#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter
CrowdSec

Cobalt Strike | Breaking Cybersecurity News | The Hacker News

Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

May 16, 2023 Endpoint Security / Cyber Threat
A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems. That's according to findings from SentinelOne, which observed an increase in the number of Geacon payloads appearing on VirusTotal in recent months. "While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss  said  in a report. Cobalt Strike  is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad capabilities, illegally cracked versions of the software have been abused by threat actors over the years. While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity. In May 2022, software supply chain firm Sonatype  disclosed  details of a rogue Python package called " pymafka "
New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks

New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks

May 09, 2023 Endpoint Security / Ransomware
Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks. "Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks," Kroll said in a report shared with The Hacker News. The ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No data leak site has been identified to date. Following a successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to conduct network scanning and identify a list of machines fo
cyber security

external linkSay Goodbye to SaaS Blind Spots: Wing Security Unveils Free Discovery Tool

websitewww.wing.securitySaaS Security / Attack Surface
Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.
Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Apr 20, 2023 Ransomware / Cyber Attack
Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under  active   exploitation  by ransomware actors to steal sensitive data. The high-severity flaw, tracked as  CVE-2023-0669  (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The issue was patched by the company in version 7.1.2 of the software in February 2023, but not before it was weaponized as a zero-day since January 18. Fortra, which worked with Palo Alto Networks Unit 42, said it was made aware of suspicious activity associated with some of the file transfer instances on January 30, 2023. "The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments," the company  said . "For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their h
Microsoft Takes Legal Action to Disrupt Cybercriminals' Illegal Use of Cobalt Strike Tool

Microsoft Takes Legal Action to Disrupt Cybercriminals' Illegal Use of Cobalt Strike Tool

Apr 07, 2023
Microsoft said it teamed up with Fortra and Health Information Sharing and Analysis Center (Health-ISAC) to tackle the abuse of Cobalt Strike by cybercriminals to distribute malware, including ransomware. To that end, the tech giant's Digital Crimes Unit (DCU) revealed that it secured a  court order  in the U.S. to "remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals." While Cobalt Strike, developed and maintained by Fortra (formerly HelpSystems), is a legitimate post-exploitation tool used for adversary simulation, illegal cracked versions of the software have been weaponized by threat actors over the years. Ransomware groups, in particular, have leveraged Cobalt Strike after obtaining initial access to a target environment to escalate privileges, lateral move across the network, and deploy file-encrypting malware. "The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been link
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection

Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection

Mar 16, 2023 Cyber Threat Intelligence
Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines. Dubbed  SILKLOADER  by Finnish cybersecurity company WithSecure, the malware leverages  DLL side-loading techniques  to deliver the commercial adversary simulation software. The development comes as  improved detection capabilities  against Cobalt Strike, a legitimate post-exploitation tool used for red team operations, is forcing threat actors to  seek alternative options  or concoct new ways to propagate the framework to evade detection. "The most common of these include adding complexity to the auto-generated beacon or stager payloads via the utilization of packers, crypters, loaders, or similar techniques," WithSecure researchers  said . SILKLOADER joins other loaders such as KoboldLoader, MagnetLoader, and LithiumLoader that have been  recently discovered  incorpora
Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks

Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks

Feb 22, 2023 Exploitation Framework / Cyber Threat
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like  Cobalt Strike ,  Sliver , and  Brute Ratel . Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized  Havoc . "While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation," researchers Niraj Shivtarkar and Shatak Jain  said . The attack sequence documented by Zscaler begins with a ZIP archive that embeds a decoy document and a screen-saver file that's designed to download and launch the Havoc Demon agent on the infected host. Demon is the implant generated via th
Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Feb 09, 2023 Threat Intelligence / Malware
The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver  Cobalt Strike  and  SystemBC  for post-exploitation. "The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than four hours," Cybereason  said  in an analysis published February 8, 2023. Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads. The shift in tactics was  first uncovered  by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files th
Gootkit Malware Continues to Evolve with New Components and Obfuscations

Gootkit Malware Continues to Evolve with New Components and Obfuscations

Jan 29, 2023 Cyber Threat / Malware
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is  monitoring  the activity cluster under the moniker  UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as  Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, whereas SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically  IcedID ,
Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks

Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks

Jan 23, 2023 Threat Detection / Infosec
The legitimate command-and-control (C2) framework known as Sliver is  gaining   more traction  from threat actors as it emerges as an open source alternative to  Cobalt Strike  and Metasploit. The findings come from Cybereason, which  detailed  its inner workings in an exhaustive analysis last week. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that's designed to be used by security professionals in their red team operations. Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system upon gaining an initial foothold. In other words, the software is used as a second-stage to conduct next steps of the attack chain after already compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitatio
Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike

Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike

Nov 23, 2022
A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities. Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 by a red team with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2." However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch  said  in a write-up. Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts  Cobalt Strike ,  Sliver , and  Brute Ratel , offering a red team toolset for adversary threat simulation. It's licensed for £7,500 (or $10,000) per user for a year. "Nighthawk is the most advanced and evasive command-and-control framework available on the market," MDSec  notes . &qu
Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild

Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild

Nov 21, 2022
Google Cloud last week disclosed that it identified 34 different hacked release versions of the Cobalt Strike tool in the wild, the earliest of which  shipped  in November 2012. The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The  latest version  of Cobalt Strike is version 4.7.2. Cobalt Strike, developed by  Fortra  (née HelpSystems), is a popular adversarial framework used by red teams to simulate attack scenarios and test the resilience of their cyber defenses. It comprises a Team Server that acts as the command-and-control (C2) hub to remotely commandeer infected devices and a stager that's designed to deliver a next-stage payload called the Beacon, a fully-featured implant that reports back to the C2 server. Given its wide-ranging suite of features, unauthorized versions of the software have been  increasingly   weaponized  by  many  a  threat   actor  to  advance
Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software

Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software

Oct 18, 2022
HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. Cobalt Strike is a commercial red-team framework that's mainly used for adversary simulation, but cracked versions of the software have been  actively   abused  by ransomware operators and espionage-focused advanced persistent threat (APT) groups alike. The  post-exploitation tool  consists of a team server, which functions as a command-and-control (C2) component, and a beacon, the default malware used to create a connection to the team server and drop next-stage payloads. The issue, tracked as  CVE-2022-42948 , affects Cobalt Strike version 4.7.1, and stems from an incomplete patch released on September 20, 2022, to rectify a cross-site scripting ( XSS ) vulnerability ( CVE-2022-39197 ) that could lead to remote code execution. "The XSS vulnerabi
Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4

Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4

Oct 17, 2022
The threat actors behind the  Black Basta   ransomware family  have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the  nascent adversary simulation software  is being delivered via a Qakbot infection, cybersecurity firm Trend Micro  said  in a technical analysis released last week. The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement. While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time. This has been compounded by the fact that a  cracked version  of Brute Ratel C4 (BRc4 v1.2.2) began circulating last month across
New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

Sep 30, 2022
A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. "The payload discovered is a leaked version of a Cobalt Strike beacon," Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer  said  in a new analysis published Wednesday. "The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic." The malicious activity, discovered in August 2022, attempts to exploit the vulnerability  CVE-2017-0199 , a remote code execution issue in Microsoft Office, that allows an attacker to take control of an affected system. The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Publ
Cybercrime Groups Increasingly Adopting Sliver Command-and-Control Framework

Cybercrime Groups Increasingly Adopting Sliver Command-and-Control Framework

Aug 26, 2022
Nation-state threat actors are  increasingly adopting  and integrating the Sliver command-and-control (C2) framework in their intrusion campaigns as a replacement for Cobalt Strike. "Given Cobalt Strike's popularity as an attack tool, defenses against it have also improved over time," Microsoft security experts  said . "Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry." Sliver, first made public in late 2019 by cybersecurity company BishopFox, is a Go-based  open source C2 platform  that supports user-developed extensions, custom implant generation, and other commandeering options. "A C2 framework usually includes a server that accepts connections from implants on a compromised system, and a client application that allows the C2 operators to interact with the implants and launch malicious commands," Microsoft said. Besides facilitating long-term access to infected hosts, the cross-platform kit is also known
Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware

Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware

Aug 18, 2022
A .NET-based evasive crypter named  DarkTortilla  has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely  since 2015 . "It can also deliver 'add-on packages' such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks  said  in a Wednesday report. "It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging." Malware delivered by the crypter includes information steakers and remote access trojans (RATs) such as Agent Tesla, AsyncRat, NanoCore, and RedLine Stealer. "DarkTortilla has versatility that similar malware does not," the researchers noted. Crypters are  software tools  that use a  combination  of encryption, obfuscation, and code manipulation of malware so as to  bypass detection  by security solutions. The delivery of DarkTortil
Chinese Hackers Using New Manjusaka Hacking Framework Similar to Cobalt Strike

Chinese Hackers Using New Manjusaka Hacking Framework Similar to Cobalt Strike

Aug 02, 2022
Researchers have disclosed a new offensive framework referred to as Manjusaka that they call is a "Chinese sibling of Sliver and Cobalt Strike." "A fully functional version of the command-and-control (C2), written in Golang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors," Cisco Talos  said  in a new report. Sliver  and  Cobalt Strike  are legitimate adversary emulation frameworks that have been repurposed by threat actors to carry out post-exploitation activities such as network reconnaissance, lateral movement, and facilitating the deployment of follow-on payloads. Written in Rust, Manjusaka -- meaning "cow flower" -- is advertised as an equivalent to the Cobalt Strike framework with capabilities to target both Windows and Linux operating systems. Its developer is believed to be located
Cybersecurity Resources