"Knock-knock"

Cobalt Strike takedown likely to make Sliver even more popular

Brute Ratel, Sliver and other alternatives are less well-known and mature than Cobalt Strike but increasingly adopted.

The UK’s National Crime Agency (NCA) has coordinated a global action against “cracked” or illegal versions of Cobalt Strike, a widely used penetration testing suite sold by the company Fortra, but widely pirated.

The NCA said: “Action was taken against 690 individual instances of malicious Cobalt Strike software located at 129 internet service providers in 27 countries…” Some 593 instances were taken down by June 28.

Cobalt Strike is an advanced and highly mature toolkit “specifically designed to create feature-rich backdoors in the matter of seconds” and over the years has improved its ability to disguise malicious payload traffic in target networks, including through integrations with the likes of C3.


The law enforcement move, whilst welcome, is likely to add further momentum to a growing shift amongst threat actors away from Cobalt Strike and towards open source alternatives such as Bishop Fox’s GPL-3.0 licensed “Sliver” (which has also been widely forked on GitHub…)

Brute Ratel, a commercial alternative, also gets cracked and distributed among script kiddies and more serious threat actors alike. It was first seen used in the wild in serious campaigns by a Russian APT in 2022.

But the move by the NCA and its partners will increase the sense amongst threat actors that there are a lot of well-resourced eyes on their activity, and that nation states are looking to become increasingly aggressive in taking down infrastructure hosting or supporting cybercrime-related activities.

In tangentially related news, in 2022 security firm CrowdStrike noted that it saw malware use plummeting because employee credentials were so easy to get hold of: there is no need to launch a sophisticated intrusion campaign when an attacker can simply log in with legitimate credentials, then move laterally, living off the land with native Windows or Linux commands and tools.
