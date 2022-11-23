



Google has released a set of open source YARA rules to help organizations better detect malicious instances of the red team tool Cobalt Strike.

Cobalt Strike is used in red team exercises to emulate realistic threats, but the tool's practical capabilities mean that cracked versions of it can be repurposed by attackers as a weapon to gain lateral movement in a victim’s environment. Cobalt Strike is marketed and developed by Fortra, a vendor recently renamed from HelpSystems.

In a blog post last Thursday, Google announced the release of an open source set of YARA rules as a way to help the community flag and identify components of Cobalt Strike and their respective versions. YARA rules are a common means of classifying and identifying malware samples. The ruleset and its integration started out as a VirusTotal collection.

“Many threat actors rely on cracked versions of Cobalt Strike to carry out cyberattacks, and we hope that disrupting their use will help protect organizations, employees, and customers around the world,” wrote Greg Sinclair, a security engineer at Google Cloud Threat Intelligence.

According to Sinclair, Google took a “surgical approach” when developing the YARA rules to ensure that legitimate versions of the tool are not mistakenly flagged by organizations using the rules. Because of this, only older versions of Cobalt Strike components may be flagged. Google’s ruleset contains 165 signatures covering 34 cracked or malicious versions of Cobalt Strike.

“Leaked and cracked versions of Cobalt Strike are usually at least one release version behind the latest version of Fortra,” wrote Sinclair. “We focused on these versions by creating hundreds of unique signatures that we consolidated as a collection of community signatures available on VirusTotal. We have released it as open source to cybersecurity vendors interested in deploying it.”

Sinclair noted that Fortra uses a unique vetting process that “attempts to minimize the likelihood” of threat actors obtaining the tool, but it is still routinely leaked and cracked. The purpose of Google’s rules is to limit the damage these older versions can cause.

Cobalt Strike has been abused by ransomware gangs and other attackers in a variety of cyberattacks. Recently, Cisco Talos researchers observed a phishing campaign using a leaked version of the penetration testing software.

A Google spokesperson told TechTarget Editorial that the company worked with Fortra on the project.

In a statement to TechTarget Editorial, Fortra said it takes the security of its products very seriously and that its own team is actively looking for cracked copies of Cobalt Strike. “We welcome efforts by industry partners such as Google to help us track malicious actors using older pirated versions of our software,” the company said. “A recent Google podcast announcing the YARA Rules praised our efforts to harden our products and limit malicious use.”

Alexander Culafi is a Boston-based writer, journalist, and podcaster.

