Look how many cybercriminals love Cobalt Strike

Since its release in 2012, Cobalt Strike has been one of the most popular tools for penetration testers to use when simulating how known threat actor tools will look when targeting an organization's network. However, there is a downside to that popularity: the criminals love it, too. And if they are using it, it's definitely not to simulate any sort of attack.

Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families. Access to this powerful and highly flexible tool has been limited by the product's developers, but leaked versions have long spread across the internet. Additionally, there are tons of tutorials, education videos and other public documentation that can help newcomers understand how to use it effectively, lowering the bar for entry into the cybercrime world.

The cybercrime underground's adoption of Cobalt Strike correlates with the rise in ransomware activity over the past few years, while also being tied to numerous other types of malware that lead to ransomware attacks, data exfiltration, or both. Despite all of the cybercriminal activity that can be launched with this pen testing tool, it can be difficult to figure out who is actually controlling a malicious Cobalt Strike team server. Additionally, Cobalt Strike allows users to build "malleable" command and control (C2) profiles, which make it easy to change the network signatures of Beacon traffic.

Despite the obfuscation techniques, Intel 471 has collected a wealth of information on how the cybercrime underground has refashioned this security tool to its advantage. The following takes a deeper look at which threat actor groups and malware families are dropping Cobalt Strike for post-exploitation.

It should come as no surprise that Trickbot is on this list. Public reports of Trickbot operators dropping Cobalt Strike go back to 2019. We recently observed Trickbot infections associated with a specific "gtag" (a tracking ID the malware's developers use to label campaigns) directly dropping Cobalt Strike stagers that were code-signed by Sectigo. Trickbot operators using the "rob" gtag pushed a variety of Cobalt Strike stagers (HTTP and HTTPS, x86 and x64) through Trickbot's download-and-execute capability (command 43). Each Cobalt Strike variant was fetched from the very same server (http://107.173.49.118) and tried to connect to 217.12.201.194 over HTTPS or HTTP, depending on the stager's communication protocol. We noticed that the Malleable C2 profile was based on a publicly available profile on GitHub.

Our events registering Cobalt Strike as a download-and-execute were recorded right after Trickbot issued the modules that the malware fetches when initiating an infection. As a reference, the following table gathers the Cobalt Strike hashes collected by our tracking that originated with the Trickbot "rob" gtag:

| File name | SHA-256 |
| --- | --- |
| crypt_run1.exe | c4b4eb963c91fb4e82b0fbe510c35212d1f59850de82b04b0916ffd0cf5ef2af |
| crypt_run2.exe | e46c91ac7955ba97cc3c1aaf7b35a1798b72d7a3f82dca445e2e401430697ceb |

The Cobalt Strike watermark (a unique identifier tied to the license key that generated the payload) that Intel 471 discovered in the Trickbot-dropped payloads is 305419896. That value is 0x12345678 in hexadecimal, a placeholder widely reported in leaked and cracked Cobalt Strike builds, so on its own it cannot tie the payloads to a single licensee.

Other researchers have also written about Cobalt Strike activity originating from Trickbot infections. Walmart Global Tech has published details from a ransomware operation involving Cobalt Strike leveraged by a group utilizing the Trickbot banking trojan; in that operation, Cobalt Strike was loaded at an advanced stage of the intrusion. Another security researcher has detailed in his blog the phases of an intrusion that started with an Emotet infection, continued with a subsequent Trickbot install, and used a series of post-exploitation tools and frameworks before eventually taking advantage of Cobalt Strike. The watermark observed in that payload is 1359593325. That Cobalt Strike arrived late in those intrusions, while our telemetry saw it dropped immediately after the initial Trickbot modules, may be an indicator that different threat groups are using the same tool but leveraging different TTPs.

Other sources have also reported Cobalt Strike activity originating from "rob" Trickbot infections. In May 2021, The DFIR Report blogged their observations when discovering Cobalt Strike activity after an intrusion that started with Trickbot. Even though the same gtag is behind both Cobalt Strike deployments, the configuration extracted from the beacons we collected completely differs from those observed in The DFIR Report article. This may suggest multiple threat actors are performing post-infection activity that leads to ransomware and data exfiltration.
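The comparison of watermarks and beacon configurations above rests on pulling those settings out of each Beacon's embedded configuration. The following script is an added example, not code from the post or from Intel 471: it builds a constructed Beacon-like blob (not a real sample) carrying the documented Beacon config layout with the watermark and C2 host reported above, then recovers the configuration the way analysts' extractors do, by locating the XOR-obfuscated setting table, decoding it and reading the watermark, C2 server, port and beacon type. The setting indices, value types and XOR keys (0x69 for Beacon 3.x, 0x2E for 4.x) are the known Beacon format; the C2 URI, user agent, sleep and jitter values are assumptions chosen for illustration.

```python
"""Minimal Cobalt Strike Beacon configuration extractor (added example).

Beacon embeds its settings as a table of records, each laid out as
index(2) | type(2) | length(2) | value(length), big-endian, XORed with a
single byte (0x69 for Beacon 3.x, 0x2E for 4.x). The sample blob built by
build_sample_beacon() is CONSTRUCTED to carry the values reported in the
post; it is not a real Beacon, and the URI, user agent, sleep and jitter
values are assumptions.
"""
import struct

XOR_KEYS = (0x2E, 0x69)          # Beacon 4.x and 3.x config keys
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

# Subset of the documented Beacon setting table
SETTING_NAMES = {1: "beacon_type", 2: "port", 3: "sleep_ms", 5: "jitter",
                 8: "c2_server", 9: "user_agent", 37: "watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}
# Watermarks widely reported in leaked/cracked builds; they identify no licensee
SUSPECT_WATERMARKS = {0, 0x12345678}


def _record(index, vtype, length, value):
    """Encode one setting record in the Beacon config layout."""
    if vtype == TYPE_SHORT:
        payload = struct.pack(">H", value)
    elif vtype == TYPE_INT:
        payload = struct.pack(">I", value)
    else:
        payload = value.ljust(length, b"\x00")
    assert len(payload) == length
    return struct.pack(">HHH", index, vtype, length) + payload


def build_sample_beacon(key=0x2E):
    """CONSTRUCTED fake: PE-like padding around an encoded config (not real)."""
    config = b"".join([
        _record(1, TYPE_SHORT, 2, 8),          # beacon_type 8 = HTTPS
        _record(2, TYPE_SHORT, 2, 443),
        _record(3, TYPE_INT, 4, 60000),        # assumed sleep
        _record(5, TYPE_SHORT, 2, 10),         # assumed jitter
        _record(8, TYPE_DATA, 256, b"217.12.201.194,/jquery-3.3.1.min.js"),  # URI assumed
        _record(9, TYPE_DATA, 128, b"Mozilla/5.0"),  # assumed user agent
        _record(37, TYPE_INT, 4, 305419896),   # watermark reported in the post
    ]) + b"\x00" * 6                            # index 0 terminates the table
    encoded = bytes(b ^ key for b in config)
    return b"MZ" + b"\x90" * 300 + encoded + b"\xCC" * 64


def find_config(blob):
    """Locate the table by searching for the XORed header of setting 1
    (index 1, type short, length 2) under each known key. A 6-byte needle
    can false-positive in a large binary; real tooling validates further."""
    header = bytes([0, 1, 0, 1, 0, 2])
    for key in XOR_KEYS:
        off = blob.find(bytes(b ^ key for b in header))
        if off != -1:
            return off, key
    raise ValueError("no Beacon config found (custom XOR key or still packed?)")


def parse_config(blob):
    """Decode the setting table and return the interesting fields by name."""
    off, key = find_config(blob)
    data = bytes(b ^ key for b in blob[off:])
    settings = {"xor_key": key}
    pos = 0
    while pos + 6 <= len(data):
        index, vtype, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:                         # end of table
            break
        raw = data[pos:pos + length]
        pos += length
        if len(raw) != length:                 # truncated blob
            break
        if vtype == TYPE_SHORT:
            value = struct.unpack(">H", raw)[0]
        elif vtype == TYPE_INT:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(index, f"setting_{index}")] = value
    if "beacon_type" in settings:
        settings["beacon_type"] = BEACON_TYPES.get(settings["beacon_type"],
                                                   settings["beacon_type"])
    return settings


def is_suspect_watermark(watermark):
    """True for values seen in leaked builds, which therefore give no attribution."""
    return watermark in SUSPECT_WATERMARKS


if __name__ == "__main__":
    cfg = parse_config(build_sample_beacon())
    for name, value in cfg.items():
        print(f"{name:12} {value}")
    wm = cfg["watermark"]
    print(f"watermark {wm} = {wm:#x}, suspect={is_suspect_watermark(wm)}")
```

Against a real sample the blob passed to parse_config() must be the unpacked Beacon, not the stager: the stagers the post describes only fetch the stage, so the stage has to be downloaded or carved from memory first. Builds that use a custom XOR key or a modified table will not be found by the fixed-key search and need the key brute-forced, which is what the ValueError is meant to flag.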