
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 272: UNDERSTANDING THE RISK OF COBALT STRIKE AS MALWARE

Reference Number ACG-CSB 110722272

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY 

   Cobalt Strike is a legitimate, commercially available tool used by penetration testers to perform adversary simulations and red team operations. Unfortunately, the tool has been stolen and is actively used by a wide range of threat actors, from ransomware operators to espionage-focused Advanced Persistent Threats (APTs). It gives security testers access to a large variety of attack capabilities: Cobalt Strike can be used to conduct spear-phishing and gain unauthorized access to systems, and can emulate a variety of malware and other advanced threat tactics.

   Cobalt Strike allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, keylogging, file transfer, Socket Secure (SOCKS) proxying, privilege escalation, port scanning and lateral movement. Beacon is in-memory and file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP, and Beacons can be daisy-chained.

   The software has also become a favorite tool of cybercriminals as an easy and cost-effective way to remotely access and manage infected systems. Employing Cobalt Strike beacons in an attack's infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detection. The attack also uses one of two different fileless scripts to obtain the payload: either a Visual Basic script embedded in the file or a Visual Basic script downloaded at the time of exploitation.

   Some of the other features of Cobalt Strike include the ability to steal passwords, take screenshots, record keystrokes, add the victim's computer to a botnet, and many more. Cobalt Strike is also being used by cybercriminals and APT actors to commit fraud and to steal money from bank accounts.

   The availability of unauthorized Cobalt Strike versions on the dark web means that threat actors can abuse it. Network defenders must attempt to answer the "friend or foe" question when they detect Cobalt Strike in their environment, as the tool can be used for both legitimate and malicious purposes.

   Organizations should be constantly vigilant for Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts at an early stage of the attack's infection chain.
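Because Beacon calls back to its command-and-control server on a fixed sleep interval, one network-side way to answer the "friend or foe" question raised above is to look for client/destination pairs whose request timing is far more regular than ordinary browsing. The script below is an added illustration of that heuristic and is not part of this bulletin or of the Cobalt Strike product; the proxy log format, the sample log lines, the host names and the thresholds are all constructed for the example.

```python
"""Periodicity-based beacon candidate detection over web proxy logs.

An implant that sleeps for a fixed interval between check-ins produces
request timings with a very low coefficient of variation (standard
deviation divided by the mean). Ordinary browsing is bursty and irregular.
The log format, thresholds and sample lines below are constructed for this
example and are not taken from any real environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client_ip> <dest_host> <uri> <bytes>"
# 10.0.0.5 browses normally; 10.0.0.7 checks in roughly every 60 seconds.
SAMPLE_LOG = """\
2022-11-07T08:00:00 10.0.0.5 cdn.example-legit.test /index.html 5120
2022-11-07T08:00:03 10.0.0.5 cdn.example-legit.test /style.css 2048
2022-11-07T08:00:04 10.0.0.5 cdn.example-legit.test /app.js 10240
2022-11-07T08:00:00 10.0.0.7 updates.example-c2.test /submit.php 312
2022-11-07T08:01:00 10.0.0.7 updates.example-c2.test /submit.php 312
2022-11-07T08:02:01 10.0.0.7 updates.example-c2.test /submit.php 312
2022-11-07T08:02:59 10.0.0.7 updates.example-c2.test /submit.php 312
2022-11-07T08:04:00 10.0.0.7 updates.example-c2.test /submit.php 312
2022-11-07T08:05:00 10.0.0.7 updates.example-c2.test /submit.php 312
2022-11-07T08:10:00 10.0.0.5 cdn.example-legit.test /news 7000
2022-11-07T08:47:12 10.0.0.5 cdn.example-legit.test /news 7100
2022-11-07T09:05:00 10.0.0.5 cdn.example-legit.test /login 900
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, uri, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, uri, size = line.split()
        events.append((datetime.fromisoformat(ts), client, host, uri, int(size)))
    return events


def interval_stats(timestamps):
    """Return (mean interval in seconds, coefficient of variation) for a series of timestamps."""
    ordered = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(deltas)
    cv = pstdev(deltas) / avg if avg > 0 else float("inf")
    return avg, cv


def find_beacon_candidates(events, min_requests=5, max_cv=0.2):
    """Flag (client, host) pairs with enough requests and near-constant spacing.

    min_requests avoids judging timing on too few samples; max_cv is the
    regularity threshold. Both are constructed defaults to be tuned per network.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _uri, _size in events:
        by_pair[(client, host)].append(ts)

    candidates = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            candidates.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return candidates


if __name__ == "__main__":
    for hit in find_beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {hit['client']} -> {hit['host']} "
              f"every ~{hit['mean_interval_s']}s (cv={hit['cv']}, n={hit['requests']})")
```

On the constructed sample the browsing client 10.0.0.5 makes as many requests as the suspect client but its intervals range from seconds to tens of minutes, so it is not flagged, while 10.0.0.7 is reported with a mean interval of 60 seconds. Implants that randomly shorten their sleep (jitter) widen the spread: if a 60 second sleep is cut by up to 30 percent, the intervals are roughly uniform on 42 to 60 seconds and the coefficient of variation is still only about 0.1, so a threshold of 0.2 keeps such traffic in scope. Timing alone is a lead, not a verdict; it should be corroborated with destination reputation, response-size uniformity and endpoint evidence before treating a hit as hostile.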

   Cobalt Strike is one of the most advanced and versatile adversary emulation frameworks on the market today and is likely to remain a first choice for adversaries for the foreseeable future. Organizations must take great care and implement a defense-in-depth strategy that addresses both the technological and human aspects, so that they do not become the next victims of adversaries looking for their next ransomware target.

RECOMMENDATION

   All PNP personnel as well as the public are advised to follow these tips to understand the risk of Cobalt Strike as malware:

• Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans;
• Disable auto-play to prevent automatic launching of executable files;
• Do not open attachments in unsolicited messages;
• Regularly back-up your data;
• Block pop-up windows, as this may help prevent malicious software from being downloaded to a computer; and
• Consider disabling JavaScript, Java, and ActiveX controls when not being used. Activate these features when necessary.

For additional information, please refer to the following websites:
• https://www.mandiant.com/resources/blog/defining-cobalt-strike-components
• https://thehackernews.com/2022/09/new-malware-campaign-targeting-job.html
• https://success.trendmicro.com/dcx/s/solution/1122912-nanocore-malware-information

POINT OF CONTACT

   Please contact PMAJ JUN-JUN S DAGURO, Police Community Relations Officer, by e-mail or on telephone number (632) 723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.