In an effort to make Cobalt Strike harder for threat actors to use in their attacks, Google has released a set of open-source YARA rules, also integrated as a VirusTotal Collection, allowing automatic detection of this popular ransomware dropper.
Google Cloud: We were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (circa 2012) up to version 4.7 (the latest version at the time of publishing this blog). We cataloged the stagers, templates, and beacons, including the XOR encodings used by Cobalt Strike since version 1.44.
With the set of Cobalt Strike components available, we built YARA-based detection across these malicious variants in the wild with a high degree of accuracy. Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files across these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures written to detect them.
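The catalog above covers stagers whose embedded markers are XOR-encoded, so a rule has to match every encoded form of a known string, not just the plaintext. The following Python is an added illustration of that idea, not code from Google's rule set: it searches a buffer for a marker under every single-byte XOR key, which is what the YARA `xor` string modifier does natively. `MARKER`, the filler bytes and the sample "stager" are constructed placeholders, not real Cobalt Strike indicators.

```python
# Added example (not part of Google's YARA rules): find a known plaintext marker
# in a buffer even when it was single-byte-XOR encoded, mirroring the YARA `xor`
# string modifier. MARKER and the sample buffer below are constructed placeholders.

from typing import List, Tuple

# Constructed placeholder; a real rule carries the strings from the catalogued JARs.
MARKER = b"EXAMPLE_STAGER_MARKER"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply one single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def find_xor_marker(buf: bytes, marker: bytes = MARKER,
                    min_key: int = 0x00, max_key: int = 0xFF) -> List[Tuple[int, int]]:
    """Return (offset, key) for every place where marker occurs in buf encoded
    with a single XOR byte in [min_key, max_key]. Key 0x00 covers the plaintext
    form, which is also YARA's default range for the `xor` modifier."""
    hits: List[Tuple[int, int]] = []
    # Encode the marker once per key and do a plain substring search for that
    # form; this is the same work YARA does when expanding a `xor` string.
    for key in range(min_key, max_key + 1):
        needle = xor_bytes(marker, key)
        start = 0
        while True:
            idx = buf.find(needle, start)
            if idx == -1:
                break
            hits.append((idx, key))
            start = idx + 1
    return hits


def build_sample(key: int) -> bytes:
    """Constructed sample 'stager': filler bytes around the marker XOR-encoded with key."""
    return b"\x90" * 16 + xor_bytes(MARKER, key) + b"\x00" * 8


if __name__ == "__main__":
    sample = build_sample(0x4A)
    # Prints the offset of the encoded marker and the key that recovers it.
    print(find_xor_marker(sample))  # [(16, 74)]
```

In a real rule the same check is a one-line string modifier, e.g. `$s = "..." xor` (all keys) or `xor(0x01-0xff)` to exclude the plaintext form; the value of writing it out is seeing that a single known string yields 256 distinct byte patterns, which is why one rule can cover many encoded variants of the same stager.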
Matt Mullins, Senior Security Researcher at Cybrary, shared his insights on the topic:
"GCIT's efforts to signature the variations of leaked/cracked versions of Cobalt Strike is a great start for the DFIR community. The rules provided specifically call out each version, the critical strings/naming conventions for the defaults of that version, as well as some of the critical aspects of assembly associated with those actions. This provides a very high fidelity detection of those versions associated, which are being widely spread and used by threat actors. This information takes a lot of the heavy lift away from internal teams that might not have the technical skillset or resources to triangulate onto the discernible bits effectively.
Considering that these threat actors typically target the softer targets, which as stated above might not have the resources or internal tribal knowledge to signature CS, these rules are going to impact the Return on Investment (or ROI) of criminal groups. With a less profitable avenue to be exploited on these medium to smaller businesses, some groups will have to shift tactics while others might fade away from prominence. This is great because simple operators will have a harder time getting into these networks with their "large net" exercises.
The flip side is that more advanced groups will easily bypass a good portion of these detections since they are publicly available. One of the harder aspects of running a good Red Team operation is to safely identify defensive capabilities and maneuver around them. With these detections available, not only can more advanced threat actors roll their evasions into their baseline, but they could also use these detections to mimic a less sophisticated actor in order to divert blame of who attacked a target.
The VirusTotal Collections function is going to be a welcome extension to VT's capability. This will more than likely provide a better "one stop shop" lens of what a particular APT does on a regular basis and also will allow individuals without an intelligence feed/team to explore what is currently going on in the wild. A net positive to a tool that already has provided a lot of good information to the DFIR community (as well as provided interesting intelligence and capabilities to the offensive community as well)."