CobaltStrike: The Penetration Testing Framework & Our Adversaries
CobaltStrike is an advanced penetration testing framework and threat emulation software that was built by Red Teamers for Red Teamers, but is more often than not used by our adversaries too. It was designed as a full-scope engagement tool that is supposed to be used to improve the security of organisations by identifying weaknesses. However, because it is extremely “hacker friendly” it has been stolen and adopted by organised cybercrime gangs and advanced persistent threat (APT) groups alike.
CobaltStrike itself is an interesting tool that was built on top of and expands upon the Metasploit framework. It has streamlined penetration testing by automating the Metasploit processes and adding additional modules.
Key features of CobaltStrike (mainly taken from the website):
Reconnaissance - profile systems and find their weaknesses. Footprint Operating Systems and discover running services and applications.
Access - credential access, bypass authentication, Man-in-the-Middle attacks, social engineering, spear-phishing, and brute-forcing.
Post-Exploitation - CobaltStrike Beacons that execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads. Meterpreter RAT available for Windows, Java, PHP, Linux. Windows mode enables fileless execution in memory, never touching the disk, and is able to migrate from one process to another.
Covert Communication - CobaltStrike Beacons have malleable network indicators. Load a C2 profile to look like another actor. Use HTTP, HTTPS, and DNS to egress a network. Use named pipes to control Beacons, peer-to-peer, over the SMB protocol.
Browser Pivoting - Use a Browser Pivot to go around two-factor authentication and access sites as your target.
Collaboration - Connect to a Cobalt Strike team server to share data, communicate in real-time, and control systems compromised during the engagement.
Reporting and Logging - Cobalt Strike's reports provide a timeline and a list of indicators from red team activity. These reports are made to benefit our peers in security operations. Cobalt Strike exports reports as both PDF and MS Word documents.
Red Team and CobaltStrike
CobaltStrike often turns up on malware sharing sites as it is detected as malicious by security systems and uploaded to online sandboxes. One recent example of CobaltStrike being directly linked to a Red Team engagement was uncovered by security researchers investigating COVID-19 related threats. Researchers from FireEye found a malicious document masquerading as the World Health Organization (WHO) that was created with the CobaltStrike framework. Interestingly, this could be linked directly back to the Red Team itself, SEC Consult. [1, 2, 3]
Crimeware and CobaltStrike
The well-established Russian organised cybercrime gang, dubbed EvilCorp, has returned with a new ransomware family dubbed WastedLocker. Attacks associated with WastedLocker’s deployment also exhibited the use of CobaltStrike, as opposed to the Empire PowerShell framework, which its developers have abandoned. According to researchers, WastedLocker has been active since May 2020 and is built on a new custom-made code base. It shares a small amount of code with BitPaymer and has a visually similar ransom note. [4]
FireEye also analysed the Maze Ransomware-as-a-Service (RaaS) platform and found that it operates under an affiliate business model and is not just distributed by a single group. Due to multiple actors leveraging Maze in their intrusions, the TTPs are likely to vary depending on the skill of the attackers. Malware, hacking tools, and techniques such as CobaltStrike, Mimikatz, PsExec, and the EternalBlue exploit are all commonly witnessed before Maze ransomware is deployed on the compromised network. [5]
Symantec also reported on recent Sodinokibi ransomware (also known as REvil) activity. Sodinokibi is now targeting Point of Sale (PoS) systems and aims to collect financial information while also encrypting business-critical systems. Many of these attacks also leverage the CobaltStrike exploitation framework to move laterally within target environments. [6]
VK_Intel and SentinelOne also analysed TrickBot’s use of CobaltStrike. The framework’s Beacons’ covert communication was uncovered masquerading as Skype traffic using typosquatting domains to send and receive commands. CobaltStrike is often leveraged in TrickBot and Ryuk attacks to assist with lateral movement and ransomware deployment. [6, 7]
Advanced Persistent Threat groups and CobaltStrike
Cisco Talos reported on a malware campaign that employed military-themed malicious Microsoft Office documents to spread CobaltStrike payloads. This gave full remote control and backdoor access to the threat actors behind the campaign. The malicious documents were distributed in malspam to multiple military and government organisations around South Asia. When one of these documents is opened, a modular dropper, dubbed IndigoDrop, is deployed which delivers the final stage CobaltStrike payload. [8]
Zscaler identified a new state-sponsored malspam campaign that is leveraging the India-China border dispute to lure victims into opening a malicious email attachment named “India-China border tensions.doc”. This contains a PowerShell script that downloads shellcode with a valid GIF header and an XOR-encrypted payload. The shellcode decrypts and executes this payload, which turns out to be a CobaltStrike beacon. [9]
CobaltStrike’s use in industrial espionage and intelligence operations is well-documented, often carried out by Chinese APTs such as MustangPanda or APT41. MalwareBytes uncovered a new Chinese espionage campaign leveraging fake CVs to deliver a multi-stage malware attack. The document delivers a .NET executable posing as an ESET command-line utility that downloads and decrypts the final stage CobaltStrike payload. Although the attacks were not attributed to a single group, the attackers used very similar TTPs and targeting styles observed by the aforementioned APT groups. [10]
The Iranian cyberespionage group tracked as Greenbug has recently been targeting telecommunications companies across South Asia. There are indicators that this campaign has been going on since at least April 2019, with the most recent attacks observed in April 2020. Various malware and frameworks were used in this extensive campaign, although CobaltStrike Beacons featured heavily in these attacks for lateral movement and to maintain persistence. [11]
ANALYSIS
The use of CobaltStrike in an attack campaign certainly suggests that sophisticated threat actors are behind it. It is mainly used for gaining access, establishing persistence, and lateral movement. It is also often paired with living-off-the-land techniques and other tools or exploits such as Mimikatz or EternalBlue.
Organisations are reminded to remain vigilant for the CobaltStrike Beacons. Any signs of beaconing will indicate a network compromise. IBM previously revealed a method for stopping attacks involving CobaltStrike - if the problem is spotted and reported quickly enough. Incident responders, in that case, managed to spot external CobaltStrike beaconing to an unrecognised IP where they could then enact quarantine and remediation. This prevented what was estimated to be a $239 million MegaCortex ransomware attack.
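Spotting that kind of external beaconing comes down to timing: a Beacon checks in on a sleep interval with some jitter, so its connections to one destination are far more regular than ordinary browsing. The script below is an added example (not from the page or from IBM's write-up) that groups outbound connections per source/destination pair from a constructed "timestamp src dst" log and flags pairs whose inter-connection gaps have a low coefficient of variation; the thresholds and the allowlist parameter are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the page). 10.0.0.5 reaches 203.0.113.7
# roughly every 60 s with small jitter; its traffic to 192.0.2.9 is irregular.
LOG = """\
2020-07-01T09:00:00 10.0.0.5 203.0.113.7
2020-07-01T09:00:10 10.0.0.5 192.0.2.9
2020-07-01T09:00:15 10.0.0.5 192.0.2.9
2020-07-01T09:01:02 10.0.0.5 203.0.113.7
2020-07-01T09:01:57 10.0.0.5 203.0.113.7
2020-07-01T09:02:40 10.0.0.5 192.0.2.9
2020-07-01T09:02:41 10.0.0.5 192.0.2.9
2020-07-01T09:03:01 10.0.0.5 203.0.113.7
2020-07-01T09:03:59 10.0.0.5 203.0.113.7
2020-07-01T09:05:03 10.0.0.5 203.0.113.7
2020-07-01T09:07:00 10.0.0.5 192.0.2.9
"""

def find_beacons(log, allow=frozenset(), min_hits=5, max_cv=0.25):
    """Return {(src, dst): mean_gap_seconds} for destination pairs whose
    connection timing is regular enough to look like sleep-plus-jitter
    beaconing. cv = population stdev / mean of the gaps between connections.
    `allow` holds destinations known to be legitimate (CDNs, update servers)."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    hits = {}
    for pair, seen in times.items():
        if pair[1] in allow or len(seen) < min_hits:
            continue
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[pair] = round(mean, 1)
    return hits

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

Real Beacons can use large jitter values, so treat a low-cv hit as a lead to confirm against the destination's reputation and the process that opened the connection, not as proof by itself.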
Adversaries often now spend more time developing the initial infection chain than on post-exploitation. There is not such a need for custom malware as off-the-shelf tools have already been developed for that purpose. This highlights the importance of monitoring endpoint systems that are typically used as the main infection vector.
Defenders and researchers can track CobaltStrike samples that show up in the wild on sites like MalwareBazaar by Abuse.ch. This is an interesting feed to monitor as you may find evidence of Red Team engagements or APT campaigns.
Sources:
https://www.youtube.com/watch?v=XVKRDSLxEeU
https://twitter.com/ItsReallyNick/status/1242485630006935552
https://bazaar.abuse.ch/sample/4d71f1eab01045de9ae76ea248be7746bad70c12ad977eeb6e8f8e46bbce6395/
https://app.any.run/tasks/7b3d112f-2a04-49a6-8cfc-d05a8a6b78d2/
https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/
https://twitter.com/VK_Intel/status/1247249887349047298
https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html