Google Cloud Platform now automatically detects highly common ransomware dropper


Google Cloud has added new features for customers that protect against nearly all major versions of the widely abused Cobalt Strike penetration testing tool.

Through the release of new open-sourced YARA rules, Google Cloud customers can now benefit from a wide selection of detection signatures for all versions of Cobalt Strike dating back to 2012.

Cobalt Strike is a legitimate, commercial penetration testing tool often used in red team cyber security training exercises.

It’s also widely cracked, shared, and abused by threat actors for intrusion and lateral movement in malicious real-world attacks.

The software suite comes pre-loaded with easy-to-execute hacking tools and is among the most widely used programs to conduct remote access attacks and drop malware payloads.

Google Cloud has added 165 detection signatures to scan more than 300 different Cobalt Strike binaries, which are differentiated by unique JAR files, stagers, templates, and beacons.

“We are releasing to the community a set of open-source YARA rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions,” said Google Cloud in a blog post.

“Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyber attacks, we hope that by disrupting its use we can help protect organisations, their employees, and their customers around the globe.”

Cobalt Strike is used by a wide range of hackers and has featured in ransomware attacks by the likes of Ryuk and BlackCat, as well as in the dropping of the Raspberry Robin worm which, in turn, has been used to drop LockBit and Cl0p ransomware.

Google Cloud’s new YARA rules will help many of its customers automatically detect the use of Cobalt Strike and prevent attacks in their early stages, ideally before damaging malware can be deployed.


These are the latest measures taken by the cloud platform in its ongoing efforts to make the cloud more secure as cyber criminals continue to target the points of greatest value to organisations.

Google Cloud extended its partnership with cyber security company MITRE earlier this year to develop open-sourced queries that aid threat hunting in cloud environments.

Through the release of YARA rules, the initiative aimed to make it easier for customers to proactively look for security threats, replacing what Google Cloud said is usually a complex task that requires deep knowledge of diverse security signals.

The ‘big three’ public cloud provider has also fortified its Chronicle platform this year, first through the February acquisition of Siemplify and again in August with the general availability of new threat detection capabilities.

The company also drew attention to the growing issue of cryptomining in enterprise cloud environments earlier this year.

It said cryptomining was an increasingly popular, financially motivated attack on cloud customers and that, in more than half (58%) of cases, the malware used was installed within 22 seconds of compromising the platform.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.