How to Stop Ransomware: Preventing Cobalt Strike Backdoor Breaches

With an annual increase of over 161%, the malicious use of pirated versions of Cobalt Strike (a legitimate penetration testing tool) is skyrocketing. For organizations that still rely on signature-based next-generation antivirus (NGAV) solutions to protect their endpoints against ransomware and other advanced attacks, this is terrible news.

Developed in 2012 to give penetration testers and red teams the ability to deliver hard-to-spot test attacks, Cobalt Strike is designed to be dynamic and evasive. Its purpose is to simulate the delivery and deployment of advanced malware. While these capabilities have made it an invaluable red team tool, malicious operators have hijacked various versions of Cobalt Strike, turning it into a devastating malware delivery platform that can lead to ransomware.

Over the years, we’ve seen cybercriminals use Cobalt Strike to facilitate a range of threats, including attacks on point-of-sale systems. In 2020, 66% of all ransomware attacks used Cobalt Strike. The platform was also used in last year’s SolarWinds attack. With the average ransom now exceeding $240,000 and remediation costs exceeding $4 million, a malicious Cobalt Strike attack can be devastating for any business.

The good news is that Cobalt Strike can’t escape Morphisec’s unique Moving Target Defense (MTD) technology. In this blog post, I’ll explain why Cobalt Strike is so dangerous, why NGAV solutions are unable to stop it, and how MTD can defeat these attacks – with reference to a recent investigation report from a Morphisec client.

Why NGAV solutions fail to stop Cobalt Strike

Looking at a typical Cobalt Strike attack chain, we can see how it slips past standard organizational security checks.

Threat actors use Cobalt Strike to take control of an endpoint or server while maintaining a very small footprint. Compared to installing a third-party remote login service like TeamViewer, Cobalt Strike allows nearly invisible remote access for malicious actors. Attacks using Cobalt Strike can originate from a variety of vectors ranging from phishing emails to known server vulnerabilities and misconfigurations.

The objective of any Cobalt Strike attack is the deployment of a post-exploitation payload, known as a “Beacon”, to a compromised endpoint. While some Cobalt Strike attacks involve dropping executables or DLLs on the targeted endpoint, most work by injecting malicious shellcode into legitimate processes. With Cobalt Strike payloads uniquely generated for specific victims and hidden inside innocent processes and applications, antivirus solutions that rely on recognizable malicious signatures cannot see or stop them.

Because Cobalt Strike shellcode can travel through the named pipes used for inter-process communication on Windows and Unix machines, the malicious shellcode remains invisible even when an antivirus or endpoint detection and response (EDR) solution uses a sandbox, unless that sandbox is configured to emulate named pipes, which is rare.

Although Cobalt Strike is a command and control (C2) framework, meaning attacks rely on attackers establishing communication with clients installed on targeted machines, network traffic analysis is not a reliable way to find and stop Cobalt Strike beacons.

The reason is simple: the way Cobalt Strike traffic leaves the network is highly customizable and can mimic traffic from legitimate applications. This feature of the Cobalt Strike platform, called “Malleable C2”, allows attackers to tailor command and control (C2) traffic to the kind of legitimate traffic likely to come from an uncompromised victim device. As a result, hackers can configure Cobalt Strike to blend in with background noise, making traffic-based detection much more difficult. Critically, the stagers (small programs that download the Beacon payload, possibly in sections) that Cobalt Strike uses primarily deploy in device memory. Therefore, this stage of an attack is completely hidden from antivirus solutions that do not scan device memory.

Once an individual endpoint has been compromised, Cobalt Strike is designed to allow attackers to move laterally within a victim’s network. Integrated with tools like Mimikatz, hackers can then use Cobalt Strike to harvest and exfiltrate credentials and execute commands remotely. All the while, because Cobalt Strike supports named pipe pivoting, only one endpoint needs outbound internet connectivity, able to communicate with the threat actors, for an entire set of compromised machines to be exploited.
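The named-pipe behaviour described above (shellcode passed over pipes, and pivoting through pipes) is exactly what pipe-creation telemetry can surface on the defender's side. The following is an added example, not code from the original post or from Morphisec: it scans constructed log records shaped like Sysmon Event ID 17 (pipe created) and 18 (pipe connected) for the default pipe names Cobalt Strike components use. The name patterns are taken from public Cobalt Strike documentation and threat research and are an assumption to maintain, since Malleable C2 lets operators rename them.

```python
import re

# Default named-pipe patterns for Cobalt Strike components (assumed, adapted
# from public documentation and research). Operators can rename them through
# the Malleable C2 profile, so no match is not a clean bill of health, but a
# match is a strong signal that deserves an immediate look.
DEFAULT_PIPE_PATTERNS = {
    "artifact-kit payload": re.compile(r"^\\MSSE-\d{1,4}-server$", re.I),
    "SMB beacon (pivot)":   re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    "post-ex job (4.2+)":   re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),
    "post-ex job (<4.2)":   re.compile(r"^\\status_[0-9a-f]{2}$", re.I),
}

# Constructed sample records shaped like Sysmon Event ID 17 (pipe created)
# and 18 (pipe connected); real telemetry would be read from the event log.
SAMPLE_EVENTS = """\
17|2021-09-01T08:02:11Z|C:\\Windows\\System32\\svchost.exe|\\ntsvcs
17|2021-09-01T08:02:14Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|\\MSSE-1591-server
18|2021-09-01T08:02:14Z|C:\\Windows\\System32\\rundll32.exe|\\MSSE-1591-server
17|2021-09-01T08:03:40Z|C:\\Windows\\System32\\dllhost.exe|\\msagent_2f
"""

def parse_pipe_events(text):
    """Parse 'EventID|UtcTime|Image|PipeName' lines into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, utc, image, pipe = line.split("|", 3)
        records.append({"event_id": event_id, "utc": utc,
                        "image": image, "pipe": pipe})
    return records

def classify_pipe(pipe_name):
    """Return the Cobalt Strike component a pipe name matches, or None."""
    for label, pattern in DEFAULT_PIPE_PATTERNS.items():
        if pattern.match(pipe_name):
            return label
    return None

def find_suspect_pipes(text):
    """Flag pipe creations (event 17) matching a known default name,
    keeping the creating process image for follow-up triage."""
    hits = []
    for rec in parse_pipe_events(text):
        label = classify_pipe(rec["pipe"])
        if label and rec["event_id"] == "17":
            hits.append({**rec, "component": label})
    return hits
```

Calling find_suspect_pipes(SAMPLE_EVENTS) returns the WINWORD.EXE and dllhost.exe pipe creations, each tagged with the suspected component; the connecting process on event 18 is left for analyst review rather than alerted on separately.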

During our incident response work, we have seen numerous examples of malicious actors exploiting vulnerabilities to allow additional lateral movement during Cobalt Strike attacks. We encountered misconfigured update servers, file storage servers, and even endpoint workstations acting as an exit point for outgoing communications.

On a practical level, Cobalt Strike is also a well-documented and readily available attack platform. This means that using pirated versions of it is relatively simple, even for moderately skilled threat actors.

The above factors make Cobalt Strike a very dangerous threat and one that NGAV solutions, as well as many Endpoint Protection Platforms (EPPs) and EDR products, may not be able to stop.

Moving Target Defense Beats Cobalt Strike

When misused by cybercriminals, Cobalt Strike is a huge threat that most organizations are ill-equipped to defend against. Nevertheless, although Cobalt Strike attacks are highly obfuscated and dynamic, and evade signature-based solutions, stopping them IS STILL POSSIBLE.

Preventing Cobalt Strike attacks without draining resources requires a solution that continuously protects device memory and does not depend on repeated monitoring and analysis.

Proactive and autonomous, Morphisec achieves this with its Moving Target Defense technology. Instead of playing hide and seek with an attack already in progress, our solutions transform device memory, luring and trapping fileless and in-memory attacks like Cobalt Strike before deployment even happens. Critically, Morphisec can do this even for attacks that began before Morphisec was installed. For one of our clients in the financial sector, this capability became evident shortly after they started working with us.

A Cobalt Strike Achievement

Our client, a highly reputable financial institution, quickly and easily installed Morphisec Guard’s lightweight agents on their endpoints. Four months later, Morphisec stopped a Cobalt Strike backdoor, delivered by Gootkit malware on one of the customer’s Windows 10 shared-access endpoints, in an attack that had begun before Morphisec Guard was installed. A few days later, we accessed the device and performed a preliminary analysis of the threat’s persistence.

Here is what we found:

  • Morphisec Guard automatically prevented a persistent Cobalt Strike backdoor that ran every time a user logged into the compromised device. Dormant between login attempts, the backdoor had been in place on our client’s device since early August.
  • Since the attack began several weeks before Morphisec was installed, it was possible that attackers accessed the backdoor before our solution was in place.
  • Although the customer installed several market-leading NGAV solutions, including a suite of network and gateway solutions and an advanced EDR solution, none of them spotted the attack.
  • The backdoor was installed for three months without any signature updates to the customer’s NGAV or EDR solutions. It was only after Morphisec detected, stopped, and shared details about this backdoor with the AV community that other solutions were able to update their signature libraries.

Since the client operates in a highly regulated industry and attackers may have accessed the backdoor between the time of infection and the installation of Morphisec, the client may have had to invest additional resources to estimate the risk created by this security breach. Fortunately, Morphisec also offers a range of on-demand incident response services to help mitigate this risk. These services can be used whenever needed, as well as during deployment of Morphisec’s Moving Target Defense solution.

Ultimately, however, our customer’s experience shows not only that Morphisec’s unique Moving Target Defense technology can prevent Cobalt Strike attacks, but also that our solutions can prevent persistent threats even if an endpoint or server is already compromised. Morphisec takes the features that make Cobalt Strike dangerous, like its obfuscated shellcode, Malleable C2, and lateral movement, and renders them ineffective. In this way, Morphisec can help prevent the serious consequences of a malicious Cobalt Strike attack that can lead to ransomware and other cybercrime damage.
