Cobaltstrike

Malware updated 3 months ago (2024-08-14T21:17:41.126Z)
CobaltStrike is malware (malicious software) that infiltrates systems to exploit and damage them. It can gain access through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed alongside various other malware, including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. It operates by launching backdoor components that provide unauthorized remote access to the infected system.

In recent years there have been significant developments involving CobaltStrike. The threat group Earth Baku added two new loaders, CobaltStrike and SneakCross (also known as MoonWalk), to its arsenal; these loaders were used to launch backdoor components, further extending the group's attack capabilities. Infected versions of the text editors VNote and Notepad were also discovered containing a CobaltStrike agent loader, showing that the malware can be delivered through commonly used applications.

CobaltStrike has also been linked to Linux- and macOS-targeted apps carrying backdoors for unauthorized remote access that resemble the Geacon project. This similarity suggests that CobaltStrike may share features or origins with Geacon, an open-source implementation of the agent written in Go.

In a notable incident involving the banking Trojan IcedID, a variant infection was identified together with BackConnect, Anubis VNC, CobaltStrike, and ConnectWise ScreenConnect. After the initial infection, "hands on the keyboard" activity was detected approximately 95 minutes later, indicating rapid escalation and exploitation following infiltration.
Description last updated: 2024-08-14T21:15:42.511Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Alias: Nokoyawa (3 votes)
Nokoyawa is a possible alias for Cobaltstrike. Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri

Alias: IcedID (2 votes)
IcedID is a possible alias for Cobaltstrike. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Beacon
Malware
Ransomware
Exploit
Trojan
Backdoor
Loader
Lateral Move...
Windows
Reconnaissance
Payload
Sysaid
Linux
Analyst Notes & Discussion
Associated Malware
Gootloader (association type: Unspecified; 3 votes)
The Gootloader Malware is associated with Cobaltstrike. Gootloader is a potent malware, often used as an infostealer or deployed prior to ransomware attacks. It's known for its unique approach of Search Engine Optimization (SEO) poisoning, where victims are deceived into clicking on malicious links disguised as legitimate resources. A significant campaig

Droxidat (association type: Unspecified; 2 votes)
The Droxidat Malware is associated with Cobaltstrike. DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c

Emotet (association type: Unspecified; 2 votes)
The Emotet Malware is associated with Cobaltstrike. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,

TrickBot (association type: Unspecified; 2 votes)
The TrickBot Malware is associated with Cobaltstrike. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,

QakBot (association type: Unspecified; 2 votes)
The QakBot Malware is associated with Cobaltstrike. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d
Associated Threat Actors
Earth Baku (association type: Unspecified; 2 votes)
The Earth Baku Threat Actor is associated with Cobaltstrike. Earth Baku, a threat actor linked to the China-associated APT group APT41, has emerged as a significant cybersecurity threat with operations extending beyond the Indo-Pacific region. Since late 2022, Earth Baku has expanded its malicious activities into Europe, the Middle East, and Africa. The group
Source Document References
Information about the Cobaltstrike Malware was read from the documents corpus below. This display is limited to 20 results.

Source (created)
Securityaffairs (3 months ago)
Trend Micro (3 months ago)
SANS ISC (5 months ago)
Securelist (6 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
Securelist (8 months ago)
Unit42 (a year ago)
CERT-EU (a year ago)
MITRE (a year ago)
BankInfoSecurity (a year ago)
Checkpoint (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Yori (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)