Hackers have begun to use fake ads for Microsoft Teams updates to infect computers with backdoor entry points using Cobalt Strike. Once infected, this malware strain can compromise entire networks. The attacks target organizations in several different industries, but more recently have focused on the education sector, which is dependent on video conferencing apps due to the rise in Covid-19 restrictions.
What is Cobalt Strike Malware?
Cobalt Strike was originally developed for ethical hackers as a threat emulation and penetration testing, but like many other cybersecurity tools, it has been compromised for malicious purposes. This platform combines social engineering, unauthorized access tools, network pattern obfuscation, and a mechanism for deploying code against victims. Hackers can also use it to initiate advanced persistent threat (APT) attacks against organizations. While Cobalt Strike is a legitimate tool used by so-called “white hat” hackers and carries a price tag of $3,500 per user, “black hat” hackers have now taken to using the trial version of Cobalt Strike and cracking its software protection to manipulate its nefarious potential.
The Cobalt Strike testing toolkit is popular among ransomware families dominating the threat landscape because it’s stable and exceptionally adaptable. It tends to be repurposed to deploy all types of payloads. Cobalt Strike has been observed in several Ryuk ransomware campaigns, as well as cyber attacks involving ransomware such as LockBit and Sodinokibi. In late September 2020, Ryuk ransomware carried out a phishing campaign using malicious documents hosted on docs.google.com, and with the aid of Cobalt Strike, managed to compromise a large company’s network. Once the Ryuk ransomware deployed a Cobalt Strike beacon, it stole network admin credentials, and proceeded to move laterally on the network.
Cobalt Strike provides the following capabilities to cybercriminals:
Reconnaissance:
Cobalt Strike can determine which client-side software your target uses, with version info to identify any known vulnerabilities.
Attack Packages:
Cobalt Strike provides a social engineering attack engine and can create trojans masked as innocent files, including Java Applets, Microsoft Office documents or Windows programs, and offers a website clone to allow drive-by downloads.
Collaboration:
Cobalt Team Server allows hosts to share information with a hacking group and communicate in real-time as they share control of compromised systems.
Post Exploitation:
Cobalt Strike employs Beacon, a file dropper that deploys PowerShell scripts, log keystrokes, records screenshots, download files, and executes other payloads.
Covert Communication:
Cobalt Strike can enable attackers to modify network indicators on the fly, making it possible to load C2 profiles to appear like another actor, and egress into the victims network using HTTP, HTTPS, DNS or SMB protocol.
According to Cisco Talos Q4 2020 CTIR report, 66% of all ransomware attacks this quarter involved the use of Cobalt Strike.
