Bleeping Computer reports that the source code for Cobalt Strike has been found publicly available on GitHub.
Hackers, from government APT groups to ransomware operators, have long favored this legitimate commercial tool, which is built for pentesters and red teams and focused on exploitation and post-exploitation. Although it is not available to ordinary users and the full version is priced at about $3,500 per install, attackers still find ways to get hold of it (for example, by relying on old, pirated, cracked and unregistered versions).
“Typically, attackers use compromised versions of Cobalt Strike to gain robust remote access to a compromised network and use it during ransomware attacks,” Bleeping Computer journalists write.
We have previously written that cybercriminals use outdated versions of Cobalt Strike as a disguise.
According to the publication, a repository containing the Cobalt Strike source code appeared on GitHub 12 days ago. Judging by the src/main/resources/about.html file, these are the sources for Cobalt Strike version 4.0, released on December 5, 2019.
In addition, as the illustration below shows, the license check is commented out in the code, so anyone who compiles it ends up with an effectively cracked build.
Information security expert Vitali Kremez of Advanced Intel, who studied the source code at the journalists' request, reports that, in his opinion, this Java code was decompiled manually. The unknown person then removed all dependencies and license checks so that the tool could be compiled again.
Since its publication, the repository has already been forked 172 times, which makes it much more difficult to prevent further distribution of the source.
“This leak can have serious consequences, as it removes the barrier to obtaining the tool and greatly simplifies the task of obtaining and changing the code for criminal groups,” Vitali Kremez warns.
The expert recalls that after source code leaks, many malicious and offensive tools “live their own lives” for years, citing Zeus 2.0.8.9 and TinyNuke as examples.
Bleeping Computer reporters contacted the developer of Cobalt Strike, the company Help Systems, for comment, wanting to verify the authenticity of the source code published on GitHub, but received no response.
As a reminder, cybersecurity specialists have opposed new Pastebin functions, which can be used in conjunction with Cobalt Strike functionality for hacking.