Cobalt Strike Beacon

Malware updated 23 days ago (2024-11-29T14:37:54.571Z)
Download STIX
Preview STIX
Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon samples linked to TAG-112, with their C2 communication directed towards mail.maskrisks.com. In some cases, the malware has been seen to use steganography to hide in images, thus evading detection. This malware has been linked to ransomware activity, causing significant disruption and data theft. The typical attack routine involves gaining initial access via exploitation of Microsoft Exchange servers to implant a web shell that allows the delivery of the Cobalt Strike Beacon. This malware has shown activity on multiple systems and, on one occasion, made outbound connections to its command and control (C2) infrastructure using msedge.exe. Furthermore, threat actors like Storm-0569 and UNC2628 have used it in conjunction with other malicious tools such as BATLOADER, Rclone data exfiltration tools, Black Basta ransomware, and PowerShell scripts for lateral movement within networks and data exfiltration. To combat this threat, security solutions like Advanced WildFire, Cortex XDR, and Prisma Cloud can identify and block Cobalt Strike Beacon binaries, reporting related exploitation attempts. These tools have proven effective in mitigating threats posed by the Cobalt Strike Beacon. For instance, last year, Ukraine's Computer Emergency Response Team reported on threat actor UAC-0057 using an XLS file with an embedded macro and a lure image to deploy Cobalt Strike Beacon and PicassoLoader malware on victim systems in Ukraine, highlighting the global threat posed by this malware.
Description last updated: 2024-11-21T10:29:23.514Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Ransomware
Malware
Implant
Exploit
Loader
Backdoor
Beacon
Reconnaissance
Downloader
Lateral Move...
Tool
Phishing
Shellcode
Decoy
Windows
Cuba
Microsoft
PowerShell
Ukraine
Dropper
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Batloader Malware is associated with Cobalt Strike Beacon. Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personalUnspecified
4
The python310.dll Malware is associated with Cobalt Strike Beacon. Python310.dll is a malicious software (malware) that infiltrates systems by installing a trojanized version of itself and establishing persistence through a run key named "Python". This is achieved by manipulating the value to be "C:\Users\Public\Music\python\pythonw.exe". The malware can enter yourUnspecified
2
The Truebot Malware is associated with Cobalt Strike Beacon. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dowUnspecified
2
The Conti Malware is associated with Cobalt Strike Beacon. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personaUnspecified
2
The pythonw.exe Malware is associated with Cobalt Strike Beacon. Pythonw.exe, a malware that exploits and damages your computer or device, has been identified to execute malicious code on Windows systems. This harmful program infiltrates your system through suspicious downloads, emails, or websites without your knowledge, with the potential to steal personal infoUnspecified
2
The Meterpreter Malware is associated with Cobalt Strike Beacon. Meterpreter is a type of malware that acts as an attack payload within the Metasploit framework, providing threat actors with an interactive shell to control and execute code on a compromised system. The malware is often deployed covertly through suspicious downloads, emails, or websites. Once instaUnspecified
2
The Carbanak Malware is associated with Cobalt Strike Beacon. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lace Tempest Threat Actor is associated with Cobalt Strike Beacon. Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. ThiUnspecified
3
The FIN7 Threat Actor is associated with Cobalt Strike Beacon. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global Unspecified
2
Source Document References
Information about the Cobalt Strike Beacon Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Recorded Future
a month ago
Trend Micro
a month ago
Unit42
2 months ago
CISA
2 months ago
DARKReading
5 months ago
CERT-EU
a year ago
MITRE
2 years ago
Unit42
6 months ago
DARKReading
7 months ago
InfoSecurity-magazine
7 months ago
Fortinet
7 months ago
Checkpoint
7 months ago
Checkpoint
7 months ago
DARKReading
7 months ago
Trend Micro
2 years ago
Securityaffairs
8 months ago
DARKReading
8 months ago
SANS ISC
9 months ago
SANS ISC
9 months ago
Trend Micro
10 months ago