerted on the Qakbot and Cobalt Strike activity, which allowed network defenders to contain the intrusion before ransomware was deployed. However, the availability of cracked Cobalt Strike versions on the dark web continues to give threat actors the opportunity to misuse the tool.