Cobalt Strike Beacon

Malware updated 2 months ago (2024-08-14T09:40:05.100Z)
Cobalt Strike Beacon is the post-exploitation payload of the commercial Cobalt Strike adversary-simulation framework; cracked and leaked copies have made it one of the most widely abused implants in ransomware and espionage intrusions. In several reported intrusions the Beacon was loaded by HUI Loader, with file names such as mpc.tmp, dlp.ini, and vmtools.ini used to hold the payload. A distinctive variant hid the Beacon shellcode inside an image using steganography; the loader extracted the shellcode from the image and executed it. In other cases the Beacon was stored encrypted and loaded by HUI Loader from the file vm.cfg.

The Beacon appears in many intrusion chains. Storm-0569 uses PowerShell and batch scripts to download BATLOADER, which in turn drops a Cobalt Strike Beacon; the intrusion then proceeds to data exfiltration with Rclone and deployment of Black Basta ransomware. UNC2628 uses the Beacon for lateral movement, almost exclusively over RDP with legitimate credentials. Ukraine's Computer Emergency Response Team (CERT-UA) reported UAC-0057 deploying the Beacon and PicassoLoader on victim systems in Ukraine through a macro embedded in an XLS file. More recently the Chinese threat actor Sharp Dragon adopted the Beacon as the payload for its campaign, gaining backdoor functionality (C2 communication and command execution) while minimizing exposure of its custom tooling; the Beacon is currently also the payload delivered by the 5.t downloader.

On the defensive side, Palo Alto Networks reports that Advanced WildFire, Cortex XDR, and Prisma Cloud detect and prevent Cobalt Strike Beacon binaries, with Cortex XDR also reporting the related exploitation attempts.
Description last updated: 2024-08-14T08:42:51.774Z
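The description above says the Beacon shellcode was hidden in an image and executed by the loader, but not which steganographic technique was used. The most common and cheapest-to-check variant is a payload appended after the image's end-of-image marker, and that is what the following added example triages for a PNG. This is example code written for this page, not code from the page, from HUI Loader's authors, or from any vendor; the entropy and size thresholds are assumptions, and both sample images are constructed in memory (the "payload" is a placeholder byte pattern, not shellcode).

```python
"""Triage a PNG for a payload appended after its IEND chunk.

Added example (not the page's or any vendor's code).  Only the appended-trailer
variant of image steganography is covered; the thresholds are assumptions and
the sample images are constructed below.
"""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Walk the chunk table, yielding (chunk_type, offset_after_chunk).

    Each chunk's CRC is verified so that a corrupted chunk cannot be mistaken
    for a genuine IEND.  Stops after IEND; raises on a malformed file.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        crc_off = off + 8 + length
        if crc_off + 4 > len(data):
            raise ValueError("truncated PNG: chunk runs past end of file")
        (crc,) = struct.unpack(">I", data[crc_off:crc_off + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        off = crc_off + 4
        yield ctype, off
        if ctype == b"IEND":
            return
    raise ValueError("truncated PNG: no IEND chunk")


def png_trailing_data(data: bytes) -> bytes:
    """Return every byte after the IEND chunk (empty for a well-formed file)."""
    end = len(data)
    for ctype, off in png_chunks(data):
        if ctype == b"IEND":
            end = off
    return data[end:]


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; encrypted or packed data sits close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def triage_png(data: bytes, min_trailer: int = 64, entropy_threshold: float = 7.0) -> dict:
    """Summarise the trailer and flag it when it is both sizeable and high-entropy.

    Assumed thresholds: a few bytes of stray metadata after IEND are common and
    benign, whereas an encrypted Beacon stage would be large and near 8 bits/byte.
    """
    trailer = png_trailing_data(data)
    ent = shannon_entropy(trailer)
    return {
        "trailer_bytes": len(trailer),
        "trailer_entropy": round(ent, 2),
        "suspicious": len(trailer) >= min_trailer and ent >= entropy_threshold,
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_png_1x1() -> bytes:
    """A minimal valid 1x1 RGB PNG, constructed for the sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = make_png_1x1()
# Constructed placeholder "payload": every byte value equally often, so its
# entropy is exactly 8.0 bits/byte, like encrypted data.  Not shellcode.
FAKE_PAYLOAD = bytes(range(256)) * 4
STEGO_PNG = CLEAN_PNG + FAKE_PAYLOAD

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("with-trailer", STEGO_PNG)):
        print(name, triage_png(img))
```

A payload hidden in pixel data (LSB embedding) or inside an ancillary chunk passes this check, so treat a clean result as "no appended trailer", not as "no steganography"; an image that a loader reads from disk and that fails the CRC walk is itself worth a second look.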
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Ransomware
Malware
Exploit
Implant
Backdoor
Loader
Reconnaissance
Beacon
Downloader
Lateral Move...
Tool
Phishing
Shellcode
Decoy
Windows
Cuba
Microsoft
PowerShell
Ukraine
Dropper
Associated Malware
Each entry gives the alias, the association type, and the vote count, followed by the corpus description (truncated where the source display cut it off).

Batloader (association type: Unspecified; 4 votes). Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. It reaches systems through malicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal

python310.dll (association type: Unspecified; 2 votes). python310.dll is the legitimate CPython 3.10 runtime library; in the activity tracked here a trojanized copy is dropped and persistence is established through a Run key named "Python" whose value is set to "C:\Users\Public\Music\python\pythonw.exe", so the interpreter (and with it the trojanized DLL) starts at logon. The malware can enter your

Truebot (association type: Unspecified; 2 votes). Truebot is malware used by the CL0P actors, designed to exploit and damage computer systems. It can reach systems through malicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow

Conti (association type: Unspecified; 2 votes). Conti is a notorious ransomware family that infiltrates computer systems to steal data and disrupt operations. It often spreads through malicious downloads, emails, or websites, and once inside it can hold data hostage for ransom. The Conti ransomware op

pythonw.exe (association type: Unspecified; 2 votes). pythonw.exe is the legitimate windowless Python interpreter; in the activity tracked here it is abused to execute malicious code on Windows systems without showing a console window. The malicious package reaches the system through malicious downloads, emails, or websites without the user's knowledge, with the potential to steal personal info

Meterpreter (association type: Unspecified; 2 votes). Meterpreter is the in-memory attack payload of the Metasploit penetration testing framework. It provides an interactive shell that lets threat actors control and execute code on a compromised system. Advanced Persistent Threat (APT) actors have created and used a

Carbanak (association type: Unspecified; 2 votes). Carbanak is a notorious malware family developed by the cybercrime group FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, active since 2012 and of Russian origin, has focused in particular on the restaurant, gambling, and
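The python310.dll entry above gives one concrete persistence indicator: a Run value named "Python" whose data points at pythonw.exe under C:\Users\Public. The following added example generalises that single indicator into a reusable hunt over an exported Run key: an entry is flagged when its image lives in a user-writable directory, when the image is a script interpreter or LOLBin, and rated high when both hold. This is example code written for this page, not code from the page, from Cybergeist, or from any vendor; the directory and interpreter lists are assumptions to tune for your estate, and SAMPLE_RUN_ENTRIES is constructed for illustration.

```python
"""Hunt Windows Run-key values for interpreter-based persistence.

Added example (not the page's or any vendor's code).  Input is a list of
(value_name, value_data) pairs such as an export of
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run would yield.  The
prefix and interpreter lists below are assumptions; the sample is constructed.
"""
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Directories an unprivileged user can write to; legitimately installed
# software rarely registers a Run entry here (assumption: extend as needed).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Interpreters and LOLBins commonly used to stage a second payload.
INTERPRETERS = {
    "pythonw.exe", "python.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


class Finding(NamedTuple):
    value_name: str
    image_path: str
    severity: str
    reasons: Tuple[str, ...]


def image_path_from_command(command: str) -> str:
    """Return the executable path from a Run value's command line.

    Quoted paths are taken up to the closing quote; unquoted ones up to the
    first '.exe' so that arguments after a path with spaces are not included.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def assess_entry(value_name: str, command: str) -> Optional[Finding]:
    """Return a Finding if the entry looks like interpreter-based persistence."""
    path = image_path_from_command(command)
    norm = path.lower()
    reasons = []
    if norm.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("image lives under a user-writable directory")
    if ntpath.basename(norm) in INTERPRETERS:
        reasons.append("image is a script interpreter or LOLBin")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return Finding(value_name, path, severity, tuple(reasons))


def hunt(entries) -> List[Finding]:
    """Assess every (value_name, command) pair; return findings in input order."""
    findings = []
    for value_name, command in entries:
        finding = assess_entry(value_name, command)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample of a Run key export: two benign entries, the indicator
# from the description above, and a generic staged updater.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("Python", "C:\\Users\\Public\\Music\\python\\pythonw.exe"),
    ("Updater", '"C:\\ProgramData\\upd\\update.exe" -q'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RUN_ENTRIES):
        print(f"[{f.severity}] {f.value_name}: {f.image_path} ({'; '.join(f.reasons)})")
```

Run the same assessment over the HKLM Run and RunOnce keys and the per-user keys of every profile on the host; a user-level Python install under AppData\Local is legitimate, which is why the prefix list deliberately stops at the shared, world-writable locations.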
Associated Threat Actors
Each entry gives the alias, the association type, and the vote count, followed by the corpus description (truncated where the source display cut it off).

Lace Tempest (association type: Unspecified; 3 votes). Lace Tempest has been identified as the actor behind a series of attacks exploiting a zero-day vulnerability in SysAid. The exploitation was first disclosed by SysAid and further detailed in a blog post on TuxCare. Thi

FIN7 (association type: Unspecified; 2 votes). FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group active since 2012. It is known for combining custom malware with social-engineering tactics and has carried out numerous successful attacks against global
Source Document References
Information about the Cobalt Strike Beacon malware was read from the documents listed below (the display is limited to 20 results).
Source (age of document at time of export):

DARKReading (2 months ago)
CERT-EU (9 months ago)
MITRE (2 years ago)
Unit42 (4 months ago)
DARKReading (4 months ago)
InfoSecurity-magazine (4 months ago)
Fortinet (4 months ago)
Checkpoint (5 months ago)
Checkpoint (5 months ago)
DARKReading (5 months ago)
Trend Micro (a year ago)
Securityaffairs (6 months ago)
DARKReading (6 months ago)
SANS ISC (7 months ago)
SANS ISC (7 months ago)
Trend Micro (8 months ago)
CERT-EU (8 months ago)
CrowdStrike (8 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)