Cobalt Strike Attacks

Posted on November 20, 2020 by John Limb

In the past few weeks, we have seen a significant increase in malicious attacks by bad actors using Cobalt Strike. Cobalt Strike is a legitimate tool that gives penetration testers access to many different attack capabilities. The issue arises when this toolkit gets into the wrong hands. Predominantly, we have been seeing Cobalt Strike deploy an agent named "Beacon" for post-exploitation. A successful Beacon deployment can lead to a Ryuk ransomware attack.

This week, BraintraceLABS is reporting Cobalt Strike as the most seen malware. Cobalt Strike enters the network in various ways, including via malware such as BazarLoader. That malware can be installed with different tricks. The most common is a phishing campaign in which the victim is tricked into clicking a link and downloading a file, typically a Word or Excel document. The user is then tricked into enabling a macro. Once the macro is enabled, the malware executes and gets into the network.

According to Microsoft, Cobalt Strike is also being deployed through online ads claiming to offer a Microsoft Teams update. The bad actor tricks the victim into clicking on a fake online ad. These advertisements send the victim to a domain under the control of the bad actor, and a download begins when the victim clicks the link. Instead of receiving the update, the user downloads the payload, which can contain Cobalt Strike.

Dragonfly's Encrypted Payload Analytics (EPA) prediction model identifies Cobalt Strike Beacon communications.

Braintrace's Dragonfly is reporting the C2 indicators of compromise below for Cobalt Strike.

IP ADDRESS           WEB HOSTNAME         COUNTRY        AS LABEL                          AS NUMBER
31[.]44[.]184[.]131                       Russia         Petersburg Internet Network ltd.  44,050
                     livenx[.]com         United States  Leaseweb USA, Inc.                396,362
                     stylesam[.]com       United States  Leaseweb USA, Inc.                30,633
                     epicnut[.]com        United States  Leaseweb USA, Inc.                7,203
                     sslcar[.]com         United States  Leaseweb USA, Inc.                19,148
                     beltpost[.]com       United States  TeraSwitch Networks Inc.          20,326
                     idrivehelper[.]com   Switzerland    Private Layer INC                 51,852
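One way to put the indicators above to use is to refang the "[.]" notation and sweep proxy, DNS and firewall logs for them. The script below is an added example and is not Braintrace's or Dragonfly's code; the log lines are constructed for illustration, and treating a subdomain of a listed domain (for example cdn.livenx.com) as a hit is a design choice assumed here, not something the post states.

```python
"""Sweep free-text log lines for the Cobalt Strike C2 indicators listed in the post."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators exactly as published in the post, in their defanged "[.]" form.
# Fields: indicator, country, AS label, AS number.
DEFANGED_IOCS: List[Tuple[str, str, str, int]] = [
    ("31[.]44[.]184[.]131", "Russia", "Petersburg Internet Network ltd.", 44050),
    ("livenx[.]com", "United States", "Leaseweb USA, Inc.", 396362),
    ("stylesam[.]com", "United States", "Leaseweb USA, Inc.", 30633),
    ("epicnut[.]com", "United States", "Leaseweb USA, Inc.", 7203),
    ("sslcar[.]com", "United States", "Leaseweb USA, Inc.", 19148),
    ("beltpost[.]com", "United States", "TeraSwitch Networks Inc.", 20326),
    ("idrivehelper[.]com", "Switzerland", "Private Layer INC", 51852),
]


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a matchable host or IP."""
    return indicator.replace("[.]", ".").strip().lower()


# Lookup table keyed by the refanged indicator -> (country, AS label, AS number).
IOC_TABLE: Dict[str, Tuple[str, str, int]] = {
    refang(ioc): (country, as_label, asn) for ioc, country, as_label, asn in DEFANGED_IOCS
}

# Permissive token pattern: IPv4 dotted quads or DNS-style hostnames.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def match_indicator(host: str) -> Optional[str]:
    """Return the listed indicator that `host` matches, or None.

    Hostnames match exactly or as a subdomain of a listed domain (assumed
    design choice); IP addresses must match exactly.
    """
    host = host.lower().rstrip(".")
    if host in IOC_TABLE:
        return host
    try:
        ipaddress.ip_address(host)
        return None  # IPs: exact match only, no prefix logic
    except ValueError:
        pass
    labels = host.split(".")
    # Walk parent domains, stopping before the bare TLD.
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in IOC_TABLE:
            return parent
    return None


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str, int]]:
    """Return (line_no, observed host, matched indicator, AS number) for every hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for token in HOST_RE.findall(line):
            matched = match_indicator(token)
            if matched is not None:
                hits.append((line_no, token.lower(), matched, IOC_TABLE[matched][2]))
    return hits


# Constructed sample log lines (not from the post); line 5 is a lookalike that must NOT match.
SAMPLE_LOGS = [
    "2020-11-20T10:15:03Z proxy client=10.0.0.5 url=https://stylesam.com/updates/teams.exe status=200",
    "2020-11-20T10:15:04Z dns client=10.0.0.5 query=cdn.livenx.com type=A",
    "2020-11-20T10:15:09Z proxy client=10.0.0.7 url=https://www.microsoft.com/teams status=200",
    "2020-11-20T10:16:00Z fw client=10.0.0.5 dst=31.44.184.131 dport=443 action=allow",
    "2020-11-20T10:16:02Z dns client=10.0.0.8 query=livenx.com.example.org type=A",
]

if __name__ == "__main__":
    for line_no, seen, ioc, asn in scan_log_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {seen} matches C2 indicator {ioc} (AS{asn})")
```

The parent-domain walk deliberately stops before the bare TLD so that a hit on "livenx.com" never degrades into matching every ".com" host, and the lookalike "livenx.com.example.org" on the last sample line is correctly ignored because only its suffixes are checked.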

If you have any questions or concerns about Trickbot and Ryuk, please feel free to contact us at
