Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild

Google Cloud last week disclosed that it has identified 34 different cracked release versions of the Cobalt Strike tool in the wild; the earliest release of the tool dates back to November 2012.

The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The latest version of Cobalt Strike at the time of disclosure is 4.7.2.

Cobalt Strike, developed by Fortra (née HelpSystems), is a popular adversarial framework used by red teams to simulate attack scenarios and test the resilience of their cyber defenses.

It comprises a Team Server, which acts as the command-and-control (C2) hub for remotely controlling compromised hosts, and a stager, a small loader designed to retrieve the next-stage payload known as the Beacon, a fully featured post-exploitation implant that checks in with the Team Server.

Given its wide-ranging suite of features, unauthorized copies of the software have increasingly been weaponized by numerous threat actors to advance their post-exploitation activities.

“While the intention of Cobalt Strike is to emulate a real cyber threat, malicious actors have latched on to its capabilities, and use it as a robust tool for lateral movement in their victim’s network as part of their second-stage attack payload,” Greg Sinclair, a reverse engineer at Google’s Chronicle subsidiary, said.

In a bid to tackle this abuse, GCTI has released a set of open source YARA rules to flag the different variants of the software used by malicious hacking groups.

The idea is to “excise the bad versions while leaving the legitimate ones untouched,” Sinclair said, adding “our intention is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to abuse.”
