Cobalt Strike Beacon

Malware updated 7 hours ago (2024-11-21T10:31:51.762Z)

Download STIX

Preview STIX

Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon samples linked to TAG-112, with their C2 communication directed towards mail.maskrisks.com. In some cases, the malware has been seen to use steganography to hide in images, thus evading detection. This malware has been linked to ransomware activity, causing significant disruption and data theft. The typical attack routine involves gaining initial access via exploitation of Microsoft Exchange servers to implant a web shell that allows the delivery of the Cobalt Strike Beacon. This malware has shown activity on multiple systems and, on one occasion, made outbound connections to its command and control (C2) infrastructure using msedge.exe. Furthermore, threat actors like Storm-0569 and UNC2628 have used it in conjunction with other malicious tools such as BATLOADER, Rclone data exfiltration tools, Black Basta ransomware, and PowerShell scripts for lateral movement within networks and data exfiltration. To combat this threat, security solutions like Advanced WildFire, Cortex XDR, and Prisma Cloud can identify and block Cobalt Strike Beacon binaries, reporting related exploitation attempts. These tools have proven effective in mitigating threats posed by the Cobalt Strike Beacon. For instance, last year, Ukraine's Computer Emergency Response Team reported on threat actor UAC-0057 using an XLS file with an embedded macro and a lure image to deploy Cobalt Strike Beacon and PicassoLoader malware on victim systems in Ukraine, highlighting the global threat posed by this malware.

Description last updated: 2024-11-21T10:29:23.514Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Payload

Ransomware

Malware

Implant

Exploit

Loader

Backdoor

Beacon

Reconnaissance

Downloader

Lateral Move...

Tool

Phishing

Shellcode

Decoy

Windows

Cuba

Microsoft

PowerShell

Ukraine

Dropper

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Batloader Malware is associated with Cobalt Strike Beacon. Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal	Unspecified	4
The python310.dll Malware is associated with Cobalt Strike Beacon. Python310.dll is a malicious software (malware) that infiltrates systems by installing a trojanized version of itself and establishing persistence through a run key named "Python". This is achieved by manipulating the value to be "C:\Users\Public\Music\python\pythonw.exe". The malware can enter your	Unspecified	2
The Truebot Malware is associated with Cobalt Strike Beacon. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow	Unspecified	2
The Conti Malware is associated with Cobalt Strike Beacon. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	Unspecified	2
The pythonw.exe Malware is associated with Cobalt Strike Beacon. Pythonw.exe, a malware that exploits and damages your computer or device, has been identified to execute malicious code on Windows systems. This harmful program infiltrates your system through suspicious downloads, emails, or websites without your knowledge, with the potential to steal personal info	Unspecified	2
The Meterpreter Malware is associated with Cobalt Strike Beacon. Meterpreter is a type of malware that acts as an attack payload within the Metasploit framework, providing threat actors with an interactive shell to control and execute code on a compromised system. The malware is often deployed covertly through suspicious downloads, emails, or websites. Once insta	Unspecified	2
The Carbanak Malware is associated with Cobalt Strike Beacon. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lace Tempest Threat Actor is associated with Cobalt Strike Beacon. Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi	Unspecified	3
The FIN7 Threat Actor is associated with Cobalt Strike Beacon. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	2

Source Document References

Information about the Cobalt Strike Beacon Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	6 days ago	China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike
Trend Micro	13 days ago	Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations
Unit42	20 days ago	TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit
CISA	a month ago	Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations \| CISA
DARKReading	4 months ago	China's APT41 Targets Taiwan Research Institute for Cyber Espionage
CERT-EU	a year ago	Microsoft Disables App Installer Feature Amid Security Concerns
MITRE	2 years ago	Shining a Light on DARKSIDE Ransomware Operations \| Blog \| Mandiant
Unit42	5 months ago	Attackers Exploiting Public Cobalt Strike Profiles
DARKReading	6 months ago	Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
InfoSecurity-magazine	6 months ago	New Multi-Stage Malware Targets Windows Users in Ukraine
Fortinet	6 months ago	Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine \| Fortinet Blog
Checkpoint	6 months ago	27th May – Threat Intelligence Report - Check Point Research
Checkpoint	6 months ago	Sharp Dragon Expands Towards Africa and The Caribbean - Check Point Research
DARKReading	6 months ago	Windows Quick Assist Anchors Black Basta Ransomware Gambit
Trend Micro	2 years ago	Rapture, a Ransomware Family With Similarities to Paradise
Securityaffairs	7 months ago	Targeted operation against Ukraine exploited 7-year-old MS Office bug
DARKReading	7 months ago	Military Tank Manual, 2017 Zero-Day Anchor Latest Ukraine Cyberattack
SANS ISC	8 months ago	1768.py's Experimental Mode - SANS Internet Storm Center
SANS ISC	8 months ago	Obfuscated Hexadecimal Payload - SANS Internet Storm Center
Trend Micro	9 months ago	Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities