
Defending Against Cobalt Strike-Based Malware In Your Environment

While the comprehensive attack framework Cobalt Strike has proven invaluable to legitimate red teams and pen test efforts over the years, it has also become a favorite tool of threat actors seeking to deploy malware and ransomware.

In recent weeks, Microsoft and Google have spearheaded efforts to mitigate the threat from malicious Cobalt Strike usage by providing resources to help block associated domains and hunt for potential persistent infections. These include known Indicators of Compromise, file hashes, and associated domains.

It’s recommended that administrators and threat hunters utilize these free resources to build a better defense against Cobalt Strike-enabled threats.


What is Cobalt Strike?

Cobalt Strike is a commercial adversary simulation software package that consists of multiple components for deploying post-exploitation activity and long-term embedded resident malware on target systems:

  • Cobalt Strike is the command and control (C2) application itself. This has two primary components: the team server and the client.
  • BEACON is the default malware payload used to create a connection to the team server. Active callback sessions from a target are also called “beacons” and can include a Stager and/or a backdoor that runs in memory to assist in making persistent connections to the C2.

The framework is extremely customizable with additional packages that seemingly make malware and ransomware deployment terrifyingly simple.

While Cobalt Strike was developed specifically to facilitate legitimate red teaming operations, cracked versions are what have been weaponized by threat actors.

What Can I Do To Defend Against Cobalt Strike?

The fact that Cobalt Strike is a commonly used framework for developing malware should, in theory, make it a little easier to detect and block. However, many common endpoint protection and EDR vendors still don’t have confirmed detections. These include CrowdStrike, Microsoft Defender, Malwarebytes, Trend Micro, and Symantec.

There are three main tactics you can utilize to implement a defense:

  • Utilize known detection data in your endpoint protection tooling

    Collect IoCs and any other available definitions to aid detection. Examples include Google’s repository of YARA rules (GCTI), which allow byte-level (hex) inspection of files, known file hashes, IP addresses, etc.
  • Block associated malicious domains

    Since Cobalt Strike uses a C2 architecture, it relies on host domains to connect to its server for control and updates. Blocking these at the firewall or with a web proxy can sever or prevent the connection. Microsoft has launched a lawsuit to facilitate takedowns of illicit cracked versions of Cobalt Strike.
  • Hunt for known malicious files used by Cobalt Strike

    Many of the extended kits for Cobalt Strike are packaged into DLLs that may persist on an infected host’s file system.

Domains & IPs

Below is a table of known domains associated with malicious Cobalt Strike usage. Block them at the firewall or proxy level.


For the full list of IP addresses and domains, download our XLSX file compiled by our threat hunting team.
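As an added example (not code from the original post or its authors), the script below turns a defanged domain list in the post’s “[.]” notation into a blocklist and checks proxy log lines against it, matching parent domains (so www.evil.com hits evil.com) while refusing substring matches (so notevil.com does not). The three sample domains are taken from the post’s list; the proxy log lines and their field layout are constructed for the example.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Sample input: three entries copied from this post's domain list, in the
# same defanged "[.]" notation the post uses.
DEFANGED_DOMAINS = """
svchosexec[.]com
edge-chrome[.]com
quickconnect[.]cloud
"""

# Constructed proxy log lines (hypothetical format: timestamp client method target status).
SAMPLE_PROXY_LOG = """\
2023-04-12T10:01:02Z 10.0.0.15 GET http://www.svchosexec.com/updates.txt 200
2023-04-12T10:01:05Z 10.0.0.15 GET https://edge-chrome.com/cdn/jquery.js 200
2023-04-12T10:02:10Z 10.0.0.22 GET https://www.microsoft.com/ 200
2023-04-12T10:03:44Z 10.0.0.31 CONNECT api.quickconnect.cloud:443 200
2023-04-12T10:04:00Z 10.0.0.40 GET https://notsvchosexec.com/ 200
"""

def refang(entry: str) -> str:
    """Turn a defanged IoC such as 'evil[.]com' into a lowercase hostname."""
    host = entry.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = host.replace("hxxps://", "").replace("hxxp://", "")
    return host.strip("./")

def load_blocklist(text: str) -> set[str]:
    """Build a set of refanged hostnames, skipping blanks and '#' comments."""
    return {refang(ln) for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}

def host_of(target: str) -> str:
    """Extract the hostname from a URL or a bare host:port as seen in proxy logs."""
    if "://" not in target:
        target = "//" + target          # lets urlparse treat host:port as a netloc
    return (urlparse(target).hostname or "").lower()

def is_blocked(host: str, blocklist: set[str]) -> bool:
    """True if the host or any of its parent domains is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def scan_proxy_log(log: str, blocklist: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client_ip, matched_host) for every line hitting the blocklist."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                    # skip malformed or truncated lines
        ts, client, _method, target, _status = parts[:5]
        host = host_of(target)
        if is_blocked(host, blocklist):
            hits.append((ts, client, host))
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, load_blocklist(DEFANGED_DOMAINS)):
        print("C2 blocklist hit:", *hit)
```

The same `load_blocklist` and `is_blocked` pair can be fed the downloaded XLSX export (after converting it to one domain per line) and pointed at real proxy or DNS logs to find hosts that should have been blocked.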

