Palo Alto’s threat intelligence division is warning potential targets that they must adopt multiple defenses to withstand a cyberattack that uses the malware, in its latest study of Cobalt Strike instances in the wild.
Unit 42 used digital probing and fingerprinting technology to track Cobalt Strike, which it has been monitoring for months.
“A single modern network security appliance is not sufficient to provide comprehensive coverage against complex malicious tools such as Cobalt Strike,” it said.
“Only a combination of security solutions including firewalls, sandboxes, endpoint agents and cloud-based machine learning can integrate the required data to prevent advanced adversaries from mounting successful cyberattacks from end to end.”
Unit 42 analyzed open-source threat intelligence feeds, including ZoomEye, Shodan, and Censys, to reach its conclusion, collecting IP addresses and deploying 32-bit stager probes to test for positive indicators of Cobalt Strike.
Investigators posed as criminal clients of Cobalt Strike’s nerve center, the CS Team Server, which accepts requests from other cybercriminals in need of its illegal services.
“We began experimenting with forging requests to suspected malicious Team Servers on the internet,” said Unit 42. “Through our analysis of attacker-controlled server responses, we developed a variety of techniques to classify previously undetected Cobalt Strike Team Servers before an attack can occur.”
The CS Team Server uses a Linux program to run an HTTP server designed to respond to requests in the same coding. When a client approaches Cobalt Strike in this manner, they are typically sent a 32-bit binary payload to use in cyberattacks. To get the more powerful 64-bit payload, a user must send an HTTP “get” request.
It is not clear from Unit 42’s research how much the cybercriminals behind Cobalt Strike charge for these differing services.
More from Cybernews:
Subscribe to our newsletter