CobaltStrike is an advanced penetration testing framework and threat emulation software that was built by Red Teamers for Red Teamers, but is more often than not used by our adversaries too. It was designed as a full-scope engagement tool that is supposed to be used to improve the security of organisations by identifying weaknesses. However, because it is extremely “hacker friendly”, it has been stolen and adopted by organised cybercrime gangs and advanced persistent threat (APT) groups alike.

CobaltStrike itself is an interesting tool that was built on top of and expands upon the Metasploit framework. It has streamlined penetration testing by automating the Metasploit processes and adding additional modules. Key features of CobaltStrike (mainly taken from the website):

Reconnaissance - profile systems and find their weaknesses. Footprint operating systems and discover running services and applications.
Access - credential access, bypass authentication, Man-in-the-Middle attacks, social engineering, spear-phishing, and brute-forcing.
Post-Exploitation - CobaltStrike Beacons that execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads. Meterpreter RAT available for Windows, Java, PHP, Linux. Windows mode enables fileless execution in memory, never touching the disk, and is able to migrate from one process to another.
Covert Communication - CobaltStrike Beacons have malleable network indicators. Load a C2 profile to look like another actor. Use HTTP, HTTPS, and DNS to egress a network. Use named pipes to control Beacons, peer-to-peer, over the SMB protocol.
Browser Pivoting - Use a Browser Pivot to go around two-factor authentication and access sites as your target.
Collaboration - Connect to a Cobalt Strike team server to share data, communicate in real-time, and control systems compromised during the engagement.
Reporting and Logging - Cobalt Strike's reports provide a timeline and a list of indicators from red team activity. These reports are made to benefit our peers in security operations. Cobalt Strike exports reports as both PDF and MS Word documents.

CobaltStrike often turns up on malware sharing sites, as it is detected as malicious by security systems and uploaded to online sandboxes. One recent example of CobaltStrike being directly linked to a Red Team engagement was uncovered by security researchers investigating COVID-19 related threats. Researchers from FireEye found a malicious document masquerading as the World Health Organization (WHO) that was created with the CobaltStrike framework. Interestingly, this could be linked directly back to the Red Team itself, SEC Consult.

The well-established Russian organised cybercrime gang, dubbed EvilCorp, has returned with a new ransomware family dubbed WastedLocker. It shares a small amount of code with BitPaymer and has a visually similar ransom note. According to researchers, WastedLocker has been active since May 2020 and is built on a new custom-made code base. Attacks associated with WastedLocker’s deployment also exhibited the use of CobaltStrike, as opposed to the Empire PowerShell framework, due to the developers abandoning the latter.
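The Covert Communication feature above notes that Beacons can be controlled peer-to-peer over SMB named pipes, and the Reporting section notes that indicator lists are meant for security operations. The following is an added defender-side example (not code from the blog or from Cobalt Strike) that checks constructed Sysmon Event ID 17 "Pipe Created" records against the default pipe-name patterns published in public Cobalt Strike detection write-ups; the patterns, the flattened `EventID=... Image=... PipeName=...` log format and the sample events are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default pipe-name patterns reported in public detection write-ups
# (assumption: SMB Beacon, Artifact Kit and post-ex job defaults).
# Caveat: a malleable C2 profile can rename every one of these, so this
# catches unmodified deployments only; pair it with process-lineage checks.
DEFAULT_PIPE_PATTERNS = [
    re.compile(r"^\\msagent_[0-9a-f]{2,4}$", re.I),  # SMB Beacon default
    re.compile(r"^\\MSSE-\d{1,4}-server$"),          # Artifact Kit default
    re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),     # post-exploitation job
]


@dataclass
class PipeEvent:
    image: str      # process that created the pipe
    pipe_name: str  # pipe name as logged by Sysmon (leading backslash)


def parse_sysmon_pipe_event(line: str) -> Optional[PipeEvent]:
    """Parse one flattened Sysmon record; only EventID 17 (PipeCreated) is kept."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if fields.get("EventID") != "17":
        return None
    return PipeEvent(fields.get("Image", ""), fields.get("PipeName", ""))


def match_default_pipe(event: PipeEvent) -> bool:
    """True when the pipe name matches one of the published default patterns."""
    return any(p.match(event.pipe_name) for p in DEFAULT_PIPE_PATTERNS)


def suspicious_pipes(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (image, pipe_name) pairs worth triage from a batch of log lines."""
    hits = []
    for line in lines:
        ev = parse_sysmon_pipe_event(line)
        if ev and match_default_pipe(ev):
            hits.append((ev.image, ev.pipe_name))
    return hits


# Constructed sample events for this example, not real telemetry.
SAMPLE_LOG = [
    "EventID=17 Image=C:\\Windows\\System32\\rundll32.exe PipeName=\\msagent_3f",
    "EventID=17 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\lsass",
    "EventID=17 Image=C:\\Users\\bob\\update.exe PipeName=\\MSSE-1234-server",
    "EventID=18 Image=C:\\Windows\\explorer.exe PipeName=\\msagent_3f",
    "EventID=17 Image=C:\\Windows\\System32\\spoolsv.exe PipeName=\\spoolss",
]
```

Running `suspicious_pipes(SAMPLE_LOG)` flags the rundll32 and update.exe pipes and ignores the legitimate lsass and spoolss pipes as well as the Event ID 18 connection record.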