CobaltStrike: The Penetration Testing Framework & Our Adversaries

-


CobaltStrike is an advanced penetration testing framework and threat emulation software that was built by Red Teamers for Red Teamers, but is more than often used by our adversaries too. It was designed as a full-scope engagement tool that is supposed to be used to improve security of organisations by identifying weaknesses. However, because it is extremely “hacker friendly” it has been stolen and adopted by organised cybercrime gangs and advanced persistent threat (APT) groups alike. 


CobaltStrike itself is an interesting tool that was built on top of and expands upon the Metasploit framework. It has streamlined penetration testing by automating the Metasploit processes and adding additional modules.


Key features of CobaltStrike (mainly taken from the website):

  • Reconnaissance - profile systems and find their weaknesses. Footprint Operating Systems and discover running services and applications.

  • Access - credential access, bypass authentication, Man-in-the-Middle attacks, social engineering, spear-phishing, and brute-forcing.

  • Post-Exploitation - CobaltStrike Beacons that execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawns other payloads. Meterpreter RAT available for Windows, Java, PHP, Linux. Windows mode enables fileless execution in memory, never touching the disk, and is able to migrate from one process to another. 

  • Covert Communication - CobaltStrike Beacons have malleable network indicators.  Load a C2 profile to look like another actor. Use HTTP, HTTPS, and DNS to egress a network. Use named pipes to control Beacons, peer-to-peer, over the SMB protocol.

  • Browser Pivoting - Use a Browser Pivot to go around two-factor authentication and access sites as your target.

  • Collaboration - Connect to a Cobalt Strike team server to share data, communicate in real-time, and control systems compromised during the engagement.

  • Reporting and Logging - Cobalt Strike's reports provide a timeline and a list of indicators from red team activity. These reports are made to benefit our peers in security operations. Cobalt Strike exports reports as both PDF and MS Word documents.


CobaltStrike's Graphical User Interface

Red Team and CobaltStrike


CobaltStrike often turns up in malware sharing sites as it is detected as malicious by security systems and uploaded to online sandboxes. One recent example of CobaltStrike being directly linked to a Red Team engagement was uncovered by security researchers investigating COVID-19 related threats. Researchers from FireEye found a malicious documented masquerading as the World Health Organization (WHO) that was created with the CobaltStrike framework. Interestingly, this could be linked directly back to the Read Team itself, SEC Consult. [1, 2, 3]


Crimeware and CobaltStrike


The well-established Russian organised cybercrime gang, dubbed EvilCorp, has returned with a new ransomware family dubbed WastedLocker. Attacks associated with WastedLocker’s deployment also exhibited the use of CobaltStrike, opposed to the Empire PowerShell framework due to the developers abandoning it. According to researchers, WastedLocker has been active since May 2020 and is built on a new custom-made code base. It shares a small amount of code with BitPaymer and has a visually similar ransom note. [4]


FireEye also analysed the Maze Ransomware-as-a-Service (RaaS) platform and found that it operates under an affiliate business model and is not just distributed by a single group. Due to multiple actors leveraging Maze in their intrusions, the TTPs are likely to vary depending on the skill of the attackers. Malware, hacking tools, and techniques such as CobaltStrike, Mimikatz, PsExec, and the EternalBlue exploit are all commonly witnessed before Maze ransomware is deployed on the compromised network. [5]


Symantec also reported on recent Sodinokibi ransomware (also known as REvil) activity. Sodinokibi is now targeting Point of Sale (PoS) systems and aims to collect financial information while also encrypting business-critical systems. Many of these attacks also leverage the CobaltStrike exploitation framework to move laterally within target environments. [6]


VK_Intel and SentinelOne also analysed TrickBot’s use of CobaltStrike. The framework’s Beacons’ covert communication was uncovered masquerading as Skype traffic using typosquatting domains to send and receive commands. CobaltStrike is often leveraged in TrickBot and Ryuk attacks to assist with lateral movement and ransomware deployment. [6, 7]


Advanced Persistent Threat groups and CobaltStrike


Cisco Talos reported on a malware campaign that employed military-themed malicious Microsoft Office documents to spread CobaltStrike payloads. This gave full remote control and backdoor access to the threat actors behind the campaign. The malicious documents were distributed in malspam to multiple military and government organisations around South Asia. When one of these documents is opened a modular dropper, dubbed IndigoDrop, is deployed which delivers the final stage CobaltStrike payload. [8]


Zscaler identified a new state-sponsored malspam campaign that is leveraging the India-China border dispute to lure victims into opening a malicious email attachment named “India-China border tensions.doc”. This contains a PowerShell script that downloads shellcode with a valid GIF header and an XOR-encrypted payload. The shellcode decrypts and executes this payload, which turns out to be a CobaltStrike beacon. [9]


CobaltStrike’s use in industrial espionage and intelligence operations is well-documented, often carried out by Chinese APTs such as MustangPanda or APT41. MalwareBytes uncovered a new Chinese espionage campaign leveraging fake CVs to deliver a multi-stage malware attack. The document delivers a .NET executable posing as an ESET command-line utility that downloads and decrypts the final stage CobaltStrike payload. Although the attacks were not attributed to a single group, the attackers used very similar TTPs and targeting styles observed by the aforementioned APT groups. [10]  


Iranian cyberespionage group, tracked as Greenbug, has been recently targeting telecommunications companies across South Asia. There are indicators that this campaign has been going on since at least April 2019, with the most recent attacks observed in April 2020. Various malware and frameworks were used in this extensive campaign, although CobaltStrike Beacons heavily featured in these attacks for lateral movement and to maintain persistence. [11]


ANALYSIS


The use of CobaltStrike in an attack campaign certainly suggests that sophisticated threat actors are behind it. It is mainly used for gaining access, establishing persistence, and lateral movement. It is also often paired with living-off-the-land techniques and other tools or exploits such as Mimikatz or EternalBlue. 


Organisations are reminded to remain vigilant for the CobaltStrike Beacons. Any signs of beaconing will indicate a network compromise. IBM previously revealed a method for stopping attacks involving CobaltStrike - if the problem is spotted and reported quickly enough. Incident responders, in that case, managed to spot external CobaltStrike beaconing to an unrecognised IP where they could then enact quarantine and remediation. This prevented what was estimated to be a $239 million MegaCortex ransomware attack.


Adversaries often now spend more time developing the initial infection chain than on post-exploitation. There is not such a need for custom malware as off-the-shelf tools have already been developed for that purpose. This highlights the importance of monitoring endpoint systems that are typically used as the main infection vector.


Defenders and researchers can track the use of CobaltStrike in the wild that show up on sites like MalwareBazaar by Abuse.ch. This is an interesting feed to monitor as you may find evidence of Red Team engagements or APT campaigns. 


Sources:

https://www.youtube.com/watch?v=XVKRDSLxEeU

https://www.cobaltstrike.com 

https://twitter.com/ItsReallyNick/status/1242485630006935552 

https://bazaar.abuse.ch/sample/4d71f1eab01045de9ae76ea248be7746bad70c12ad977eeb6e8f8e46bbce6395/ 

https://app.any.run/tasks/7b3d112f-2a04-49a6-8cfc-d05a8a6b78d2/

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/

https://twitter.com/VK_Intel/status/1247249887349047298 

https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html

https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/ 

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia 

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more