Cobaltstrike

Malware updated 24 days ago (2024-08-14T21:17:41.126Z)
CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunction with various other malware such as IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. It operates by launching backdoor components, providing unauthorized remote access to the infected system.

In recent years, there have been significant developments involving CobaltStrike. The threat group Earth Baku added two new loaders, CobaltStrike and SneakCross (also known as MoonWalk), to its arsenal. These loaders were used to launch backdoor components, further enhancing the group's cyber-attack capabilities. Additionally, infected versions of the text editors VNote and Notepad were discovered containing a CobaltStrike agent loader, demonstrating the malware's ability to infiltrate and compromise commonly used applications.

The CobaltStrike malware has also been linked to Linux- and macOS-targeted apps carrying backdoors for unauthorized remote access, resembling the Geacon project. This similarity suggests that CobaltStrike may share common features or origins with the open-source implementation of the Geacon agent written in Go. In a notable incident involving the banking Trojan IcedID, a variant infection was identified with BackConnect, Anubis VNC, CobaltStrike, and ConnectWise ScreenConnect. After initial infection, "hands on the keyboard" activity was detected approximately 95 minutes later, indicating rapid escalation and exploitation following infiltration.
Description last updated: 2024-08-14T21:15:42.511Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Nokoyawa | 3 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
IcedID | 2 | IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Beacon
Malware
Ransomware
Exploit
Trojan
Backdoor
Loader
Lateral Move...
Windows
Reconnaissance
Payload
Sysaid
Linux
Associated Malware
ID | Type | Votes | Profile Description
Gootloader | Unspecified | 3 | Gootloader is a malicious software (malware) known for its harmful capabilities, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Gootloader can steal personal information, disrupt o
Droxidat | Unspecified | 2 | DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c
Emotet | Unspecified | 2 | Emotet is a highly dangerous and insidious type of malware that has been active, particularly during recent summers. It is distributed primarily through documents attached to emails, using conversations found in compromised accounts. Once an unsuspecting user clicks either the enable button or an im
TrickBot | Unspecified | 2 | TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea
QakBot | Unspecified | 2 | Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw
Associated Threat Actors
ID | Type | Votes | Profile Description
Earth Baku | Unspecified | 2 | Earth Baku, a threat actor identified in the cybersecurity landscape, has been executing actions with malicious intent, posing significant challenges to cybersecurity defenses. This entity could comprise a single person, a private company, or part of a government entity. Earth Baku is known for u
Source Document References
Information about the Cobaltstrike malware was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title
Securityaffairs (24 days ago): Earth Baku APT targets Europe, the Middle East, and Africa
Trend Micro (a month ago): A Dive into Earth Baku's Latest Campaign
SANS ISC (3 months ago): Malicious Python Script with a "Best Before" Date - SANS Internet Storm Center
Securelist (3 months ago): Non-mobile malware statistics, Q1 2024
CERT-EU (6 months ago): 18th March – Threat Intelligence Report | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (6 months ago): 18th March – Threat Intelligence Report - Check Point Research
Securelist (6 months ago): Infected text editors load backdoor into macOS
Unit42 (8 months ago): From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence
CERT-EU (9 months ago): New Rhysida Ransomware Attacking Government and IT Industries | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE (9 months ago): LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
BankInfoSecurity (10 months ago): MOVEit Hackers Turn to SysAid Zero-Day Bug
Checkpoint (10 months ago): The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks - Check Point Research
CERT-EU (10 months ago): Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability | Zscaler
CERT-EU (10 months ago): The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
CERT-EU (10 months ago): New Gootloader Malware Abuses RDP to Spread Rapidly
Yori (10 months ago): SysAid vulnerability actively exploited in the wild - Yoroi
CERT-EU (10 months ago): SysAid Zero-Day Vulnerability Exploited By Lace Tempest | Rapid7 Blog
CERT-EU (10 months ago): IBM: New Gootloader Variant Moves Laterally and Is Harder to Detect
InfoSecurity-magazine (10 months ago): GootBot Implant Heightens Risk of Post-Infection Ransomware
CERT-EU (10 months ago): IBM X-Force Discovers Gootloader Malware Variant - GootBot