Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Cracked Version CobaltStrike 4.0 Now Available to Threat Actors

While hunting for malware on VirusTotal on March 20th, Binary Defense analysts discovered a fully functioning copy of CobaltStrike 4.0 which apparently had been cracked to remove its software licensing restrictions. On March 21st, a Chinese software pirate published an article confirming CobaltStrike’s cracked status. 

CobaltStrike, a $3500 commercially-available tool, is designed for penetration testers to simulate attacks on networks, similar to Metasploit. However, as the tool simulates attacks by carrying out these attacks, threat actors also use it. Many prolific cyber-criminal groups including FIN7 and the “Cobalt Gang” as well as nation-state backed threat groups including Russian APT29 have used previous versions of Cobalt Strike in attacks against companies and government agencies. Using a custom programming language, attackers can generate payloads that are customized for each victim. With built-in capabilities for spreading, Kerberroasting, credential theft, and many other features, CobaltStrike is a formidable weapon for any attacker.

Analyst Notes

Binary Defense predicts that it is likely that more actors will upgrade their operations to begin using the new version of CobaltStrike 4.0 in the coming weeks since it is now possible to use it without registering or paying license fees. Since many of CobaltStrike’s stagers are Powershell based, Binary Defense recommends enabling additional Powershell logging options such as script block logging, combined with solutions such as Sysmon logging and Endpoint Detection and Response (EDR) services. Stopping network profiling and lateral movement from threat actors using CobaltStrike is crucial in containing intrusions in the early stages before they have time to cause more significant damage.