Cobalt Strike still C2 infrastructure of choice
Its utility and ease of use, coupled with explosive growth in ransomware operations, make Cobalt Strike Team Servers the C2 infrastructure of choice for malicious actors
Cobalt Strike Team Servers were the most widely used form of command and control (C2) infrastructure in 2021 by a considerable margin, followed distantly by the likes of Metasploit, Meterpreter, QakBot and TrickBot, with old stalwart Emotet fading away following its takedown, only to experience a resurgence towards the end of the year.
This is according to newly released data collated by Recorded Future’s Insikt Group and shared with Computer Weekly, which reveal a complex but highly informative picture of how malicious actors go about prepping and running their cyber criminal campaigns.
Last year alone, it observed more than 10,000 unique C2 servers across over 80 families, dominated by Cobalt Strike Team Servers and botnet families. Cobalt Strike accounted for 3,691 (23.7%) of the total unique C2 servers detected in the past 12 months – there could be many more that are better obfuscated – followed by Metasploit with 710, QakBot with 571, TrickBot with 468, and Meterpreter with 396. 2021 also saw increased adoption of Mythic, Covenant and Sliver.
Both its vast feature set and its prevalence in legitimate, day-to-day usage account for the continuing dominance of Cobalt Strike infrastructure, according to Greg Lesnewich, principal threat analyst at Recorded Future.
“Cobalt Strike supports all phases of an intrusion via a deep capabilities set from both official and third-party developers and is highly configurable, making it a powerful tool for threat actors and red/purple teamers alike,” said Lesnewich.
“It is so frequently observed in intrusions that its use is almost ubiquitous, making it a bit more difficult to attribute or link activity together.”
The past year was also notable for initial access brokers setting up ready-to-use Cobalt Strike Team Servers and selling them on to clientele, a trend also identified by other researchers at Microsoft and RiskIQ.
The fall, and rise, of Emotet
Turning to botnets specifically, the Insikt Group’s analysis confirmed that the takedown of Emotet on 27 January 2021 left a void in the loader and botnet market which others were quick to fill – notably TrickBot, with 571 C2s observed in the wild by the Insikt Group.
Other botnets taking up the slack were QakBot with 516 C2s detected, Bazar (also written Baza) with 405, Dridex with 383 and IcedID with 332. All of them were seen acting as precursors to ransomware attacks, with TrickBot and Bazar linked to Ryuk and Conti, QakBot favoured by ProLock and DoppelPaymer, Dridex also heavily used in DoppelPaymer attacks, and IcedID linked to Egregor.
The various botnets varied considerably in how many C2 servers they embedded in their configurations: TrickBot samples called back to an average of 20 per configuration, IcedID and Dridex averaged three, and QakBot averaged a massive 142 C2 IP addresses per configuration.
The resurgence of Emotet following its reactivation (initially distributed via TrickBot) was one of the bigger cyber stories of the last few months of 2021. Since November, the Insikt Group has positively identified 40 Emotet C2s derived from samples taken at the beginning and end of 2021, along with a further 45 servers that share patterns Emotet will likely use, at least four of which also host Dridex.
The analysts assess that the creation rate of Emotet infrastructure suggests its operators are intent on recapturing its former “glory”, which may be an entirely feasible goal, according to Lesnewich.
“Given how Emotet has evolved and restarted spamming en masse since it started back up, we believe it is likely for Emotet to be the dominant player in the market,” he said. “This may actually ease the burdens of other malware loaded by Emotet; instead of using multiple distributors or running spamming operations themselves, they can use Emotet’s expertise at getting large amounts of infections, and focus their efforts on later stages of the intrusion.”
He also noted that it was not really possible to assess whether or not the current operators were new, or the same ones who previously ran it.
Geographical indicators
Broken out by geography, the Insikt Group observed C2 infrastructure hosted in 130 countries, with 4,654 servers hosted in the US, 1,949 in China and 629 in Germany. Other leading locations included Hong Kong, Russia, France, Singapore, the Netherlands and the UK. It should be noted, however, that the providers on which abused or malicious servers were found are a very small fraction of the more than 60,000 autonomous system (AS) operators worldwide.
C2 servers were hosted at more than 1,650 providers, with the largest providers also the most abused – 20 AS operators had more than 100 C2 servers detected on them, with Digital Ocean, Choopa (aka The Constant Company) and Amazon the most frequently abused, followed by Alibaba and Tencent, then OVH. It is important to understand that this is no indication or implication of malice on the part of those providers.
“Many global providers take these threats seriously and rapidly take down controllers and malware distribution sites,” said Lesnewich. “What we don’t see in our data is how an actor purchases domains or rents/leases a server IP. It would be difficult for a hosting provider to refuse a paying customer service if they are not using the same details or payment method as a previous customer that hosted malware did.”
However, absolute counts favour the biggest providers. A better indicator of which providers are turning a blind eye to, or knowingly hosting, malicious activity is the percentage of the total servers they host that are identified as C2 infrastructure.
Here, one finds the likes of Media Land, a Russia-based provider that is known to be marketed as a bulletproof hosting provider on the dark web – 5.69% of its hosts are C2 infrastructure. Other such providers include Brazil’s Lider Telecomunicaçoes Eireli, Germany’s Danilenko Artyom and the UK’s International Hosting Solutions.
C2 in ‘22
Looking ahead, the Insikt Group anticipates 2022 will see malicious actors pay more attention to hardening and obfuscating their infrastructure, having learned a hard lesson from the disruption caused to Emotet in 2021. This could include increased reliance on compromised devices, more regular recycling of infrastructure and the use of new, more resilient encryption.
Those using Cobalt Strike will also increasingly take up similar methods, the analysts predict, including filtering out traffic from known internet scanning engines (so that scanners see notably less of this infrastructure) and placing redirectors in front of team servers to mask their true location – this is probably already happening, they said.
The analysts also expect the C2 environment to further diversify this year, with new malware families and C2 frameworks that are “aware” of threat intelligence measures used to detect them. It is therefore likely that threat intel analysts may find their tools less efficacious in the short term, pending a renewed spurt of innovation among the good guys.
Why do this?
The Insikt Group has been tracking the creation and modification of new malicious infrastructure for a huge number of post-exploitation toolkits, malware and open source remote access trojans (RATs), and in the past five years has created detections for 80 families, including RATs, APT malware, botnets and other commodity tools.
This is important because identifying malicious infrastructure, and how it is used, can give defenders a clear edge when it comes to neutralising threats. Before a malicious actor can use a server they must first acquire it, either by compromising it or buying it legitimately, and then go through a setup process during which they inevitably leave digital fingerprints all over the server. Someone who can dust for those prints can therefore detect a malicious server before it has been used in any campaign.
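As an added worked example (not part of the original article, and not Recorded Future's own tooling), the following Python scores a TLS certificate and an HTTP response against long-public default artefacts of an unmodified Cobalt Strike team server: the certificate serial 146473198 and subject CN=Major Cobalt Strike, O=cobaltstrike from the default keystore, the default operator port 50050, and the trailing space in the 404 status line that older team servers (fixed in early 2019) returned for unknown paths. The sample certificate fields and HTTP responses below are constructed, and the scoring weights and threshold are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Public, long-documented defaults of an unmodified Cobalt Strike team server.
# An operator changes all of them with a custom keystore, a malleable C2 profile
# or a redirector in front, so a match is a lead for the analyst, not proof.
DEFAULT_CERT_SERIAL = 146473198            # serial of the default keystore certificate
DEFAULT_CERT_SUBJECT = {"CN": "Major Cobalt Strike", "O": "cobaltstrike"}
DEFAULT_TEAM_SERVER_PORT = 50050           # operator/client port, not beacon traffic
# Older team servers (fixed in early 2019) answered unknown URIs with
# "404 Not Found " followed by a trailing space before the CRLF.
_TRAILING_SPACE_404 = re.compile(rb"^HTTP/1\.1 404 Not Found \r\n")


@dataclass
class Finding:
    """Accumulated score plus the human-readable reasons behind it."""
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def check_certificate(serial: int, subject: Dict[str, str], port: int) -> Finding:
    """Score certificate fields (as printed by openssl x509) against the defaults."""
    f = Finding()
    if serial == DEFAULT_CERT_SERIAL:
        f.add(3, "certificate serial matches the default keystore")
    if all(subject.get(k) == v for k, v in DEFAULT_CERT_SUBJECT.items()):
        f.add(3, "subject CN=Major Cobalt Strike, O=cobaltstrike")
    if port == DEFAULT_TEAM_SERVER_PORT:
        f.add(1, "listening on default team server port 50050")
    return f


def check_http_response(raw: bytes) -> Finding:
    """Score the raw response to a GET for a path the server should not know."""
    f = Finding()
    head, _, body = raw.partition(b"\r\n\r\n")
    if _TRAILING_SPACE_404.match(raw):
        f.add(2, "404 status line carries a trailing space")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # A bare, bodyless 404 with no Server header is weak on its own; it only adds weight.
    if headers.get(b"content-length") == b"0" and not body and b"server" not in headers:
        f.add(1, "empty 404 without a Server header")
    return f


def classify(cert: Finding, http: Finding, threshold: int = 4) -> Tuple[int, str, List[str]]:
    """Combine both findings; the weights and threshold are this example's assumptions."""
    total = cert.score + http.score
    verdict = "likely Cobalt Strike team server" if total >= threshold else "inconclusive"
    return total, verdict, cert.reasons + http.reasons


# Constructed sample inputs (not observed traffic): one unmodified team server
# and one ordinary nginx host with a normal certificate.
SAMPLE_TEAM_SERVER_CERT = {
    "serial": 146473198,
    "subject": {"C": "Earth", "O": "cobaltstrike", "CN": "Major Cobalt Strike"},
    "port": 50050,
}
SAMPLE_TEAM_SERVER_404 = (
    b"HTTP/1.1 404 Not Found \r\n"
    b"Content-Type: text/plain\r\n"
    b"Date: Mon, 10 Jan 2022 09:00:00 GMT\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_NGINX_CERT = {"serial": 0x3A7F12C4, "subject": {"CN": "www.example.com"}, "port": 443}
SAMPLE_NGINX_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 12\r\n\r\n"
    b"<h1>404</h1>"
)

if __name__ == "__main__":
    for label, cert, resp in (
        ("team server", SAMPLE_TEAM_SERVER_CERT, SAMPLE_TEAM_SERVER_404),
        ("nginx", SAMPLE_NGINX_CERT, SAMPLE_NGINX_404),
    ):
        total, verdict, reasons = classify(check_certificate(**cert), check_http_response(resp))
        print(f"{label}: score={total} verdict={verdict} reasons={reasons}")
```

For a real host, feed in the serial and subject from `openssl s_client -connect host:port` piped to `openssl x509 -noout -serial -subject`, and the raw bytes of a `curl -si` to a random path. Every one of these defaults is trivially changed, and a redirector in front of the team server answers the HTTP probe itself, which is exactly the hardening the article predicts for 2022; treat a hit as a pivot point for enrichment rather than a verdict.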
Identifying C2 servers also helps defenders quantify the scale of threat campaigns, and comparing this data with actual incident reports shows how many attacks are being caught and how many are not. Other data gathered, such as the tempo of server creation, brings further insight into pending surges or lulls in activity, and surfaces evidence of novel techniques.