Cobalt Strike Gaining Popularity Among Malicious Cybergroups
A recent campaign delivering the Osiris banking trojan and REvil ransomware, among other payloads, has hit companies in the U.S., Korea, and elsewhere. The campaign, which spans several industries including manufacturing, is notable for the growing use of Cobalt Strike, a commercial threat emulation tool, by criminal actors and advanced persistent threat (APT) groups.
According to a report from Proofpoint, Cobalt Strike has become a favored weapon for these groups in large cyber campaigns. The tool, which ships with features built to evade endpoint detection and response (EDR) products, has proliferated among APT groups and criminal actors since its first release in 2012.
The campaign, which targeted multiple German manufacturing companies between mid- and late January, is one example of this trend. Proofpoint researchers have observed Cobalt Strike in the compromise of dozens of manufacturing companies, as well as in the SolarWinds supply chain attack, the breach of SITA (an IT provider serving hundreds of international airlines), and the Nobelium intrusions disclosed by Microsoft.
Once its Beacon payload is running on a host, Cobalt Strike gives the operator control of that system and the ability to move laterally to others, harvest user credentials, execute code, and more. Attackers use it for reconnaissance, for delivering ransomware payloads, and for maintaining command-and-control (C2) channels through the Beacon implant.
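Because Beacon's C2 traffic is what defenders most often get to see, a cheap first-pass check is worth having. The following is an added example, not code from the article or from Proofpoint: it scans constructed web-server access log lines for the default Cobalt Strike staging convention, in which the stager requests a short random URI path whose "checksum8" (sum of the path's ASCII codes modulo 256) is 92 for a 32-bit stager and 93 for a 64-bit one. The log format, the sample lines, and the 8-character path ceiling are assumptions made for the example; operators who customise the Malleable C2 profile or disable staging will not trip this check, so a hit is a lead to investigate, not proof of Cobalt Strike.

```python
import re

# checksum8 values used by the default Cobalt Strike staging profile
# (it follows the Metasploit stager URI convention).
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Assumed Apache/Nginx combined log layout:
# client ident user [time] "METHOD URI HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def checksum8(path: str) -> int:
    """Sum of the ASCII codes of the path (without the leading '/'), mod 256."""
    return sum(ord(c) for c in path) % 256


def stager_arch(uri: str):
    """Return 'x86'/'x64' if the URI looks like a default staging URI, else None.

    Default stagers request a short random alphanumeric path with no extension
    and no query string. The 8-character ceiling is an assumption that keeps
    the 1-in-256 accidental match rate on random paths from flooding results.
    """
    path, _, query = uri.partition("?")
    path = path.lstrip("/")
    if query or not path or not path.isalnum() or len(path) > 8:
        return None
    value = checksum8(path)
    if value == CHECKSUM8_X86:
        return "x86"
    if value == CHECKSUM8_X64:
        return "x64"
    return None


def scan_log(lines):
    """Return one dict per request whose URI matches the staging convention."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or not an access-log record
        arch = stager_arch(m["uri"])
        if arch is None:
            continue
        hits.append({"client": m["client"], "uri": m["uri"],
                     "status": int(m["status"]), "arch": arch})
    return hits


# Constructed sample log lines (not real traffic). The first two paths were
# chosen so their checksum8 values are 92 and 93; the rest are ordinary traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2021:10:00:01 +0000] "GET /abc6 HTTP/1.1" 200 213456 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [19/Jan/2021:10:00:09 +0000] "GET /abc7 HTTP/1.1" 200 261120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Jan/2021:10:01:15 +0000] "GET /abcd HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Jan/2021:10:01:20 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Jan/2021:10:01:25 +0000] "POST /login?next=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} fetched {hit['uri']}: possible {hit['arch']} stager (HTTP {hit['status']})")
```

A 200 response with a payload-sized body on a matching path is the strongest signal here; a 404 on a matching path is usually just the 1-in-256 coincidence. Pair this with a check on the responding host and on what the client does next, since a real stager is followed by regular Beacon check-ins to the same server.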
Interestingly, while the share of observed Cobalt Strike activity attributable to known APT and espionage actors has fallen since 2019, according to Proofpoint researchers, the tool is now more commonly used by cybercrime and commodity malware operators than by those groups. Well-known APT groups and major criminal actors seen using Cobalt Strike since 2019 include APT29 (Cozy Bear), APT41, FIN7, and TA505.
Offensive security tools are not inherently evil, but the proliferation of Cobalt Strike among APT groups and criminal actors is worth reviewing, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. As the use of Cobalt Strike continues to grow, defenders should treat it as a threat in its own right and build detections for it, not only for the malware it delivers.