Researcher releases CobaltSpam tool for counterattacking Cobalt Strike servers
CobaltSpam allows you to bombard Cobalt Strike servers with fake data about compromised systems.
Security researcher Mario Henkel has published a tool to “flood” cybercriminals’ Cobalt Strike servers with fake beacons to damage internal databases containing information about infected systems.
As the researcher told The Record, the CobaltSpam tool is based on CobaltStrikeParser, a project from the information security company SentinelOne that extracts information from the configuration of Cobalt Strike servers.
Henkel added a loop to the original code that repeatedly contacts the Cobalt Strike server and registers new beacons. The term “beacons” is used in the Cobalt Strike documentation to refer to systems infected with the Cobalt Strike backdoor.
While Cobalt Strike was originally created as a tool for security researchers to conduct penetration testing, over the past few years it has become a huge hit with hackers. Cobalt Strike and another penetration testing tool, Metasploit, have been linked to more than a quarter of malware C&C servers in 2020, according to Intel 471, Proofpoint and Recorded Future.
Henkel created CobaltSpam with the goal of giving defenders a means to retaliate. Having identified a Cobalt Strike server, they can bombard it with fake data so that the attacker cannot distinguish real infections from fake ones.
Since Cobalt Strike is typically used in the early stages of an attack, flooding the server with fake data will prevent the final payload, such as ransomware, info-stealers, or cryptocurrency miners, from launching.
According to Henkel, CobaltSpam is very fast and can generate 1-2 fake beacons per second. Since most Cobalt Strike malware campaigns tend to infect tens to hundreds of victims, servers can be flooded with tens of thousands of fake beacons overnight.