Attackers Leveraging Public Cobalt Strike Profiles to Evade Detection

In a recent report, Unit 42 researchers have revealed a concerning trend: threat actors are increasingly exploiting publicly available Cobalt Strike profiles to mask their malicious activities and bypass security measures. Cobalt Strike, a legitimate penetration testing tool, has been weaponized by attackers who utilize cracked versions to infiltrate networks and deploy malware.

Cobalt Strike is a legitimate commercial tool used by security professionals, such as red teams, to simulate cyberattacks and test defenses. However, its potent capabilities have also made it a favorite among malicious actors who utilize cracked versions to carry out real-world attacks. Central to its effectiveness is the Beacon post-exploitation payload, which employs Malleable C2 profiles to obfuscate its traffic, making it difficult for traditional security tools to detect.

Unit 42 researchers have developed advanced techniques to identify Cobalt Strike servers on the internet. Their recent analysis, triggered by Palo Alto Networks’ Advanced Threat Protection (ATP) solution, uncovered a series of malicious Cobalt Strike samples using Malleable C2 configurations. These profiles were not created from scratch; instead, they were derived from publicly available examples hosted on a popular code repository.

Sample Analysis

  1. First Sample: The initial Beacon sample discovered by Unit 42 leveraged a Malleable C2 profile named ocsp.profile. This profile, while benign in its original form, was copied and altered by attackers for malicious purposes. By using Didier Stevens’ Python script, researchers extracted detailed network information from the Beacon, revealing how attackers modified the profile to suit their needs.
  2. Second Sample: Similar to the first, the second Beacon sample also borrowed from the ocsp.profile. Attackers made slight modifications to the profile, changing URI paths and the User-Agent string to further evade detection. The network traffic generated by this sample was meticulously analyzed, showing how attackers can tweak profiles to maintain their malicious footholds.
  3. Third Sample: The third sample presented a more complex scenario. This Beacon sample was a stageless 64-bit Windows executable file, again using the ocsp.profile as its base. Notably, the C2 server’s domain mimicked a well-known multinational technology company’s domain, adding another layer of obfuscation.
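The report's observation that the attackers changed only a few fields (URI paths, User-Agent) of a public profile suggests a simple defensive check: flatten a Malleable C2 profile into its settable fields and diff a recovered configuration against the public baseline. The Python below is an added example, not code from the Unit 42 report or Didier Stevens' script; the two profiles are constructed stand-ins, not the real ocsp.profile, and the parser handles only `set` and `header` statements inside brace-delimited blocks.

```python
import re

# Constructed sample profiles (not the real ocsp.profile): a public-style
# baseline, and a variant with the http-get URI and User-Agent altered,
# mirroring the kind of edits the report describes.
BASELINE = '''
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
http-get {
    set uri "/ocsp";
    client {
        header "Accept" "*/*";
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
    }
}
http-post { set uri "/ocsp/submit"; }
'''
VARIANT = BASELINE.replace('"/ocsp"', '"/ocsp-status"').replace(
    '"User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '"User-Agent" "Mozilla/5.0 (Windows NT 6.1; WOW64) Trident/7.0"')

# Tokens: block open, block close, `set key "value";`, `header "k" "v";`
_TOKEN = re.compile(
    r'([\w-]+)\s*\{|\}|set\s+(\w+)\s+"([^"]*)"\s*;|header\s+"([^"]*)"\s+"([^"]*)"\s*;')

def parse_profile(text):
    """Flatten a profile into {"block.path.set.key": value, ".header.Name": value}."""
    path, fields = [], {}
    for m in _TOKEN.finditer(text):
        block, set_key, set_val, hdr_key, hdr_val = m.groups()
        if block:                      # e.g. "http-get {" or "client {"
            path.append(block)
        elif m.group(0) == '}':
            path.pop()
        elif set_key:
            fields['.'.join(path + ['set', set_key])] = set_val
        else:
            fields['.'.join(path + ['header', hdr_key])] = hdr_val
    return fields

def changed_fields(base_text, variant_text):
    """Fields whose value differs from the baseline (or are new), as {key: (old, new)}."""
    base, var = parse_profile(base_text), parse_profile(variant_text)
    return {k: (base.get(k), v) for k, v in var.items() if base.get(k) != v}

def request_fingerprint(fields):
    """The (URI, User-Agent) pair a Beacon check-in would show in proxy logs."""
    return fields.get('http-get.set.uri'), fields.get('http-get.client.header.User-Agent')
```

Running `changed_fields(BASELINE, VARIANT)` isolates exactly the edited fields, and `request_fingerprint` on either profile yields the URI/User-Agent pair to look for in web proxy telemetry.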

Unit 42 advocates for the adoption of machine learning-based security solutions like ATP. These advanced platforms can analyze vast amounts of data and detect anomalies that traditional heuristic methods might miss. By leveraging machine learning, organizations can better defend against the highly evasive tactics used by attackers leveraging Cobalt Strike.