Cobalt Counter Strike

Lokesh J

K7 Computing pvt ltd

Abstract:

Cobalt Strike is a fully-featured Red Team tool which emulates the post-exploitation action of threat actors. Its capabilities include reconnaissance, covert communication using a beacon, browser pivoting, spear phishing, etc., and can also leverage the capabilities of other well-known pentesting tools such as Metasploit and Mimikatz. The sad part is that because Cobalt Strike is so very effective threat actors have been increasingly integrating it as part of  their TTPs with high attack-success rates.

Our deeper investigation of campaigns using Cobalt Strike began when we came across a portable executable masquerading as a legit Microsoft Office Setup with an invalid MS digital signature. Little did we realize that this would lead us to Cobalt Strike in disguise, enveloped in a custom packer bearing 70% code similarities with legit MS applications and ends up downloading the beacon to the victim’s system. We were able to ascertain that this is similar to a file used in the CopyKittens APT’s “Wilted Tulip” operation from 2017. We subsequently handled an Adhubllka ransomware infection case with confirmed evidence of Cobalt Strike use, and deeper investigation of the incident  revealed it to be part of the root of the attack. And just recently  we also got our hands on the Conti ransomware gang’s handbook leak content along with the Cobalt Strike C2 server list.

Cobalt Strike is a painful thorn in our side, and as threat researchers we must determine strategies to counter it, when it is abused by adversaries. Based on use cases in the real-world campaigns mentioned earlier, this paper presents ways and means of thwarting Cobalt Strike at multiple stages of delivery, identifying tell tale signs at the relevant security layers such as  IDS packet-detection of outgoing traffic to flag fake hosts in HTTP headers in the case of malleable profiles, e.g. the HTTP header can assert an Amazon profile but the traffic is directed to some malicious domain. In addition we will present our algorithm for dynamically detecting custom packers, such as the one which mimics MS code, and injectors and loaders, such as the 64-bit Go Loader module, used in campaigns which abuse Cobalt Strike. We can also monitor the frequency of requests made during exfiltration of large data, or the creation of named pipe communication between 2 clients to trigger alerts on suspicious use of Cobalt Strike. In the course of the talk we shall also provide attribution to CopyKittens for one APT campaign and explore the TTPs of the Adhubllka ransomware.