Catching Cobalt Strike Through Analyzing Its Memory

Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic.

Cobalt Strike is a clear example of the type of evasive malware that has been a thorn in the side of detection engines for many years. It is one of the most well-known adversary simulation frameworks for red team operations. However, it is not only popular among red teams; it is also abused by many threat actors for malicious purposes.

Although the toolkit is only sold to trusted entities to conduct realistic security tests, due to source code leaks its various components have inevitably found their way into the arsenal of malicious actors ranging from ransomware groups to state actors. Malware authors abusing Cobalt Strike even played a role in the infamous SolarWinds incident in 2020.

The main driver for the proliferation of Cobalt Strike is that it is very good at what it does. It was designed from the ground up to help red teams armor their payloads to stay ahead of security vendors, and it regularly introduces new evasion techniques to try to maintain this edge.

One of the main advantages of Cobalt Strike is that it mainly operates in memory once the initial loader is executed. This poses a problem for detection when the payload is statically armored, exists only in memory and refuses to execute. This is a challenge to many security software products, as scanning memory is anything but easy.

In many cases, Cobalt Strike is a natural choice for gaining an initial footprint in a targeted network. A threat actor can use a builder with numerous deployment and obfuscation options to create the final payload based on a customizable template. This payload is typically embedded into a file loader in encrypted or encoded form. When the file loader is executed by a victim, it decrypts/decodes the payload into memory and runs it.

As malware researchers, we often see potentially interesting malicious samples that turn out to just be loaders for Cobalt Strike. As the payload is present in memory in its original form, it can be detected easily due to some specific characteristics. It is also often unclear whether a loader was created by a red team or a real malicious actor, which makes attribution even more challenging.

In the next few sections, we are going to take a closer look at three different Cobalt Strike loaders that were detected out of the box by a new hypervisor-based sandbox we designed to allow us to analyze artifacts in memory. Each sample loads a different implant type, namely an SMB, HTTPS and stager beacon.
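The following Python sketch is an added illustration of the memory-delta idea described above; it is not Unit 42's sandbox code and does not reproduce the specific characteristics the article goes on to discuss. It assumes a simplified model in which a process's memory is captured as a list of regions (base address, page protection, bytes) at two points of execution, and it flags executable regions that appear or change between the snapshots and now hold a decoded PE image in its original form. The loader, the embedded payload and the region layout are all constructed for the demo.

```python
"""Toy memory-delta detector (constructed example, not Unit 42's sandbox).

Two snapshots of a process are compared; regions that are new or changed and
that now contain a PE image in executable memory are reported."""
import struct
from collections import Counter
from dataclasses import dataclass
from math import log2


@dataclass(frozen=True)
class Region:
    base: int       # virtual address of the region (assumed model)
    protect: str    # simplified page protection, e.g. "RW", "RX", "RWX"
    data: bytes     # region contents captured at snapshot time


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, lower for plain code/data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def region_delta(before, after):
    """Pairs (old, new) for regions that are new in `after` or whose bytes/protection changed."""
    prior = {r.base: r for r in before}
    return [(prior.get(r.base), r) for r in after
            if prior.get(r.base) is None
            or prior[r.base].data != r.data
            or prior[r.base].protect != r.protect]


def find_unpacked_payloads(before, after, entropy_drop=2.0):
    """Return (base, reason) for executable regions that gained a decoded payload.

    'pe-image' fires when a full PE header is present in the new contents;
    'entropy-drop' fires when a region was decrypted in place (note that a
    single-byte XOR preserves entropy, so that signal only helps for real
    ciphers or compression)."""
    hits = []
    for old, new in region_delta(before, after):
        if "X" not in new.protect:
            continue
        if looks_like_pe(new.data):
            hits.append((new.base, "pe-image"))
        elif old is not None and shannon_entropy(old.data) - shannon_entropy(new.data) >= entropy_drop:
            hits.append((new.base, "entropy-drop"))
    return hits


# ---- constructed sample data -------------------------------------------------

def fake_pe_image(size: int = 0x200) -> bytes:
    """Constructed stand-in for a decoded payload: MZ header, e_lfanew -> 'PE\\0\\0'."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    img[0x100:0x110] = b"DemoPayloadBytes"
    return bytes(img)


def xor_bytes(data: bytes, key: int = 0x5A) -> bytes:
    """Single-byte XOR used only to build the 'encoded' form for the demo."""
    return bytes(b ^ key for b in data)


def build_sample_snapshots():
    """Snapshot 1: loader code plus an encoded blob. Snapshot 2: decoded image appears in RWX."""
    payload = fake_pe_image()
    before = [
        Region(0x00400000, "RX", b"\x55\x8B\xEC" * 64),  # constructed loader code
        Region(0x00402000, "RW", xor_bytes(payload)),     # encoded payload at rest
    ]
    after = before + [Region(0x10000000, "RWX", payload)]  # decoded payload in memory
    return before, after


if __name__ == "__main__":
    b, a = build_sample_snapshots()
    for base, reason in find_unpacked_payloads(b, a):
        print(f"suspicious region at {base:#010x}: {reason}")
```

The delta is what makes the check cheap: instead of scanning every page of every process, only regions that changed between two chosen execution points are inspected, which is also where a loader's decoded payload first becomes visible in its original form.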