
Google's new YARA rules fight malicious Cobalt Strike use

Google's YARA rules detect cracked versions of Cobalt Strike's older releases so that legitimate instances of the red teaming tool, which use the latest version, aren't targeted.

Google released a set of open source YARA rules that will enable organizations to better detect malicious instances of red teaming tool Cobalt Strike.

Cobalt Strike is used in red teaming exercises to emulate a hypothetical adversary, but the tool's practical capabilities have led threat actors to repurpose cracked versions of it as a weapon for lateral movement in victim environments. Cobalt Strike is sold and developed by Fortra, a vendor that recently changed its name from HelpSystems.

Google announced via a blog post last Thursday that it had released an open source set of YARA rules -- a common means of classifying and identifying malware samples -- as a way "to help the community flag and identify Cobalt Strike's components and its respective versions." The rules were also integrated into VirusTotal and published there as a VirusTotal Collection.

"Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe," wrote Greg Sinclair, Google Cloud Threat Intelligence security engineer.

Sinclair said Google took a "surgical approach" in developing the YARA rules to ensure legitimate versions of the tool are not mistakenly flagged by organizations using the rules. Because of this, only older versions of Cobalt Strike components have the potential to be flagged. Google's rule set includes 165 signatures for 34 cracked or malicious versions of Cobalt Strike.

"The leaked and cracked versions of Cobalt Strike are not the latest versions from Fortra, but are typically at least one release version behind," Sinclair wrote. "We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products."

Sinclair noted that Fortra uses its own vetting process that "attempts to minimize the potential" of threat actors using it, but it is still regularly leaked and cracked. The aim of Google's rules is to help limit the potential damage these older versions can cause.

Cobalt Strike has been abused by ransomware gangs and other threat actors in a variety of cyberattacks. Recently, Cisco Talos researchers observed a phishing campaign that used a leaked version of the penetration testing software and targeted applicants for U.S. federal government jobs.

A Google spokesperson told TechTarget Editorial that the company collaborated with Fortra on the project. 

In a statement to TechTarget Editorial, Fortra said it takes product security very seriously and has its own team actively searching for cracked copies of Cobalt Strike. "We welcome efforts by industry partners like Google who help us track down malicious actors using older pirated copies of our software," the company said. "In the recent Google podcast announcing the YARA rules, our efforts to harden the product and limit its malicious usage were praised."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
