Google Releases YARA Rules to Disrupt Cobalt Strike Abuse

Published: 23/11/2024   Category: security




The popular pen-testing tool is often cracked and repurposed by threat actors. Google now has a plan to address that.



Cobalt Strike, a popular red-team tool for detecting software vulnerabilities, has been repurposed by cyberattackers so frequently that publisher Fortra instituted a system for vetting potential buyers. In response, malicious actors have switched to using cracked versions of the software distributed online like any other hacker tool. Google's Cloud Security team has now come up with a way to counteract these shady uses while not interfering with legitimate ones: version detection.

"Threat actors have easy access to Cobalt Strike through pirating, but these illegitimate versions usually cannot be updated," wrote Greg Sinclair, security engineer for cloud threat intelligence at Google. That provides Google researchers with a way to spot potentially malicious use by identifying the version of the software being used and flagging anything earlier than the current version.

To identify the version, Google researchers analyzed the Cobalt Strike JAR files from the past 10 years and generated signatures for the various components — 165 in all. Then the team bundled the signatures into a VirusTotal collection and released them as open source YARA rules on GitHub.
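The detection logic described above (per-version signatures for JAR components, then flagging any identified version older than the current release) can be sketched in plain Python. This is an added illustration, not Google's YARA rules or any real Cobalt Strike signature: the marker strings, the version numbers and the sample JARs are constructed for the example, and a real deployment would use the published YARA rules with a YARA engine instead.

```python
import io
import zipfile

# Constructed placeholder signatures, one per hypothetical release.
# Real rules key on actual component bytes; these markers are invented.
VERSION_SIGNATURES = {
    "4.7": b"CONSTRUCTED_MARKER_4_7",
    "4.5": b"CONSTRUCTED_MARKER_4_5",
    "4.3": b"CONSTRUCTED_MARKER_4_3",
}

# Assumed "current" release for the example; not a real version claim.
CURRENT_VERSION = "4.7"


def parse_version(version):
    """Turn '4.5' into (4, 5) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def identify_versions(jar_bytes):
    """Scan every .class member of a JAR (a zip file) and return the sorted
    set of versions whose signature appears in any component."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in jar.namelist():
            if not member.endswith(".class"):
                continue
            data = jar.read(member)
            for version, signature in VERSION_SIGNATURES.items():
                if signature in data:
                    found.add(version)
    return sorted(found, key=parse_version)


def classify_jar(jar_bytes, current=CURRENT_VERSION):
    """Return (verdict, versions). A JAR whose oldest matched component
    predates the current release is flagged as a likely cracked build."""
    versions = identify_versions(jar_bytes)
    if not versions:
        return ("unknown", versions)
    oldest = versions[0]
    if parse_version(oldest) < parse_version(current):
        return ("flag-outdated", versions)
    return ("current", versions)


def build_sample_jar(*markers):
    """Construct an in-memory JAR with one class file per marker, purely
    so the example runs offline; the content is not a real JAR payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for index, marker in enumerate(markers):
            # 0xCAFEBABE is the Java class-file magic; the rest is filler.
            jar.writestr(f"sample/Component{index}.class",
                         b"\xca\xfe\xba\xbe" + marker)
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (build_sample_jar(b"CONSTRUCTED_MARKER_4_3"),
                   build_sample_jar(b"CONSTRUCTED_MARKER_4_7"),
                   build_sample_jar(b"no known marker here")):
        print(classify_jar(sample))
```

The version comparison is done on integer tuples so that a hypothetical "4.10" sorts after "4.7"; comparing the strings directly would get that wrong. Because a cracked build can mix components from different releases, the scanner reports every matched version and flags on the oldest one rather than stopping at the first hit.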
"Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe," Sinclair wrote.

Earlier in November, Google Cloud Threat Intelligence released on GitHub a similar set of signatures to detect Sliver, as Bleeping Computer pointed out. The command-and-control framework has been supplanting Cobalt Strike as the repurposed security tool of choice by some threat actors.
