Cobaltstrike

Malware Profile Updated 13 days ago
CobaltStrike is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites without the user's knowledge; once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. CobaltStrike has been associated with various other malware families, including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. These strains often work together, creating a complex web of threats that can be difficult to mitigate.

Linux- and macOS-targeted applications have been found to carry backdoors for unauthorized remote access that resemble the Geacon project, an open-source implementation of the CobaltStrike agent written in Go, which is connected to CobaltStrike and BeaconTool. This suggests that CobaltStrike is part of a larger ecosystem of cyber threats, each with its own capabilities and attack vectors. CobaltStrike has also been linked to the "COVID-19 Case 12-11-2020(1).exe" file, which copies itself onto the system and establishes communication with the CobaltStrike command-and-control (C2) server. In October, the banking Trojan IcedID was reported to have a forked variant whose infection chain included BackConnect, Anubis VNC, CobaltStrike, and ConnectWise ScreenConnect; the attackers gained unauthorized access approximately 95 minutes after initial infection. Tools like CobaltStrike are also used to escalate privileges through injections and exploits. SysAid's analysis of the attacks revealed that the attackers used a second PowerShell script to erase evidence of their actions and download a CobaltStrike listener onto victim hosts, likely for persistence. This indicates a sophisticated level of planning and execution and highlights the serious threat posed by CobaltStrike and its associated malware.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Nokoyawa | 3 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
IcedID | 2 | IcedID is a type of malware that was first discovered in 2017 and has been described as a banking Trojan and remote access Trojan. It can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt
Miscellaneous Associations
Other elements of context that could aid in assessing relevance
Beacon
Ransomware
Malware
Exploit
Lateral Move...
Trojan
Windows
Backdoor
Loader
Linux
Reconnaissance
Payload
Sysaid
Associated Malware
ID | Type | Votes | Profile Description
Droxidat | Unspecified | 2 | DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c
Emotet | Unspecified | 2 | Emotet is a notorious malware, designed to infiltrate systems and cause significant harm. It operates by exploiting vulnerabilities in your computer or device, often through suspicious downloads, emails, or websites, and can steal personal information, disrupt operations, or hold data hostage for ra
TrickBot | Unspecified | 2 | TrickBot is a notorious malware that has been linked to numerous cybercrimes. This malicious software, designed to exploit and damage computers or devices, can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal informat
QakBot | Unspecified | 2 | Qakbot is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Qakbot is among several malware families buil
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Cobaltstrike malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
SecurityIntelligence.com | a year ago | The Trickbot/Conti Crypters: Where Are They Now?
MITRE | a year ago | WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
CISA | a year ago | 10398871-1.v2 Zimbra October Update | CISA
GovCERT CH | a year ago | Severe Ransomware Attacks Against Swiss SMEs
CERT-EU | 9 months ago | Focus on DroxiDat/SystemBC
MITRE | a year ago | SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Securelist | 7 months ago | ToddyCat: Keep calm and check logs
CERT-EU | 9 months ago | Focus on DroxiDat/SystemBC – GIXtools
Unit42 | a year ago | Detecting Popular Cobalt Strike Malleable C2 Profile Techniques
CERT-EU | a year ago | Analysis of Ransomware Attack Timelines | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU | 9 months ago | nao-sec.org
CERT-EU | a year ago | The Hunter Behind the Hacker
MITRE | 5 months ago | LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
Yori | 8 months ago | How an APT technique turns to be a public Red Team Project - Yoroi
Yori | 6 months ago | SysAid vulnerability actively exploited in the wild - Yoroi
CERT-EU | 6 months ago | Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability | Zscaler
MITRE | a year ago | FIN7.5: the infamous cybercrime rig "FIN7" continues its activities
Malwarebytes | a year ago | Black Basta ransomware attacks Yellow Pages Canada
Flashpoint | 9 months ago | Cyber Threat Intelligence Index: July 2023
CERT-EU | 6 months ago | Ransomware actor exploits unsupported ColdFusion servers — but comes away empty-handed