Cybercriminals use outdated versions of Cobalt Strike for masking

Although the developers of the Cobalt Strike framework released updates in January and May of this year (versions 3.13 and 3.14 respectively), dozens of servers are still running outdated releases, and some of them use pirated, cracked or unregistered copies of Cobalt Strike.

Cobalt Strike is a penetration-testing framework that lets an operator deliver a payload to a target computer and control it afterwards.

In other words, the tool is intended solely for lawful use. Beyond the steep license price ($3.5 thousand), the developers took measures to keep the tool out of the hands of intruders, including vetting customers and restricting sales outside the United States and Canada. Nevertheless, cybercriminals find ways to obtain a licensed copy of the tool, and some are even willing to pay $25 thousand for one.

Cracked versions of Cobalt Strike are available on the Internet, but they often contain backdoors or lack some of the functions of the original. In addition, such copies cannot be updated.

“The detection of Cobalt Strike servers can aid defenders in creating alerts in their enterprise networks, providing a proactive measure to get ahead of their red team, criminal operations, or state-sponsored adversaries”, note specialists from Recorded Future.

There are several signs that help identify vulnerable Cobalt Strike servers: use of the default TLS certificate that ships with the framework; in active DNS mode, the Cobalt Strike DNS server answers every query with the same fake IP address; an open port 50050/TCP (the team server port); a “404 Not Found” HTTP response in the form typical of NanoHTTPD web servers; and an extra space in the server's HTTP responses (this quirk was fixed in Cobalt Strike version 3.13).
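As an added example (not code from Recorded Future or from the article), the following Python checks captured HTTP responses and DNS log lines for three of the traits just listed: the trailing space in the status line, the bare NanoHTTPD-style 404, and a DNS server that answers every name with one IP. The exact header shape of the 404 reply, the log format and all sample values are assumptions constructed here.

```python
"""Passive fingerprinting of the Cobalt Strike team-server traits listed above.

Added example, not Recorded Future's tooling; header shapes are assumptions."""
import re
from collections import defaultdict

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ([^\r\n]*)\r\n")


def fingerprint_http_response(raw: bytes):
    """Return the names of the indicators that one raw HTTP response matches."""
    hits = []
    m = STATUS_LINE.match(raw)
    if not m:
        return hits
    code, reason = m.groups()
    # Team servers before 3.13 emitted a trailing space after the reason phrase.
    if reason.endswith(b" "):
        hits.append("extra-space-status-line")
    headers = {}
    for line in raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # Bare NanoHTTPD-style 404: text/plain, empty body, no Server header
    # (assumed shape; tune the rule against your own captures).
    if (code == b"404" and headers.get(b"content-type") == b"text/plain"
            and headers.get(b"content-length") == b"0" and b"server" not in headers):
        hits.append("nanohttpd-404")
    return hits


def suspicious_dns_servers(log_lines, min_names=5):
    """Map server -> answer for servers that gave one single IP to many names.

    Line format (constructed): 'server query_name answer_ip'."""
    names, answers = defaultdict(set), defaultdict(set)
    for line in log_lines:
        server, qname, answer = line.split()
        names[server].add(qname)
        answers[server].add(answer)
    return {s: next(iter(answers[s])) for s in names
            if len(names[s]) >= min_names and len(answers[s]) == 1}


# Constructed samples: a pre-3.13-style reply, an ordinary nginx reply, a DNS log.
OLD_CS = (b"HTTP/1.1 404 Not Found \r\nContent-Type: text/plain\r\n"
          b"Date: Thu, 06 Jun 2019 10:00:00 GMT\r\nContent-Length: 0\r\n\r\n")
NGINX = b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
DNS_LOG = [f"203.0.113.9 host{i}.example.test 0.0.0.0" for i in range(6)] + [
    f"198.51.100.2 host{i}.example.test 192.0.2.{i}" for i in range(6)]
```

Run over real captures, treat a match as a reason to look closer rather than as proof: a legitimate red team or a hobbyist NanoHTTPD deployment can trip the same rules.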

By combining several methods, Recorded Future experts were able to identify 104 servers using the framework.

Cybercriminals prefer outdated versions of the tool so as not to attract additional attention, as long as other hacker groups have not yet switched to new versions of Cobalt Strike. Another reason may be that custom changes made to a build could be lost when upgrading to a fresh one, experts say.

“Using hacked versions of Cobalt Strike or deploying standard copies of Cobalt Strike allows you to disguise threats and complicate identification. In addition, using hacked versions, attackers can ‘mingle’ with outdated Cobalt Strike releases”, the researchers explained.


Cobalt Strike is an exploitation platform developed for the use of security professionals in emulating targeted attacks and post-exploitation actions by advanced adversaries. The tool, developed and licensed by Strategic Cyber LLC, a company based in Washington, D.C., is monitored for illicit usage by the firm and is subject to export controls.



Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
