Recycled Cobalt Strike key pairs show many crooks are using same cloned installation
2021-10-22 16:32

Around 1,500 Cobalt Strike beacons uploaded to VirusTotal were reusing the same RSA keys from a cracked version of the software, according to a security researcher who pored through the malware repository.

Didier Stevens, the researcher with Belgian infosec firm NVISO who discovered that private Cobalt Strike keys are being widely reused by criminals, told The Register: "While fingerprinting Cobalt Strike servers on the internet, we noticed that some public keys appeared often. The fact that there is a reuse of public keys means that there is a reuse of private keys too: a public key and a private key are linked to each other."

Around 25 per cent of Cobalt Strike samples observed by Stevens used a single shared key pair, he said.

Stevens' discovery came about after he searched the Google-owned malware repository VirusTotal for Cobalt Strike key files.

Legitimate installations of Cobalt Strike generate their own RSA key pair on first run of the server software, Stevens told El Reg.

Svajcer added: "The good news is that any Cobalt Strike communication using these known keys can be outright blocked as malicious. However, one could argue that any detected Cobalt Strike communication, even the one using 'legitimate' keys, should be immediately blocked as it indicates a potentially serious breach of a network."
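The approach Stevens describes (fingerprinting beacons and noticing the same public key recurring) and Svajcer's suggestion of blocking traffic that uses known reused keys can be combined into a small triage step. The following is an added example written for this page, not code from NVISO, Cisco Talos or the Cobalt Strike project; the beacon records and the public-key blobs are constructed placeholders standing in for the RSA public key carved out of each sample's embedded configuration, and the thresholds are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample records: (sample_id, c2_host, beacon_public_key).
# The key strings are placeholders, not real RSA keys; in practice the
# value would be the DER/PEM public key extracted from the beacon config.
BEACONS = [
    ("s01", "203.0.113.10", "PUBKEY-cloned-kit-A"),
    ("s02", "203.0.113.11", "PUBKEY-cloned-kit-A"),
    ("s03", "198.51.100.7", "PUBKEY-cloned-kit-A"),
    ("s04", "198.51.100.8", "PUBKEY-unique-1"),
    ("s05", "192.0.2.20",   "PUBKEY-unique-2"),
    ("s06", "192.0.2.21",   "PUBKEY-cloned-kit-B"),
    ("s07", "192.0.2.22",   "PUBKEY-cloned-kit-B"),
    ("s08", "203.0.113.12", "PUBKEY-unique-3"),
]

def fingerprint(pubkey: str) -> str:
    """SHA-256 of the public key bytes; identical keys share a fingerprint."""
    return hashlib.sha256(pubkey.encode()).hexdigest()

def key_reuse_report(beacons, min_samples=2):
    """Group beacons by public-key fingerprint and keep keys seen in at
    least `min_samples` distinct samples. A legitimate install generates
    its own key pair, so a key shared across unrelated samples points to a
    cloned (cracked) installation. Returns a list of
    (fingerprint, sample_count, share_of_corpus, sorted_c2_hosts)."""
    by_key = defaultdict(list)
    for sample_id, host, pubkey in beacons:
        by_key[fingerprint(pubkey)].append((sample_id, host))
    total = len(beacons)
    report = []
    for fp, members in by_key.items():
        if len(members) >= min_samples:
            hosts = sorted({host for _, host in members})
            report.append((fp, len(members), len(members) / total, hosts))
    report.sort(key=lambda row: row[1], reverse=True)
    return report

def blocklist_from_report(report, min_share=0.2):
    """Fingerprints whose share of the corpus meets the (assumed) threshold;
    traffic using one of these keys can be treated as known-malicious."""
    return {fp for fp, _, share, _ in report if share >= min_share}

def uses_blocked_key(pubkey: str, blocklist) -> bool:
    """Check a newly observed beacon's public key against the blocklist."""
    return fingerprint(pubkey) in blocklist
```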


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/22/cobalt_strike_virustotal_key_discovery/