Cobaltstrike

Malware Profile Updated 2 months ago
CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software, including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

Infected versions of the VNote and Notepad text editors have been found to carry a CobaltStrike agent loader inside, as have Linux- and macOS-targeted apps containing backdoors for unauthorized remote access that resemble the Geacon project, which is connected to CobaltStrike and BeaconTool. In October, a report identified the banking Trojan IcedID in a forked-variant infection that involved CobaltStrike; the malware was observed to give the operators "hands on the keyboard" access approximately 95 minutes after initial infection. Attackers were found deploying tools like CobaltStrike to escalate privileges using injections and exploits. Additionally, an application similar to Geacon, an open-source implementation of the CobaltStrike agent written in Go, was discovered acting as a backdoor that allowed unauthorized access to infected systems.

A specific CobaltStrike attack was observed starting from a file named "COVID-19 Case 12-11-2020(1).exe". The malware copied itself to "C:\Users\Public\Music\WinWord.exe", established persistence by creating a "Microsof" value under the Run registry key, and began communicating with the CobaltStrike Command & Control server at "www.updatecatalogs.com". SysAid's analysis of these attacks revealed that attackers also use a second PowerShell script to erase evidence of their actions, and that they download a CobaltStrike listener onto victim hosts, likely for persistence.

The use of CobaltStrike and other post-exploitation frameworks is more common on Windows but has been observed on Linux as well.
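The attack described above leaves three host-observable traces: the dropped copy under C:\Users\Public\Music, the "Microsof" Run-key value, and DNS resolution of the C2 domain. The following script, added here as an illustration and not part of this profile or any vendor tooling, checks a stream of endpoint events for those indicators. The JSON-lines event format (fields `event`, `path`, `key`, `data`, `query`) and the sample log are constructed for the example; the two heuristic rules that flag any executable or Run-key target under C:\Users\Public go beyond the profile's exact indicators and are my assumption about what a defender would also want to see.

```python
import json
import re

# Indicators taken from the profile text above (case-insensitive comparison).
SUSPECT_FILE = r"c:\users\public\music\winword.exe"
SUSPECT_RUN_VALUE = "microsof"
SUSPECT_C2_DOMAIN = "www.updatecatalogs.com"

# Matches "...\CurrentVersion\Run\<value name>" and captures the value name.
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)
# Assumed heuristic: C:\Users\Public is writable by every local user, so an
# executable dropped or auto-started from there deserves a look.
PUBLIC_DIR_RE = re.compile(r"c:\\users\\public\\", re.IGNORECASE)


def check_event(ev):
    """Return a list of (rule, detail) hits for one parsed event, or [] if clean."""
    hits = []
    kind = ev.get("event")
    if kind == "file_create":
        path = ev.get("path", "")
        if path.lower() == SUSPECT_FILE:
            hits.append(("known_dropped_copy", path))
        elif PUBLIC_DIR_RE.search(path) and path.lower().endswith(".exe"):
            hits.append(("exe_in_public_dir", path))
    elif kind == "registry_set":
        m = RUN_KEY_RE.search(ev.get("key", ""))
        if m:
            value_name = m.group(1)
            data = ev.get("data", "")
            if value_name.lower() == SUSPECT_RUN_VALUE:
                hits.append(("known_run_value", f"{value_name} -> {data}"))
            elif PUBLIC_DIR_RE.search(data):
                hits.append(("run_value_points_to_public_dir", f"{value_name} -> {data}"))
    elif kind == "dns_query":
        # Normalise case and a trailing dot so "WWW.x.com." still matches.
        q = ev.get("query", "").lower().rstrip(".")
        if q == SUSPECT_C2_DOMAIN:
            hits.append(("known_c2_domain", q))
    return hits


def scan_log(lines):
    """Parse JSON lines; malformed lines are reported rather than silently dropped."""
    results = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            results.append((lineno, [("unparseable_event", line[:60])]))
            continue
        hits = check_event(ev)
        if hits:
            results.append((lineno, hits))
    return results


# Constructed sample log: lines 1-3 mirror the profile's indicators, 4-5 are
# benign look-alikes, and 6 is a malformed record.
SAMPLE_LOG = [
    r'{"event": "file_create", "path": "C:\\Users\\Public\\Music\\WinWord.exe"}',
    r'{"event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsof", "data": "C:\\Users\\Public\\Music\\WinWord.exe"}',
    r'{"event": "dns_query", "query": "www.updatecatalogs.com"}',
    r'{"event": "file_create", "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}',
    r'{not json',
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        for rule, detail in hits:
            print(f"line {lineno}: {rule}: {detail}")
```

Exact-match rules such as these only catch this one reported sample; the Public-directory heuristics are what carry over to the next variant, at the cost of occasional review of legitimate installers that write there.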
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Nokoyawa | 3 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
IcedID | 2 | IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Gozi | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Blackbasta | 1 | BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Beacon
Exploit
Malware
Ransomware
Trojan
Loader
Lateral Move...
Backdoor
Windows
Sysaid
Payload
Linux
Reconnaissance
Espionage
Bot
Government
Extortion
Encryption
Github
Botnet
Crypting
T1190
PowerShell
Sandbox
Exploits
Injector
Vulnerability
Malware Loader
Apt
Cobalt Strike
Associated Malware
ID | Type | Votes | Profile Description
Gootloader | Unspecified | 3 | GootLoader is a potent malware that forms part of the GootKit malware family, which has been active since 2014. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Its primary targets are professionals working in law firms
TrickBot | Unspecified | 2 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Droxidat | Unspecified | 2 | DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c
Emotet | Unspecified | 2 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
QakBot | Unspecified | 2 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Forest | Unspecified | 1 | Forest is a potent malware that leverages the Golden Ticket, an authentication ticket (TGT), to gain domain-wide access. It exploits the TGT to acquire service tickets (TGS) used for accessing resources across the entire domain and the Active Directory (AD) forest by leveraging SID History. The malw
Quixotic | Unspecified | 1 | Quixotic is a potent malware that has been used to crypt various ransomware samples, including BlackBasta and CobaltStrike. In May 2023, it was utilized to encrypt a BlackBasta ransomware sample, while in October 2022, it played a significant role in a CobaltStrike sample used in a BlackBasta attack
Anubis | Unspecified | 1 | Anubis, also known as IcedID or Bokbot, is a sophisticated piece of malware primarily functioning as a banking trojan. It was first discovered by X-Force in September 2017 and has since evolved to target a wide range of financial applications. Notably, Anubis has consistently ranked among the top fi
Egregor | Unspecified | 1 | Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
Ryuk | Unspecified | 1 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Empire Powershell | Unspecified | 1 | Empire PowerShell is a type of malware, harmful software designed to exploit and damage computer systems. It can infiltrate a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data
Dridex | Unspecified | 1 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Bazarloader | Unspecified | 1 | BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Pikabot | Unspecified | 1 | PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
Squirrelwaffle | Unspecified | 1 | SquirrelWaffle, a new malware family, emerged in the threat landscape in September 2021. The infection vector is through spam emails containing malicious Office documents, specifically Microsoft Word and Excel files. The first variant mimics a DocuSign document, prompting the victim to enable editin
Diceloader | Unspecified | 1 | Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Cutwail | Unspecified | 1 | Cutwail is a notorious malware that has been associated with various botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycle. It has been implicated in the distribution of malicious payloads such as IcedID, Gozi, and Pushdo, often using crypters like Hexa, Forest, Sn
Pushdo | Unspecified | 1 | Pushdo is a type of malware that has been associated with various cyber attacks and malicious activities. First recognized in 2013, Pushdo was identified as the most widespread "bad bot," infecting over 4.2 million IPs including those of private companies, government agencies, and military networks.
Associated Threat Actors
ID | Type | Votes | Profile Description
ITG23 | Unspecified | 1 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
APT19 | Unspecified | 1 | APT19, also known as the Codoso Team, is a threat actor suspected to be sponsored by the Chinese government to some degree. This group, potentially composed of freelancers, primarily targets the legal and investment sectors. They are known for their use of sophisticated malware like BEACON and COBAL
Wizard Spider | Unspecified | 1 | Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
Toddycat | has used | 1 | ToddyCat is a sophisticated Advanced Persistent Threat (APT) actor, likely Chinese-speaking, that has been active since at least December 2020. It primarily operates in Asia, targeting government entities in Malaysia, Thailand, and Pakistan. In 2022, Kaspersky reported finding ToddyCat actors using
Toddycat Apt | Unspecified | 1 | The ToddyCat APT (Advanced Persistent Threat) is a threat actor group that conducts espionage by infiltrating networks with loaders and Trojans. This group utilizes a variety of tools, including standard loaders, tailored loader, Ninja LoFiSe, DropBox uploader, Pcexter, Passive UDP backdoor, and Cob
APT29 | Unspecified | 1 | APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2020-1472 | Unspecified | 1 | CVE-2020-1472, also known as the ZeroLogon vulnerability, is a critical-severity privilege escalation flaw in Microsoft's Netlogon Remote Protocol. It was patched by Microsoft on August 11, 2020. This vulnerability allows attackers to gain administrative access to a Windows domain controller without
Zerologon | Unspecified | 1 | Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi
Source Document References
Information about the Cobaltstrike malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
SANS ISC | 2 months ago | Malicious Python Script with a "Best Before" Date - SANS Internet Storm Center
Securelist | 2 months ago | Non-mobile malware statistics, Q1 2024
CERT-EU | 4 months ago | 18th March – Threat Intelligence Report | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 4 months ago | 18th March – Threat Intelligence Report - Check Point Research
Securelist | 4 months ago | Infected text editors load backdoor into macOS
Unit42 | 7 months ago | From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence
CERT-EU | 7 months ago | New Rhysida Ransomware Attacking Government and IT Industries | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE | 7 months ago | LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
BankInfoSecurity | 9 months ago | MOVEit Hackers Turn to SysAid Zero-Day Bug
Checkpoint | 8 months ago | The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks - Check Point Research
CERT-EU | 8 months ago | Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability | Zscaler
CERT-EU | 9 months ago | The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
CERT-EU | 9 months ago | New Gootloader Malware Abuses RDP to Spread Rapidly
Yoroi | 9 months ago | SysAid vulnerability actively exploited in the wild - Yoroi
CERT-EU | 9 months ago | SysAid Zero-Day Vulnerability Exploited By Lace Tempest | Rapid7 Blog
CERT-EU | 9 months ago | IBM: New Gootloader Variant Moves Laterally and Is Harder to Detect
InfoSecurity-magazine | 9 months ago | GootBot Implant Heightens Risk of Post-Infection Ransomware
CERT-EU | 9 months ago | IBM X-Force Discovers Gootloader Malware Variant- GootBot
CERT-EU | 9 months ago | Ransomware actor exploits unsupported ColdFusion servers — but comes away empty-handed
CERT-EU | 9 months ago | ToddyCat APT Hackers Exploiting Vulnerable Microsoft Exchange Servers