The legitimate commercial framework Cobalt Strike, built for pentesters and red teams and focused on exploitation and post-exploitation, has long been a favorite of attackers, ranging from state-sponsored APT groups to ransomware operators. Although it is not sold to ordinary users and the full version costs about $3,500 per install, attackers still find ways to obtain it (for example, by relying on old, pirated, cracked, or unregistered copies).
Cisco Talos experts report that in the second quarter of this year the framework was used in 66% of ransomware attacks. The analysts write that the tool is valued by information security specialists and criminals alike primarily for its ability to deploy listeners on victims' networks. These are used to monitor how infected hosts communicate with C&C servers in order to receive payloads and further commands from the attackers.
“The strength of Cobalt Strike is that it offers many answers to tricky questions an attacker might have. Deploy listeners and beacons? No problem. Need shellcode? Easy. Need to create staged/non-staged executables? Done. Given the versatility of Cobalt Strike, its popularity comes as no surprise. Attackers are increasingly relying on Cobalt Strike to operate rather than mainstream malware,” said Cisco Talos researchers.
In their report, the experts write that they analyzed the structure of attacks that use the Cobalt Strike framework and developed about 50 signatures for Snort and for the ClamAV open-source antivirus engine.