There have been multiple instances of Cobalt Strike, a commercial penetration testing tool, being used maliciously in ransomware attacks and intrusions into companies’ internal systems. In these attacks, a botnet is used to distribute the Cobalt Strike Beacon implant, and the access it provides is then used to deploy ransomware and attack internal PCs. This article therefore discusses how to find servers running Cobalt Strike, whether for legitimate pentesting or with malicious intent, using Criminal IP.
What is Cobalt Strike?
Cobalt Strike is a commercial (paid) penetration testing and adversary simulation tool, and many red teams use it to simulate real intrusions.

However, not everyone uses Cobalt Strike legally. Cyber attackers use pirated or cracked versions of it to launch attacks on vulnerable servers. Because of this, Cobalt Strike is classified both as a useful pentesting tool and as malware.
Because the tool is legally sold and distributed, it is harder to tell malicious Cobalt Strike activity apart from authorized use. For this reason, the Google Cloud Threat Intelligence team recently released open-source YARA rules for detecting Cobalt Strike components.
Detect BotNet Servers Infected With Cobalt Strike Malware
While Cobalt Strike can be detected with those open-source YARA rules, there is an easier way to find internet-facing servers that are running it: use the Tag filter in Criminal IP’s Asset Search.
Search Query : “tag: Cobalt Strike”

As shown in the results, a total of 102 servers tagged Cobalt Strike were found among all externally reachable servers. These 102 servers can be regarded as Cobalt Strike team servers, that is, the command-and-control (C2) servers that Beacon implants on compromised machines report back to.
Of course, some of them may be Cobalt Strike instances used legitimately by red teams, so not all of them can be judged as attack infrastructure. However, any host that exposes a Cobalt Strike listener is controlling Beacon implants somewhere; if those implants sit on internal systems, the operator already has a foothold there, and Cobalt Strike is a common precursor to ransomware deployment.
Statistics Show That the Country With the Most Cobalt Strike Servers Is China
A total of 54 of the servers are located in China, making it the country hosting the most Cobalt Strike servers.

Furthermore, the port statistics show that most of the servers expose their Cobalt Strike listener on TCP port 80 or 8080, standard HTTP ports on which Beacon traffic blends in with ordinary web traffic.

Cobalt Strike Beacon Malware-Infected BotNet Servers
The IP intelligence for each of these Cobalt Strike Beacon C2 addresses can be examined in more detail through Criminal IP Asset Search.

This IP address’s Inbound Critical Scoring yields a danger level of 99%, because Criminal IP detected that the IP has been used in, or could be used in, a cyber attack.
Check the Cobalt Strike tag on TCP port 80 in the Banner Information to find the Cobalt Strike data associated with the server.
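As an added illustration of the kind of banner evidence a "Cobalt Strike" tag rests on (this is example code written for this article, not Criminal IP’s detection logic), the following Python scores an HTTP banner against the publicly documented fingerprint of older Cobalt Strike team servers: their embedded NanoHTTPD server answered unknown paths with a 404 whose status line carried a trailing space, with Content-Type text/plain, Content-Length 0 and no Server header. Cobalt Strike 3.13 removed the trailing space, so the check counts several weak indicators instead of relying on one. Both banners are constructed samples.

```python
"""Added example: score an HTTP banner against the publicly documented
fingerprint of pre-3.13 Cobalt Strike team servers (Fox-IT, 2019).
Constructed banners; not Criminal IP's detection logic."""

# Constructed: the classic team server 404 from its embedded NanoHTTPD server.
# Note the trailing space after "Not Found", text/plain, empty body, no Server header.
CS_BANNER = (
    "HTTP/1.1 404 Not Found \r\n"
    "Content-Type: text/plain\r\n"
    "Date: Tue, 01 Nov 2022 09:12:00 GMT\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: an ordinary nginx 404 for comparison.
NGINX_BANNER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.18.0\r\n"
    "Date: Tue, 01 Nov 2022 09:12:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 153\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head></html>"
)


def parse_banner(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body).
    Header lines are split on the first colon only; the status line keeps its
    trailing whitespace because that whitespace is one of the indicators."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def cobalt_strike_indicators(raw):
    """Return the list of matched indicators; each one is weak on its own."""
    status, headers, body = parse_banner(raw)
    found = []
    if status != status.rstrip():
        found.append("trailing whitespace in status line (NanoHTTPD quirk, fixed in 3.13)")
    if status.startswith("HTTP/1.1 404") and headers.get("content-length") == "0" and body == "":
        found.append("empty 404 body")
    if "server" not in headers:
        found.append("no Server header")
    if headers.get("content-type") == "text/plain":
        found.append("text/plain 404")
    return found


def looks_like_team_server(raw, threshold=3):
    """Flag the banner only when enough indicators co-occur, to limit false
    positives from minimal web servers that happen to share a single trait."""
    return len(cobalt_strike_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, banner in (("constructed CS banner", CS_BANNER), ("nginx", NGINX_BANNER)):
        print(name, looks_like_team_server(banner), cobalt_strike_indicators(banner))
```

Newer Cobalt Strike releases and customized Malleable C2 profiles remove these traits, which is why a scanner’s tag should combine several signals (HTTP banner, TLS certificate, Beacon staging behaviour) rather than any one of them, and why a tag is a lead to verify rather than a verdict.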

As shown above, Criminal IP makes it easy to find servers running Cobalt Strike Beacon C2 through the Criminal IP Search Engine. The same search can be automated with the Criminal IP API, and the resulting list of C2 servers can be turned into an Inbound IP Blacklist that blocks traffic from these servers and stops them from spreading malware.
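To automate the search and turn the results into the country and port statistics shown above and into an inbound blocklist, the following Python is an added example (not Criminal IP’s own code or tooling). The endpoint path, the x-api-key header and the result field names (ip_address, open_port_no, country) are assumptions to be checked against the current Criminal IP API documentation, and SAMPLE is a constructed response in that assumed shape so that everything after the live call runs offline.

```python
"""Added example: query Criminal IP for hosts tagged "Cobalt Strike", summarise
them by country and port, and emit an nftables blocklist.
Endpoint, header and field names are ASSUMED (check the current API docs)."""
import ipaddress
import json
from collections import Counter
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_URL = "https://api.criminalip.io/v1/banner/search"  # assumed path


def fetch_results(api_key, query="tag: Cobalt Strike", offset=0):
    """Live query (needs a key and network; not used by the offline part below)."""
    req = Request(API_URL + "?" + urlencode({"query": query, "offset": offset}),
                  headers={"x-api-key": api_key})  # assumed header name
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the assumed response shape (documentation IP ranges,
# plus one RFC 1918 address to show the filtering).
SAMPLE = {"status": 200, "data": {"count": 5, "result": [
    {"ip_address": "203.0.113.10", "open_port_no": 80,   "country": "CN"},
    {"ip_address": "203.0.113.10", "open_port_no": 8080, "country": "CN"},
    {"ip_address": "198.51.100.7", "open_port_no": 80,   "country": "US"},
    {"ip_address": "192.0.2.44",   "open_port_no": 443,  "country": "CN"},
    {"ip_address": "10.0.0.5",     "open_port_no": 80,   "country": "CN"},
]}}

# Ranges that can never be an internet-facing C2 and must not end up in a
# blocklist applied at the perimeter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def summarize(results):
    """Hosts per country (each IP counted once) and listeners per port."""
    rows = results["data"]["result"]
    host_country = {r["ip_address"]: r["country"] for r in rows}
    by_country = Counter(host_country.values())
    by_port = Counter(r["open_port_no"] for r in rows)
    return by_country, by_port


def blocklist(results):
    """Unique, non-internal IPv4 addresses from the results, sorted numerically."""
    ips = set()
    for r in results["data"]["result"]:
        ip = ipaddress.ip_address(r["ip_address"])
        if ip.version == 4 and not any(ip in net for net in INTERNAL_NETS):
            ips.add(ip)
    return [str(ip) for ip in sorted(ips)]


def nft_rules(ips, set_name="cobalt_strike_c2"):
    """Render an nftables snippet (load with `nft -f`) that drops inbound
    traffic from the listed addresses."""
    elems = ", ".join(ips)
    return (
        "table inet filter {\n"
        "  set " + set_name + " { type ipv4_addr; elements = { " + elems + " } }\n"
        "  chain input { type filter hook input priority 0; policy accept;\n"
        "    ip saddr @" + set_name + " counter drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    by_country, by_port = summarize(SAMPLE)
    print("by country:", dict(by_country))   # {'CN': 3, 'US': 1}
    print("by port:", dict(by_port))         # {80: 3, 8080: 1, 443: 1}
    print(nft_rules(blocklist(SAMPLE)))
```

Two design points matter in practice: each host is counted once per country even when it exposes several listeners, so the per-country figure is a host count rather than a port count; and internal ranges are filtered out before the blocklist is rendered, since a scan result containing an RFC 1918 address is noise and dropping it at the perimeter would be meaningless. Because the results also contain legitimate red team infrastructure, review the list before loading it.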
For more content related to this discussion, check out this article about Cryptojacking, and how your device could potentially be mining crypto behind your back.
Source : Criminal IP (https://www.criminalip.io/)