What is "Cobalt Strike"? Are there other similar threats?

A good thing used for bad purposes. Sometimes.

While Cobalt Strike is the market leader, it is far from the only threat assessment tool, and others are even easier for criminals to make use of, on every server, desktop and mobile platform except, it seems, Apple mobiles.

Cobalt Strike was developed as threat emulation software, used for penetration testing. In its original form, it is a legitimate product from a genuine company. And it's not cheap. But cracked and hacked versions are readily available on the internet and, of course, traded between criminals.

Since the launch of the product in 2012, it has become, according to Intel471 "one of the most popular tools for penetration testers." Sadly, it has also become a tool of choice for criminals, even though the company has taken steps to try to contain its distribution.

It turns out that Microsoft wasn't the first to notice that bad people had manipulated a good thing. Intel471, on 19th May, said: "Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families.

"Access to this powerful and highly flexible tool has been limited by the product’s developers, but leaked versions have long spread across the internet. Additionally, there are tons of tutorials, education videos and other public documentation that can help newcomers understand how to effectively use it, lowering the bar for entry in the cybercrime world.

"The cybercrime underground’s adoption of Cobalt Strike correlates with the rise in ransomware activity over the past few years, while also being tied to numerous other types of malware that either lead to ransomware attacks, data exfiltration, or both."

This report is helpful:

Cobalt Strike works on Windows, but there is a cross-platform gateway that operates on e.g. Linux and Android. There is no readily available information as to whether this allows exploits on mobiles, non-Windows desktops, etc.

Cobalt Strike is far from the only such "tool" available, and most of the others do not restrict who can obtain them or how they are modified.

For example, Metasploit is open source, free "for personal use" and operates on Windows, Linux and BSD (a form of UNIX similar to Linux, no longer under development but still in widespread use in a variety of "forks").

Armitage is also free, open source and used on Mac, Windows and Linux.

In fact, we found 14 similar programmes, most of which were open source (i.e. can be freely modified) and many of which were free of charge or free with paid features.

One, in particular, interested us: andspoilt - free, open source, for Linux with wine, but specifically marketed as an "Android hacking toolkit for creating payloads and launching exploits." Very little information about it is available, most of which says it doesn't work properly, and it appears not to have been updated, in public, since 2018. But the source code is still available, and criminal gangs can easily obtain it, modify it and deploy it on both Android phones and Linux devices.

See also "US Court authorises seizure of domain names used for criminal purposes" here:

