Cobalt Strike, a commercial penetration testing tool, has repeatedly been misused in ransomware attacks and intrusions into corporate internal networks. In these campaigns, attackers use botnets to distribute the Cobalt Strike payload and then use the resulting foothold to deploy ransomware and attack PCs. This article therefore discusses how to find web servers running Cobalt Strike, whether for legitimate pentesting or with malicious intent, using Criminal IP.
What is Cobalt Strike?
Cobalt Strike is commercial penetration testing and adversary simulation software, and many Red Teams use it to simulate real attacks.
However, not everyone uses Cobalt Strike legally. Cyber attackers use cracked or leaked copies of the software to launch attacks against vulnerable servers. Because of this, Cobalt Strike is classified both as a useful pentesting tool and as malware.
Because Cobalt Strike is legitimately distributed, it is harder to tell malicious use apart from authorized use. For this reason, the Google Cloud Threat Intelligence team recently released open source YARA rules for detecting Cobalt Strike components.
Detect BotNet Servers Infected With Cobalt Strike
While Cobalt Strike can be detected with those open source YARA rules, there is an easier way to find exposed servers running it: use the Tag filter in Criminal IP’s Asset Search.
Search Query : “tag: Cobalt Strike”
As shown in the results, a total of 102 externally reachable servers are tagged as Cobalt Strike. A large share of these are likely botnet infrastructure, that is, servers hosting Cobalt Strike Beacon for malicious use.
A few of these servers may run Cobalt Strike for legitimate penetration testing. However, every server shown here accepts connections from the internet, which makes malicious use more likely and raises the chance that the server is being used to spread ransomware.
China Is the Country With the Most Cobalt Strike Infected Servers
A total of 54 of these botnet servers are located in China, making it the country hosting the most Cobalt Strike infected servers.
Furthermore, the port statistics show that most of these servers expose Cobalt Strike on port 80 or 8080.
Cobalt Strike Beacon Malware-Infected BotNet Servers
We can analyze the IP intelligence for a botnet IP address with Cobalt Strike Beacon installed in more depth through Criminal IP Asset Search.
This IP address’s Inbound score is Critical, with a danger level of 99%, because Criminal IP determined that the IP has been used in a cyber attack or could be used in one.
Check the Cobalt Strike tag under TCP port 80 in the Banner Information to see the Cobalt Strike data associated with the server.
As shown above, Criminal IP can easily find servers infected with Cobalt Strike Beacon through the Criminal IP Search Engine, and users can automate this detection with the API. The information gathered on these infected botnet servers can also be used to build an Inbound IP Blacklist that prevents them from spreading malware to your network.
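The following script is an added example, not code from Criminal IP, showing what a practitioner would do with the search results described above: reproduce the country and port statistics from a result set, then turn the tagged hosts into an inbound blocklist while excluding the team server of your own authorized red team. The records are constructed test data using TEST-NET addresses, and the field names (ip, country, port, tags) are an assumption about the export/API format, not Criminal IP’s actual schema. Rows whose IP does not parse are dropped so that a malformed string never reaches the firewall.

```python
"""Summarise "tag: Cobalt Strike" search results and build an inbound blocklist.

Added example, not code from Criminal IP. The result records below are
constructed and their field names (ip, country, port, tags) are an
assumption about the export/API format, not the real schema.
"""
from collections import Counter
import ipaddress

# Constructed stand-in for an Asset Search result export (TEST-NET addresses).
SAMPLE_RESULTS = [
    {"ip": "203.0.113.10", "country": "CN", "port": 80,    "tags": ["Cobalt Strike"]},
    {"ip": "203.0.113.11", "country": "CN", "port": 8080,  "tags": ["Cobalt Strike"]},
    {"ip": "198.51.100.5", "country": "US", "port": 80,    "tags": ["Cobalt Strike"]},
    {"ip": "198.51.100.5", "country": "US", "port": 443,   "tags": ["Cobalt Strike"]},  # same host, 2nd port
    {"ip": "192.0.2.77",   "country": "DE", "port": 50050, "tags": ["Cobalt Strike"]},
    {"ip": "192.0.2.200",  "country": "KR", "port": 80,    "tags": ["nginx"]},          # not tagged
    {"ip": "not-an-ip",    "country": "??", "port": 80,    "tags": ["Cobalt Strike"]},  # malformed row
]

# Our own red team's team server: tagged like the rest but must not be blocked.
# Hypothetical address chosen for the example.
AUTHORIZED_PENTEST_HOSTS = {"192.0.2.77"}

TAG = "cobalt strike"


def cobalt_strike_hosts(records):
    """Group tagged records by IP: {ip: {"country": str, "ports": set}}.

    Tag matching is case-insensitive and exact. Rows whose IP does not parse
    are skipped rather than being passed on to the firewall.
    """
    hosts = {}
    for rec in records:
        if TAG not in (t.lower() for t in rec.get("tags", [])):
            continue
        try:
            ip = str(ipaddress.ip_address(rec["ip"]))
        except ValueError:
            continue
        entry = hosts.setdefault(ip, {"country": rec.get("country", "?"), "ports": set()})
        entry["ports"].add(int(rec["port"]))
    return hosts


def country_summary(hosts):
    """Distinct tagged hosts per country (a host is counted once)."""
    return Counter(h["country"] for h in hosts.values())


def port_summary(hosts):
    """Tagged hosts exposing each port (a host may appear under several ports)."""
    return Counter(p for h in hosts.values() for p in h["ports"])


def build_blocklist(hosts, allowlist=frozenset()):
    """Sorted list of IPs to block inbound, minus known authorized pentest hosts."""
    ips = [ip for ip in hosts if ip not in allowlist]
    # Sort by address family first so IPv4 and IPv6 entries never get compared.
    return sorted(ips, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))


def render_iptables(blocklist):
    """One DROP rule per address; use an ipset/nftables set for large lists."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in blocklist]


if __name__ == "__main__":
    hosts = cobalt_strike_hosts(SAMPLE_RESULTS)
    print("hosts by country:", dict(country_summary(hosts)))
    print("hosts by port:", dict(port_summary(hosts)))
    for rule in render_iptables(build_blocklist(hosts, AUTHORIZED_PENTEST_HOSTS)):
        print(rule)
```

On the constructed data this reports China as the top country (2 hosts), port 80 as the most common port, and emits DROP rules for three addresses, leaving the authorized team server out. Running it against a real export only requires replacing SAMPLE_RESULTS with the exported records, after checking that the field names match.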
For more content related to this discussion, check out this article about Cryptojacking and how your device could be mining crypto behind your back.