There have been multiple instances of Cobalt Strike (a penetration testing tool) being used maliciously for ransomware attacks or intrusion into company’s internal systems. This method of attack consists of using a botnet to distribute Cobalt Strike malware and using ransomware and PC attacks to do so. This article, therefore, discusses methods for finding web servers infected with Cobalt Strike (for legal pentesting or due to malicious intent) with Criminal IP.

What is Cobalt Strike?

Cobalt Strike is a paid penetration testing service, and plenty of Red Team users use this software to simulate penetration attacks.

침투 테스팅 도구로 사용되는 Cobalt Strike
Cobalt Strike is a tool used for penetration testing

However, not everyone uses Cobalt Strike in legally. Cyber attackers use a pirated version of this application to launch attacks on vulnerable servers. Because of this, Cobalt Strike is both classified as a useful pentesting tool and malware simultaneously.

The legal distribution of this pentesting tool means that it’s harder to determine malicious attacks launched by this software. Because of this, the Google Cloud Threat Intelligence team recently released opensource YARA rules for determining malicious Cobalt Strike attacks.

Detect BotNet Servers Infected With Cobalt Strike Malware

While we can determine Cobalt Strike attacks through open source YARA rules, there is an easier way to find servers infected with this form of malware. It’s simply a matter of using the Tag filter in Criminal IP’s Asset Search.

Search Query : “tag: Cobalt Strike”

Security OSINT 검색엔진 Criminal IP 에 "tag: Cobalt Strike" 를 검색한 결과
Results shown for “tag: Cobalt Strike” on Criminal IP

As shown in the results, there are a total of 102 servers infected with Cobalt Strike out of all external servers. These 102 servers can be considered botnet servers already infected with Cobalt Strike malware.

Of course, they may include the legally used Cobalt Strike, so not all of them can be judged as attacks. However, the discovered servers are either allowing access to internal systems or are highly likely to be infected with ransomware.

Statistics Show that Country with most servers infected with Cobalt Strike Malware is China

A total of 54 botnet servers are located in China, making it the country that owns most of the Cobalt Strike malware-infected servers.

Criminal IP로 탐지된 Cobalt Strike 감염 서버 국가 통계, 1위는 중국이다
Country statistics shown on Criminal IP determine that China owns the most Cobalt Strike infected servers

Furthermore, port statistics show that most servers have infected port 80 or 8080.

Criminal IP로 탐지된 Cobalt Strike 감염 서버 포트 통계, 대부분 80 포트로 탐지 되었다
Statistics shown regarding open ports of Cobalt Strike infected servers. As shown above, most of them have infected port 80

Cobalt Strike Beacon Malware-Infected BotNet Servers

We can further analyze the IP intelligence of BotNet IP Addresses with Beacon installed by Cobalt Strike through Criminal IP Asset Search.

Cobalt Strike 로 인해 Beacon 악성코드에 감염된 봇넷 IP 주소 인텔리전스 분석 결과
IP Intelligence analysis results of BotNet servers infected with Beacon malware by Cobalt Strike

This IP address’s Inbound Critical Scoring yield a danger level of 99%. This is because Criminal IP detected that this IP could be used in a cyber attack, or was used for it.

Check the Cobalt Strike tag in TCP 80 of available Banner Information to find Cobalt Strike data associated with the server.

봇넷 IP 주소의 80 포트 의 배너 정보, Cobalt Strike 정보가 포함되어있다
Data about Cobalt Strike is included in Banner Information along with BotNet IP address and open Port 80

As shown above, Criminal IP can easily find servers infected with Cobalt Strike Beacon. This can be detected through the Criminal IP Search Engine. Users can automatically detect infected servers with APIs. Furthermore, information about these infected BotNet servers can be gathered to create an Inbound IP Blacklist to prevent these servers from spreading malware.

For more content related to this discussion, check out this article about Cryptojacking, and how your device could potentially be mining crypto behind your back.

Source : Criminal IP (

Related Article(s) :