Recycled Cobalt Strike key pairs show many crooks are using same cloned installation

Around 1,500 Cobalt Strike beacons uploaded to VirusTotal were reusing the same RSA keys from a cracked version of the software, according to a security researcher who pored through the malware repository. The discovery could make blue teams' lives easier by giving them a clue about whether or not Cobalt Strike traffic across …

  1. Version 1.0

    Here's a complete list of unhackable software

    err ...

  2. steviebuk

    This is why...

    ...I was recently told by a software vendor (in their T&C) when testing their new AV to "Not upload their installer to VirusTotal". I thought that was suspicious, so asked why not. Turns out, which I never knew and then confirmed when I looked it up (and it is mentioned in this article), anyone with a specific subscription and verified by VirusTotal can download anything that is submitted to VirusTotal. The AV vendor doesn't want the software contained in the installer getting into the hands of competitors (probably still a poor argument, as if their competitor wanted to do that, they'd just pretend to be a fake customer).

    1. Clausewitz 4.0

      Re: This is why...

      ... Or maybe they just hadn't yet added the anti-debug tricks, obfuscation and encryption to their anti-virus code.

      It used to be surprisingly simple to "patch" AV code in memory in the '90s to avoid samples being scanned. Nowadays, generally speaking, it's a bit harder. With Windows Defender, a bit easier.

  3. Eclectic Man

    Google-owned

    I really must read things more carefully. When I saw "... Google-owned malware repository VirusTotal ..." I wondered what on Earth Google was doing owning malware, and isn't that illegal?

    1. Tomato42

      Re: Google-owned

      Owning malware shouldn't be illegal, just like having knives shouldn't be illegal.

      Using it is a whole different matter.

    2. Anonymous Coward

      Re: Google-owned

      As this article from a few days ago mentions:

      https://www.theregister.com/2021/10/22/russian_crims_lured_youtubers_with/

      there's plenty of malware available on GitHub.

  4. Anonymous Coward

    "buying a legitimate copy to crack wouldn't even register as a cost of doing business"

    No, but unless the company accepts payment in Bitcoin for orders placed over Tor, they risk leaving a paper trail back to the purchaser.
