Cobalt Strike, a threat emulation tool used by Red Teams, has emerged as a favored weapon for malicious criminal actors and advanced persistent threat (APT) groups in some of the biggest cyber campaigns over the last couple of years, according to a report from Proofpoint.
Cobalt Strike can be used for a wide variety of purposes, including reconnaissance, delivering ransomware payloads and establishing beacons for command and control, according to Daniel Petrillo, director of security strategy and products at Morphisec.
Malicious actors increased their use of Cobalt Strike by 161% between 2019 and 2020, Proofpoint researchers found. The Cobalt Strike Beacon featured prominently in the SolarWinds supply chain hack and in the compromise of SITA, an IT company that works with hundreds of international airlines. The Cobalt Strike Beacon was also used in the Nobelium attacks disclosed by Microsoft in May.
Since its launch in 2012, Cobalt Strike has often been linked to large criminal actors, including FIN7, or to APT actors like APT40 or Leviathan. However, Proofpoint researchers said that since 2019 use of the tool by known threat actors has fallen sharply.
"Our data shows that Cobalt Strike is currently used by more cybercrime and general commodity malware actors than APT and espionage threat actors," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, said via email. "This means it has gone fully mainstream in the crimeware world."
Offensive security tools are not inherently evil, DeGrippo said, but it is worth reviewing how the use of the framework has proliferated among APT groups and criminal actors.
"Threat actors are using as many legitimate tools as possible, including executing Windows processes like PowerShell and WMI, injecting malicious code into legitimate binaries, and frequently using allowable services like Dropbox, Google Drive, SendGrid and Constant Contact to host and distribute malware," she said.
From mid- to late January, Morphisec tracked a campaign involving the Osiris banking trojan that targeted multiple German manufacturing companies. That campaign eventually spread to companies in the U.S. and Korea and deployed REvil and other similar payloads. Dozens of manufacturing companies were compromised through the Cobalt Strike framework.
"If successful, Cobalt Strike can give attackers full control over the infected system, the ability to move laterally to other systems, harvest user credentials, execute code and more," Petrillo said.
An additional concern is that Cobalt Strike can evade detection by EDR products, he said.
Correction: This article has been updated to correct Sherrod DeGrippo's pronouns.