Specialists Uncover New Cobalt Strike Server Group
Specialists at Hunt found a group of servers running the latest version of Cobalt Strike, 4.10, which was released in July 2024. Despite efforts to prevent unauthorized use, attackers continue to abuse Cobalt Strike for malicious purposes. These servers are identified by a unique watermark, present at only 5 other IP addresses on the Internet. The initial data surfaced on November 19, revealing that the domains associated with these servers mimicked well-known brands, possibly as part of a phishing scheme. Most of the servers are hosted on Amazon infrastructure in the United States, with one using Microsoft services. All servers use port 80 for connections and share similar configurations, including the same SSH key, certificates, and redirect settings.

The enhancements in Cobalt Strike 4.10 include BeaconGate for concealing actions, Sleepmask-VS for masking activity while the beacon sleeps, and the Postex Kit for building post-exploitation tools. While these capabilities are meant for legitimate red-team use, they are being exploited by attackers.

Researchers also found that the watermark “688983459” appeared on only 7 IP addresses, linking the servers to domains such as downloads.toptechmanagementgroup[.]com and downloads.helpsdeskmicrosoft[.]com, which resemble company names. It is suspected that such domains are being used to disguise malicious traffic or to target attacks on particular industries. Further analysis uncovered another set of servers bearing the watermark “1,” which is often associated with cracked versions of Cobalt Strike. While there were no direct ties to known attacks such as FINSPY, the discovery underscores the value of examining uncommon and unique identifiers. No recent TLS records were found for these servers, indicating either an early stage of operation or efforts to evade detection.
Some payloads were extracted for analysis, with the goal of enhancing security measures, creating new threat detection signatures, and gaining insight into attackers’ tactics.
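As an added example (not code from Hunt's report), the following Python decodes a Beacon configuration blob and pulls out the port and watermark that the report keys on, then flags configs whose watermark is one of the two values described above. The setting indices, value types and the 0x2E XOR key follow the publicly documented Beacon config layout and are assumptions of this example; the sample config bytes and the C2 host in them are constructed.

```python
import struct
# Setting indices/types follow the publicly documented Beacon config layout
# (an assumption of this example, not something the article states).
SETTING_PORT, SETTING_C2SERVER, SETTING_WATERMARK = 2, 8, 37
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
XOR_KEY_V4 = 0x2E  # single-byte XOR key documented for 4.x configs (assumption)

def build_setting(index: int, vtype: int, value) -> bytes:
    """Encode one setting as index(u16) | type(u16) | length(u16) | value, big-endian."""
    if vtype == TYPE_SHORT:
        payload = struct.pack(">H", value)
    elif vtype == TYPE_INT:
        payload = struct.pack(">I", value)
    else:
        payload = bytes(value)
    return struct.pack(">HHH", index, vtype, len(payload)) + payload

def parse_beacon_settings(blob: bytes, key: int = XOR_KEY_V4) -> dict:
    """XOR-decode a config blob and return {index: value}; a zero index terminates."""
    data = bytes(b ^ key for b in blob)
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        index, vtype, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:
            break
        raw = data[pos:pos + length]
        if len(raw) != length:
            raise ValueError(f"setting {index} truncated")
        pos += length
        if vtype == TYPE_SHORT:
            settings[index] = struct.unpack(">H", raw)[0]
        elif vtype == TYPE_INT:
            settings[index] = struct.unpack(">I", raw)[0]
        else:
            settings[index] = raw.rstrip(b"\x00").decode("latin-1")
    return settings

def matches_reported_cluster(settings: dict) -> bool:
    """True when the watermark is one the report ties to these servers (688983459 or 1)."""
    return settings.get(SETTING_WATERMARK) in (688983459, 1)

# Constructed sample config (placeholder C2 host, not a real indicator).
SAMPLE_CONFIG = bytes(
    b ^ XOR_KEY_V4 for b in
    build_setting(SETTING_PORT, TYPE_SHORT, 80)
    + build_setting(SETTING_C2SERVER, TYPE_DATA, b"c2.example.invalid,/download")
    + build_setting(SETTING_WATERMARK, TYPE_INT, 688983459)
    + struct.pack(">HHH", 0, 0, 0)  # terminator
)
```

Run `parse_beacon_settings` over a config recovered from a real sample to get the watermark and port, and use `matches_reported_cluster` as a simple triage filter for the two watermark values discussed here.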
Cobalt Strike 4.10: Watermarks and Phishing Threats