Google releases YARA Rules to detect and deter malicious Cobalt Strike attacks

SECURITY

Google LLC’s Cloud Security team released a set of YARA Rules Nov. 17 to help detect and deter malicious attacks that use Cobalt Strike.

Cobalt Strike is penetrative testing software with legitimate uses to test security but can also be used by bad actors to attack a company. The software has been popular for years among hacking groups to identify security issues that can be exploited. Previously requiring a paid subscription to use, the source code for Cobalt Strike was allegedly leaked in 2020, giving hackers free access to the tool to undertake malicious campaigns.

Greg Sinclair, a security engineer for cloud threat intelligence at Google, explained that the set of open-source YARA Rules and their integration as a VirusTotal Collection will help the community flag and identify Cobalt Strike components and versions. “Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use, we can help protect organizations, their employees, and their customers around the globe,” Sinclair said.

YARA is a tool primarily used in malware research and detection that provides a rules-based approach to create descriptions of malware families based on textual or binary patterns. Google’s new YARA rules detect malicious uses of Cobalt Strike.

The new YARA Rules deliver a high degree of accuracy in detecting malicious variants of Cobalt Strike in the wild. Each version of Cobalt Strike contains about 10 to 100 attack template binaries that the YARA Rules can detect to ascertain whether the software is being used maliciously.

“We wanted to enable better detection of actions done by bad actors and we needed a surgical approach to excise the bad versions while leaving the legitimate ones untouched,” Sinclair said. “By targeting only the non-current versions of the components, we can leave the most recent versions alone, the version that paying customers are using.”

Matt Mullins, senior security researcher at cybersecurity training company Cybrary Inc., told SiliconANGLE today that the efforts to identify the leaked or cracked versions of Cobalt Strike are a great start for the digital forensics and incident response community.

“The rules provided specifically call out each version, the critical strings and naming conventions for the defaults of that version, as well as some of the critical aspects of assembly associated with those actions,” Mullins explained. “This provides a very high fidelity detection of those versions associated, which are being widely spread and used by threat actors.”

Mullins added that the information “takes a lot of the heavy lift away from internal teams that might not have the technical skillset or resources to triangulate onto the discernable bits effectively” and that the release is going to “impact the return on investment of criminal groups.”

Image: Google