Researchers Uncover Malicious Use Of Cobalt Strike Servers In Cyber Attacks

Cybersecurity researchers have identified a cluster of servers abusing the latest version of Cobalt Strike, a legitimate penetration testing tool, for malicious purposes.

The discovery highlights the ongoing misuse of cybersecurity tools by threat actors to facilitate sophisticated cyber attacks.

Cobalt Strike, widely used by security professionals for testing network defenses, has become a favorite among cybercriminals due to its powerful post-exploitation capabilities.

The latest version, 4.10, released in July 2024, introduced advanced features such as BeaconGate for enhanced evasion, Postex Kit for system interaction, and Sleepmask-VS to reduce detection risks.

While these updates were designed to improve legitimate red team operations, they also offer malicious actors new opportunities to evade detection and execute attacks.


Malicious Infrastructure Discovered

Hunt’s investigation uncovered a group of servers linked by a unique watermark identifier, “688983459,” embedded in the Cobalt Strike software.

This watermark was found across seven IP addresses hosted primarily on Amazon’s infrastructure, with one server using Microsoft’s services.

Figure: Network Infrastructure

These servers were configured to mimic legitimate organizations through domains such as “downloads.helpsdeskmicrosoft[.]com” and “public.open-dns[.]uk,” suggesting a targeted phishing campaign aimed at deceiving users.

The domains and configurations indicate that the attackers are likely targeting specific sectors or entities. Notably, the servers lacked recent TLS certificates, possibly to avoid detection or because the infrastructure is still under development.

Key technical indicators include shared SSH keys, configuration patterns, and public keys across the identified servers.

The beacon configurations revealed endpoints like “http://downloads.yourcoupons[.]net/jquery-3.3.1.min.js” and user agents designed to blend in with normal traffic.

Payloads extracted from these servers allowed researchers to further analyze the attackers’ tactics, techniques, and procedures (TTPs).

Researchers also identified another cluster of servers using a watermark associated with pirated versions of Cobalt Strike.

This cluster exhibited significant variation in versions and configurations but underscored the persistent misuse of cracked versions of the tool in cyber campaigns.

This discovery underscores the double-edged nature of cybersecurity tools like Cobalt Strike. While they are invaluable for legitimate security testing, their misuse by threat actors poses significant risks to organizations worldwide.

The findings highlight the importance of monitoring both common and rare watermarks within such tools to detect emerging threats.
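The indicators described above (the cluster's watermark, brand-impersonating C2 hostnames and a beacon URI posing as a jQuery file) can be turned into a simple triage check for beacon configurations extracted from suspect servers. The following is an added example, not code from Hunt or the article; the set of watermarks tied to cracked builds and the brand-to-apex mapping are assumptions to be replaced with your own intelligence, and the sample configs are constructed from the hostnames quoted in the article.

```python
import re
from dataclasses import dataclass

# Watermark the article reports for the malicious cluster
REPORTED_WATERMARK = 688983459
# Assumption: watermarks commonly cited in public reporting on cracked builds;
# the article gives no value, so edit this set to match your own intelligence
CRACKED_WATERMARKS = {0, 0x12345678}
# Assumption: brand keyword -> apex domain(s) under which it is legitimate
BRAND_APEX = {
    "microsoft": ("microsoft.com",),
    "opendns": ("opendns.com",),
}
# Beacon GET URI styled as a static library asset (e.g. /jquery-3.3.1.min.js)
LIBRARY_URI = re.compile(r"/jquery-\d+\.\d+\.\d+(\.min)?\.js$")

@dataclass
class BeaconConfig:
    host: str          # C2 hostname, may be defanged with "[.]"
    uri: str           # GET URI from the beacon's HTTP profile
    watermark: int     # licence watermark embedded in the beacon
    user_agent: str = ""

def refang(host: str) -> str:
    """Normalise a possibly defanged hostname to lower-case dotted form."""
    return host.lower().replace("[.]", ".")

def under_apex(host: str, apexes) -> bool:
    """True if host is the apex itself or a subdomain of it."""
    return any(host == a or host.endswith("." + a) for a in apexes)

def triage(cfg: BeaconConfig) -> list[str]:
    """Return the indicators matched by this config; an empty list means none."""
    host = refang(cfg.host)
    reasons = []
    if cfg.watermark == REPORTED_WATERMARK:
        reasons.append("watermark matches reported cluster")
    elif cfg.watermark in CRACKED_WATERMARKS:
        reasons.append("watermark associated with cracked build")
    # Brand lookalike: keyword present (hyphens squashed) but not under the real apex
    squashed = host.replace("-", "")
    for brand, apexes in BRAND_APEX.items():
        if brand in squashed and not under_apex(host, apexes):
            reasons.append(f"hostname impersonates {brand}")
    if LIBRARY_URI.search(cfg.uri) and not under_apex(host, ("jquery.com",)):
        reasons.append("C2 URI masquerades as a jQuery library file")
    return reasons
```

The same check can be run over a batch of extracted configs to separate servers that only share a common watermark from those that also carry impersonation indicators.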

Cybersecurity teams are urged to remain vigilant against infrastructure impersonating trusted brands and to enhance defenses against advanced evasion techniques enabled by tools like Cobalt Strike.

As attackers continue to adapt, proactive threat hunting and robust detection mechanisms remain critical in mitigating risks from such malicious campaigns.


The post Researchers Uncover Malicious Use Of Cobalt Strike Servers In Cyber Attacks appeared first on Cyber Security News.