Popular penetration testing program Cobalt Strike saw a 161% increase in malicious use from 2019 to 2020 and is considered a high-volume threat for 2021.The tool is increasingly being used by attackers as an initial access payload, meaning it’s enlisted to deploy the initial malicious payload onto victimized machines. This is a change from past instances when Cobalt Strike was used more as a second-stage tool that played a role once the targeted systems had already been accessed.

Cobalt Strike first surfaced in 2012 as a tool to help organizations detect gaps in their security defenses. The program works by emulating an actual attack from advanced threat actors, showing users exactly where their defenses are weak and in need of improvement.

Cybercriminals are able to grab Cobalt Strike through different resources. They can buy it directly from the vendor, though that requires verification. They can snag a version on the Dark Web through different hacker forums. They can even find illegitimate versions of the program. Largely used by APT groups and espionage threat actors

One group A800, which tries to deploy banking malware or malware loaders. In the past, this group downloaded a backdoor exploit called BazaLoader, which then downloaded Cobalt Strike. But in February 2021, A800 started using Cobalt Strike as a first-stage payload sent via malicious URLs.

Another group observed using Cobalt Strike is TA547. Since the middle of 2021, this group has been using malicious Microsoft Office attachments to deploy malware. In February 2021, TA547 starting exploiting Cobalt Strike as a second-stage payload for command and control communications.

A third group that likes to use Cobalt Strike is TA415,associated with the People’s Republic of China. This group was found using Cobalt Strike as a first-stage payload in the middle of 2020.

TA415 used the tool to attack organizations in the airline industry. The group may have even used Cobalt Strike in a supply chain attack against SITA, an IT provider for several airlines around the world.

Offensive security tools are not inherently evil, but it is worth examining how illegitimate use of the frameworks has proliferated among APT actors and cybercriminals alike. Threat actors are using as many legitimate tools as possible, including executing Windows processes like PowerShell and WMI; injecting malicious code into legitimate binaries; and frequently using allowable services like Dropbox, Google Drive, SendGrid, and Constant Contact to host and distribute malware.