The ASEC analysis team is monitoring attacks that utilize the Cobalt Strike hacking tool. This article examines the latest Cobalt Strike attacks confirmed since the previous article, which introduced the Cobalt Strike hacking tool itself.
In an attack confirmed on April 23, the Cobalt Strike beacon was found running inside a process launched with the command line shown below. Cobalt Strike threat actors typically pick a legitimate program, launch it with a specific command-line argument, and then inject the actual backdoor (the beacon) into that process so the malicious activity appears to come from a normal process. This is a feature Cobalt Strike itself supports: the operator designates the program to spawn (the spawnto setting in the Malleable C2 profile), and the beacon injects into the spawned process.
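The pattern described above, a benign binary launched with a telltale command line and then injected into by the process that spawned it, can be detected by correlating process-creation telemetry with remote-thread-creation telemetry. The following is an added example written for this article, not code from ASEC or from Cobalt Strike. It assumes Sysmon-style events (Event ID 1 ProcessCreate and Event ID 8 CreateRemoteThread), uses constructed sample records rather than telemetry from the case, and does not reproduce the command line from the attack; the `watchlist` parameter is where an analyst would put it. The rundll32.exe-with-no-arguments check relies on the fact that rundll32.exe is the default spawnto in Cobalt Strike's stock profile.

```python
"""Correlate process-creation and remote-thread events to spot a sacrificial
process: a legitimate binary launched by the beacon's host with a specific
command line and then injected into by that parent."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names loosely follow
# Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread).
SAMPLE_EVENTS = [
    # Dropper spawns rundll32.exe with no arguments (Cobalt Strike's default spawnto).
    {"id": 1, "pid": 4120, "ppid": 3300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    # The parent then creates a remote thread in that child; the start address
    # is not backed by any loaded module, as with injected shellcode.
    {"id": 8, "source_pid": 3300, "target_pid": 4120,
     "start_module": "", "start_function": ""},
    # Legitimate rundll32 use from Explorer, with a DLL and export: must not fire.
    {"id": 1, "pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Child launched with a hypothetical watch-listed command line, then injected into.
    {"id": 1, "pid": 6100, "ppid": 3300, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{EXAMPLE-CLSID}",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    {"id": 8, "source_pid": 3300, "target_pid": 6100,
     "start_module": "", "start_function": ""},
    # Remote thread from an unrelated process with a module-backed start: not this pattern.
    {"id": 8, "source_pid": 1200, "target_pid": 5000,
     "start_module": r"C:\Windows\System32\ntdll.dll", "start_function": "RtlUserThreadStart"},
]


def normalize_cmdline(cmdline: str) -> str:
    """Lower-case, strip surrounding quotes and collapse whitespace for matching."""
    return " ".join(cmdline.strip().strip('"').split()).lower()


def is_bare_rundll32(cmdline: str) -> bool:
    """rundll32.exe launched with no arguments: Cobalt Strike's default spawnto.
    Legitimate launches carry at least a DLL path and an export name."""
    parts = normalize_cmdline(cmdline).split(" ")
    return len(parts) == 1 and parts[0].endswith("rundll32.exe")


def find_sacrificial_processes(events, watchlist=()):
    """Return {pid: [reasons]} for processes that look like injected-into spawnto children.

    `watchlist` holds command lines an analyst has tied to a known profile
    (for example the one observed in the April 23 attack). A suspicious command
    line alone is weak evidence, so a hit requires either the parent injecting
    into the child or a watch-list match."""
    created = {e["pid"]: e for e in events if e["id"] == 1}
    injections = defaultdict(list)
    for e in events:
        if e["id"] == 8:
            injections[e["target_pid"]].append(e)
    watch = {normalize_cmdline(c) for c in watchlist}

    hits = {}
    for pid, proc in created.items():
        reasons = []
        cmd = normalize_cmdline(proc["cmdline"])
        if is_bare_rundll32(cmd):
            reasons.append("rundll32.exe launched with no arguments (default spawnto)")
        if cmd in watch:
            reasons.append("command line matches watch-listed spawnto pattern")
        for inj in injections.get(pid, []):
            if inj["source_pid"] == proc["ppid"]:
                reasons.append("parent created a remote thread in the child it spawned")
                if not inj["start_module"]:
                    reasons.append("remote thread start address not backed by a loaded module")
        injected = any("remote thread" in r for r in reasons)
        if injected or cmd in watch:
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in find_sacrificial_processes(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The correlation key is deliberately narrow: the injecting process must be the one that created the target. That is exactly the relationship the spawn-and-inject workflow produces, and it is absent from most legitimate CreateRemoteThread activity, so the rule stays quiet on ordinary rundll32 and dllhost usage while still catching a sacrificial process whose command line is not yet on the watch list.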