A security researcher has discovered several key pairs used to encrypt the traffic between rogue Cobalt Strike beacons and their command-and-control servers, enabling the decryption of the communications for several hundred beacons deployed by malicious actors.
Cobalt Strike is a popular adversary emulation platform used extensively by red teams in security testing operations. It has also become very popular with cybercrime groups, and many ransomware operators deploy cracked or rogue versions of Cobalt Strike as part of their intrusions. The beacon is the main payload that the platform deploys after the initial exploitation of a system, and it has the ability to log keystrokes, download files, and run commands from the remote C2 server.
Those commands are sent via an encrypted channel by default, and the traffic is encrypted using AES. After installation, each beacon generates a unique AES key and sends it to the C2 server in a metadata file that is in turn encrypted using RSA. The beacon has the RSA public key and the C2 server stores the private key, and those keys are generated the first time that the Cobalt Strike server software is used. The keys are stored in a file called .cobaltstrike.beacon_keys. Security researcher Didier Stevens of NVISO, a Belgian security firm, recently started looking at the C2-beacon communications and began fingerprinting the C2 servers exposed to the Internet in an effort to better understand how attackers are using the platform.
“As incident responders, we often encounter Cobalt Strike beacons. Years ago, life was simple: if it's Cobalt Strike, it's a red team exercise. But nowadays, a lot of criminals use rogue versions of Cobalt Strike, and the better we understand how Cobalt Strike operates and communicates, the better we can do IR,” Stevens said.
What he discovered is that there are quite a few Cobalt Strike servers that share public keys, which obviously implies that they use the same private keys, as well. A little digging on VirusTotal turned up 10 separate cracked Cobalt Strike packages that included the .cobaltstrike.beacon_keys file, something that should not be present in a legitimate version, since it is generated when the software is used the first time. From those 10 packages, Stevens pulled six unique RSA keypairs. Two of those pairs are used by 25 percent of the more than 1,500 Internet-facing Cobalt Strike servers Stevens had identified.
Stevens then incorporated those keys into a custom tool he developed that will extract the configuration of a Cobalt Strike beacon. If it finds a known public key, the tool will then display the associated known private key. This can allow researchers and investigators to decrypt the traffic between the beacon and its Cobalt Strike C2 server.
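The key chain described above (per-beacon session key wrapped with the C2 server's RSA public key, private key recoverable only if the key pair leaked) and the lookup the tool performs can be modelled in a short script. The following is an added example written for this page, not Didier Stevens' tool and not Cobalt Strike code: it uses textbook RSA on small, well-known primes so it runs on the Python standard library alone, and every key, server label, fingerprint scheme and session-key value in it is constructed. It goes slightly beyond the text by also computing what share of a surveyed server population a set of leaked private keys covers.

```python
"""Added example (not Didier Stevens' tool, not Cobalt Strike code).

Models the exchange the article describes with constructed toy values:
  - each C2 server has an RSA key pair; the beacon carries only the public key
  - the beacon RSA-encrypts its fresh session key and sends it to the C2
  - servers that share a public key necessarily share the private key, so one
    leaked pair unlocks the session keys of every beacon talking to any of them

Textbook RSA with small well-known primes stands in for real key material;
nothing here is a real key or a real Cobalt Strike data format.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p, q, e=65537):
    """Textbook RSA from two constructed primes; toy sizes, illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse of e (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def fingerprint(pub):
    """Short stable identifier for a public key (stands in for hashing its DER form)."""
    return hashlib.sha256(f"{pub.n}:{pub.e}".encode()).hexdigest()[:16]


def rsa_encrypt(pub, m):
    return pow(m, pub.e, pub.n)


def rsa_decrypt(priv, c):
    return pow(c, priv.d, priv.n)


# Constructed key pairs. A and B play the role of pairs found inside cracked
# packages (a leaked key file); C was generated on first use by one server and
# never leaked. The primes are well-known small primes, chosen for readability.
PUB_A, PRIV_A = make_keypair(104729, 1299709)
PUB_B, PRIV_B = make_keypair(15485863, 32452843)
PUB_C, PRIV_C = make_keypair(7919, 999983)

# Private keys recovered from leaked key files, indexed by public-key fingerprint.
LEAKED_PRIVATE_KEYS = {fingerprint(PUB_A): PRIV_A, fingerprint(PUB_B): PRIV_B}

# Constructed survey: (server label, public key found in that server's beacon config).
OBSERVED_SERVERS = [
    ("c2-01", PUB_A), ("c2-02", PUB_A), ("c2-03", PUB_A), ("c2-04", PUB_A),
    ("c2-05", PUB_A), ("c2-06", PUB_B), ("c2-07", PUB_B), ("c2-08", PUB_C),
]


def group_servers_by_key(observations):
    """Group servers by public key; members of one group share the private key too."""
    groups = defaultdict(list)
    for server, pub in observations:
        groups[fingerprint(pub)].append(server)
    return {fp: sorted(servers) for fp, servers in groups.items()}


def coverage(observations, known_private):
    """Fraction of observed servers whose private key is already in hand."""
    hits = sum(1 for _, pub in observations if fingerprint(pub) in known_private)
    return hits / len(observations)


def beacon_checkin(pub, session_key):
    """Beacon side: wrap the fresh per-beacon session key with the C2's public key."""
    return rsa_encrypt(pub, session_key)


def recover_session_key(pub_from_beacon, wrapped_session_key, known_private):
    """Responder side: match the beacon's public key against the leaked set and,
    on a hit, unwrap the session key that protects the rest of the traffic."""
    priv = known_private.get(fingerprint(pub_from_beacon))
    if priv is None:
        return None  # key generated on first use and never leaked: out of reach
    return rsa_decrypt(priv, wrapped_session_key)


if __name__ == "__main__":
    for fp, servers in group_servers_by_key(OBSERVED_SERVERS).items():
        print(fp, "known" if fp in LEAKED_PRIVATE_KEYS else "unknown", servers)
    print(f"coverage: {coverage(OBSERVED_SERVERS, LEAKED_PRIVATE_KEYS):.0%}")

    session_key = 0x6F1A2B3C  # constructed 32-bit stand-in for a per-beacon AES key
    wrapped = beacon_checkin(PUB_A, session_key)  # beacon talking to a key-A server
    print(hex(recover_session_key(PUB_A, wrapped, LEAKED_PRIVATE_KEYS)))
    print(recover_session_key(PUB_C, beacon_checkin(PUB_C, session_key), LEAKED_PRIVATE_KEYS))
```

The script prints which fingerprints are covered by leaked keys, the coverage share (7 of 8 constructed servers), the unwrapped session key for a beacon served by a key-A server, and `None` for the beacon whose server generated its own key pair. A real implementation would hash the actual DER-encoded public key pulled from the beacon configuration and use a proper RSA library with padding; the lookup-then-unwrap logic is the same.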
“That communication is encrypted, even when it goes over HTTPS. I started to develop a few tools to help me with the decryption, but then AES decryption keys are required. These can sometimes be extracted from the process memory of a running beacon, but if the beacon is already killed before IR begins, there is no way to decrypt the traffic (provided it was captured),” Stevens said.
“The private RSA key can also be used to initiate the decryption, but that key is kept hidden away on the C2 server. The beacon contains only the public key. So the private key is out of reach to us incident responders.”
But Stevens’ research and the tool he developed change that, at least for a significant portion of the known rogue Cobalt Strike implementations online, giving incident responders a fighting chance against them. Stevens said he has not yet found a way to determine which malicious actors are using the rogue implementations, unless a specific cracked version of Cobalt Strike can be connected to a specific attack group.
Stevens is continuing the research and plans to release more details of it soon.