Cobalt Strike, a popular red-team tool for detecting software vulnerabilities, has been repurposed by cyberattackers so frequently that publisher Fortra instituted a system for vetting potential buyers. In response, malicious actors have switched to using cracked versions of the software distributed online like any other hacker tool. Google’s Cloud Security team has now come up with a way to counteract these shady uses while not interfering with legitimate ones: version detection.
Threat actors have easy access to Cobalt Strike through pirating, but these illegitimate versions usually cannot be updated, wrote Greg Sinclair, security engineer for cloud threat intelligence at Google. That provides Google researchers with a way to spot potentially malicious use by identifying the version of the software being used, and flagging anything earlier than the current version.
To identify the version, Google researchers analyzed the Cobalt Strike JAR files from the past 10 years and generated signatures for the various components — 165 in all. Then the team bundled the signatures into a VirusTotal collection and released them as open source YARA rules on GitHub.
“Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe,” Sinclair wrote.
Earlier in November, Google Cloud Threat Intelligence released on GitHub a similar set of signatures to detect Sliver, as Bleeping Computer pointed out. The command-and-control framework has been supplanting Cobalt Strike as the repurposed security tool of choice by some threat actors.