Cobalt Strike first appeared in 2012 in response to alleged flaws in the Metasploit Framework, an existing red team (penetration testing) tool. Cobalt Strike 3.0 was released in 2015 as a stand-alone opponent emulation platform. However, researchers began observing threat actors using Cobalt Strike by 2016. Cobalt Strike’s use in hostile activities was previously connected with huge cybercriminal operations like TA3546 and APT40. Cobalt Strike is a legitimate Pen test (penetration testing) toolkit that deploys “beacons” on infected devices to perform malicious behaviors. It is commonly used in ransomware attacks.
Cobalt Strike allows the attacker to install a Beacon agent on the victim’s PC, which gives them access to a variety of tools, including command execution, file transfer, keylogging, mimikatz, port scanning, and privilege escalation. Cobalt Strike includes a toolkit called Artifact Kit that is used to create shellcode loaders.
Ukraine is under attack using the Cobal Strike Beacon malware. Emails with the topic “Urgent!” are being circulated and If you open a document and activate a macro, the macro will download, create on disk and run the file “pe.dll”. Other filenames are: