An international law enforcement operation, code-named Operation Morpheus, aimed at combating the criminal abuse of an older, unlicensed version of the Cobalt Strike red teaming tool.
The Cobalt Strike platform was developed for adversary simulations and red team operations and is currently provided by the cybersecurity software company Fortra. In recent years it has also become popular among threat actors, including APT29, FIN7, RYUK, Trickbot and Conti.
“Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools. However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.”
The Microsoft DCU secured a court order in the U.S. to remove cracked versions of Cobalt Strike (which, in the order's wording, “refer to stolen, unlicensed, or otherwise unauthorized versions or copies of the tool”) so they can no longer be used by cybercriminals.
“More specifically, cracked versions of Cobalt Strike allow Defendants to gain control of their victim’s machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware like Conti, LockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat and PlayCrypt, to arrest access to the systems. In essence, Defendants are able to leverage cracked versions of Cobalt Strike to brutally force their way into victim machines and deploy malware,” reads the court order. “Additionally, once the Defendants deploy the malware or ransomware onto computers running Microsoft’s Windows operating system, Defendants are able to execute a series of actions involving abuse of Microsoft’s copyrighted declaring code.”