YARA rules released to detect threat actors’ use of Cobalt Strike

IT security teams are getting a new weapon to detect one of the most popular tools used by threat actors to distribute malware: cracked versions of the Cobalt Strike attack framework.

Google has released a set of open-source YARA Rules and their integration as a VirusTotal Collection to help infosec pros flag and identify Cobalt Strike’s components and its respective versions. “Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use, we can help protect organizations, their employees, and their customers around the globe,” Greg Sinclair, a security engineer at Google’s Cloud Threat Intelligence division, said in a blog.

Created as a commercial product in 2012 and now sold by Fortra, Cobalt Strike was designed as a toolkit for red teamers to test the resilience of their organization’s cyber defenses.

Wrapped into a JAR file, it includes a Team Server component, which sets up a centralized server that operates as both a Command and Control (C2) endpoint and a coordinating hub for multiple actors to control infected devices. There are several delivery templates for Javascript, VBA macros, and Powershell scripts that can deploy small shell code (diskless) implants known as stagers. These stagers call back to the Team Server via one of the supported communication channels, including HTTP/HTTPS, SMB, and DNS, to download the final stage implant known as the Beacon. The Beacon is the core binary that gives the actor control over the infected computer.

Small wonder threat actors looked at this and said, “Wow.” And began making copies of it to help in their initial attacks and malware distribution. Google has found 34 different and illegal versions of Cobalt Strike, including copies of the current version, 4.7.

https://storage.googleapis.com/gweb-cloudblog-publish/images/GC-Op27_graph.max-2200x2200.jpg

A typical Cobalt Strike infrastructure setup. Google image

Detecting Cobalt Strike or its clones isn’t easy. For each release version of Cobalt Strike, a new, unique beacon component is usually created. Google had to generate 165 signatures for Cobalt Strike components across all non-current versions. That’s because, typically, leaked and cracked versions of Cobalt Strike are one release version behind the current, commercial version.

The YARA rules created by Google, which can be downloaded from VirusTotal, can be used for malware detection applications from vendors including AlienVault, Cisco Systems, ESET, Forcepoint, Kaspersky, McAfee/Trellix, SonicWall, Trend Micro and many others.

“Our intention,” says Google’s Sinclair, “is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to abuse.”

This isn’t the first effort for detecting bad versions of Cobalt Strike. For example, in 2020 Cisco Systems released SNORT and ClamAV detection signatures, as well as a research paper on detecting Cobalt Strike.

Want to know how your security team can detect abuse of Cobalt Strike? Mandiant wrote this detailed blog to help defenders understand artifacts to look for. Microsoft offers advice as well, and Secureworks notes that by default, Cobalt Strike always leverages the Rundll32 utility for command execution.

There are other commercial penetration testing tools that have been cloned. One is Brute Ratel C4. Another, pointed out by Proofpoint, is Sliver, an open-source, cross-platform adversary simulation and red team platform.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.