Over the past few years, Cobalt Strike has become an industry standard for professional red teamers, state-sponsored actors and cyber criminals alike. Cobalt Strike is a commercial, full-featured penetration testing tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.” Cobalt Strike has been leveraged by advanced persistent threat groups such as APT19, APT29, APT32, FIN7 and the Cobalt Group to facilitate various campaign objectives. To keep this powerful tool out of the hands of malicious actors, Strategic Cyber LLC (the creators of Cobalt Strike) imposes export controls and monitors for illicit usage. Despite software licensing for Cobalt Strike being strictly controlled, adversaries crack trial versions of the software and disseminate them across the channels frequented by the criminal underworld. Some of these cracked versions are sold and some are distributed for free, but a free version most likely means you are sharing your operation with someone else via a backdoor.
Fingerprinting Cobalt Strike Servers
Researchers at Fox-IT and Recorded Future started utilizing fingerprints unique to Cobalt Strike team servers to find adversary C2 infrastructure in the wild. On June 18th, 2019, Recorded Future published a report detailing the features they employed to fingerprint team servers and expounded on their effectiveness. The fingerprints were: the default security certificate, a DNS server that answers any DNS request, use of port 50050, a distinctive 404 response, and, for versions prior to 3.13, a null space in the HTTP response that could be used to identify the team servers. This proved quite effective, as many operators seemed to run on default configurations even after these security publications: “The continued identification of Cobalt Strike servers using an outdated version of the framework (via the null space in the HTTP header) and the default configurations may indicate that a large population of Cobalt Strike servers are cracked or stolen versions. It may also be an instance of operators not reading security publications, but the answer may be more simple than that — most targets are not likely searching for Cobalt Strike servers, and the payloads remain effective, so why change their behavior?” In response to these advances in breaching adversary operational security, “Cobalt Strike operators were encouraged by Strategic Cyber LLC in their February study to make use of an Apache or Nginx web server as a “redirector” to proxy their traffic; this precludes simple detections of Cobalt Strike servers by removing the anomalous HTTP responses, default security certificates, and other such identifiers from the equation”.
In its closing thoughts, the report stated: “Obstacles other than intentional tradecraft may prevent the patching of Cobalt Strike servers, including lack of knowledge of the update due to a language barrier, operational comfort with currently installed versions, or other modifications that prevent the installation of the update.” But things are never so neat in reality.
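To make the HTTP-level fingerprints concrete, here is an added example (written for this article, not code from the Recorded Future or Fox-IT reports) that checks a raw HTTP response for two of them: the extraneous space after the status line that identified versions prior to 3.13, and a bare 404 with an empty body. The sample responses are constructed, the exact 404 shape is an assumption, and the third sample shows why a redirector that rewrites the status line defeats the null-space check.

```python
import re

# Status line of an HTTP/1.x response; group 2 captures everything after the code.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(.*?)\r?\n")


def fingerprint_response(raw: bytes) -> dict:
    """Return which team-server heuristics fired on one raw HTTP response."""
    findings = {"null_space": False, "bare_404": False}
    m = STATUS_LINE.match(raw)
    if not m:
        return findings
    status, rest = m.group(1), m.group(2)
    # Versions before 3.13 emitted "HTTP/1.1 200 OK " with a trailing space.
    if rest.endswith(b" "):
        findings["null_space"] = True
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # Assumed heuristic: a 404 with Content-Length: 0 and no body.
    if status == b"404" and headers.get(b"content-length") == b"0" and body == b"":
        findings["bare_404"] = True
    return findings


# Constructed samples, not real captures.
UNPATCHED = (b"HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: 5\r\n\r\nhello")
BARE_404 = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n"
            b"Content-Length: 0\r\n\r\n")
# The same payload served through a redirector that normalised the status line.
PROXIED = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
           b"Content-Type: application/octet-stream\r\nContent-Length: 5\r\n\r\nhello")


def scan(samples: dict) -> dict:
    """Run the heuristics over a name -> raw response mapping."""
    return {name: fingerprint_response(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in scan({"unpatched": UNPATCHED, "bare_404": BARE_404,
                            "proxied": PROXIED}).items():
        print(name, hits)
```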
Increased Cobalt Strike Momentum
Starting in mid-summer 2019, our intelligence sensors began ingesting significantly more material related to Cobalt Strike, emanating from the Chinese security community. Our investigations led us to an actor presumed to be Chinese (Mrxn) who was creating and disseminating cracked versions of exploit software on his or her personal blog. One post in particular caught our eye. It was entitled “CobaltStrike3.14破解 / English: CobaltStrike3.14 crack” and was published one day after Recorded Future released the report mentioned above.
In that blog post, we see the actor Mrxn discussing the operational security problems of Cobalt Strike versions before 3.13, confessing to cracking and distributing a cracked version of Cobalt Strike 3.14, briefly explaining which files to alter to crack the software, and providing links to cracked and trial versions of Cobalt Strike.
Our sensors continued to ingest material related to Cobalt Strike; this time they found aggregations of red team resources being translated into Chinese. These vast lists contained detailed information on a wealth of adversary topics, but it was the in-depth explanation of red team infrastructure that made us realize that a language barrier was no barrier at all. In a code repository entitled “RedTeam-BCS” we found a detailed explanation of Cobalt Strike infrastructure tactics. Under the heading “基础设施架构设计部署 - Infrastructure architecture design and deployment” we saw detailed teaching on how a redirector server functions and how it is used operationally.
A key theory on which we based our backend cyber intelligence tooling is “tradecraft migration”. We define “tradecraft migration” as an adversary’s willingness to shift their TTPs (Tactics, Techniques and Procedures) to sidestep innovation in cyber defenses while expending the least amount of resources to do so. In practice, adversaries only need a good cyber intelligence program to accomplish this, leveraging and building on innovation already taking place within the security community. We consistently see security researcher content shared and discussed on criminally controlled communication assets. The above scenario is an excellent representation of tradecraft migration for these reasons:
Our analysis indicates that more advanced forms of adversary infrastructure obfuscation such as leveraging redirectors, domain fronting or utilizing legitimate web services will become a standard in adversary tradecraft, if it’s not already. Defenders should not presume a language barrier is any kind of obstacle preventing adversaries from learning and deploying advanced infrastructure obfuscation tactics. As we indicated above, that is clearly not the case. Using tradecraft such as redirector servers to obscure Cobalt Strike infrastructure makes blue team detection strategies significantly less effective – especially when redirectors are paired with proper domain categorization and HTTPS. Knowing adversarial capabilities in near real-time is a powerful tool for defenders and must be utilized to come up with new, innovative detection methods for things like Cobalt Strike team servers.