While hunting for malware on VirusTotal on March 20th, Binary Defense analysts discovered a fully functioning copy of Cobalt Strike 4.0 which apparently had been cracked to remove its software licensing restrictions. On March 21st, a Chinese software pirate published an article confirming Cobalt Strike's cracked status.
Cobalt Strike, a $3500 commercially-available tool, is designed for penetration testers to simulate attacks on networks, similar to Metasploit. However, because the tool simulates attacks by actually carrying them out, threat actors use it as well. Many prolific cyber-criminal groups including FIN7 and the "Cobalt Gang", as well as nation-state backed threat groups including Russia's APT29, have used previous versions of Cobalt Strike in attacks against companies and government agencies. Using a custom programming language, attackers can generate payloads that are customized for each victim. With built-in capabilities for lateral movement, Kerberoasting, credential theft, and many other features, Cobalt Strike is a formidable weapon for any attacker.