
Cobalt Strike Beacon

Today (12th January '23) a threatening, but ultimately impotent email sender, sent a message to me demanding money (or BitCoin to be precise).  After some thought and investigation I blocked both the user and their domain in my email client and also by using Norton 360.

I am confident that this was both a phishing attempt and blackmail, as some of the claims that the user made about my computer usage, (which they threatened to reveal to my contacts, if I didn't pay up), were patently untrue!

Since the message was rather long, I will only summarise what they said (or claimed), (my comments in parentheses):

  1. They claimed to have access to my devices, which I use for internet browsing - (they didn't actually identify the devices, which you would have thought they would know, as they claimed to have hacked into them!).
  2. They stated that they had bought access to my email accounts from hackers (However, all that they actually did was to send me this rather obnoxious, threatening message!).  Anyone can send spam email to a large number of email addresses without having access to the relevant accounts, which is why I describe this as phishing - they try to get you to respond...!
  3. They claimed to have installed software called Cobalt Strike "Beacon" on all my devices, making the claim that it wasn't hard at all and then (wait for it!) their pompous claim was "All ingenious is simple. :)" (!!). (2 comments: a. Norton Power Eraser found no such software, but they try to make you believe that it can't be detected as "it continuously refreshes the signatures (it is driver-based) and hence remains invisible for antivirus software". This they allege is why it hasn't been detected until the sender told me about it! However, it's far more likely that the software is not on my devices and this is simply their feeble attempt to convince me that "resistance is useless" - to quote the Vogons in "The Hitchhiker's Guide to the Galaxy" (© Douglas Adams). b. So I am left wondering who exactly is being ingenious!?? Clearly NOT the sender of this rather rude, threatening message!!)
  4. The sender claims to have gotten access to all of my devices and content and downloaded all sorts of it.  (Once again, no evidence has been provided that they actually have accomplished this..!).
  5. They then claim that I like to visit porn websites and commit filthy acts which are recorded on videos. (Here they make a completely untrue claim and so 'give the game away'!!  This is proof that all that they have claimed so far is untrue/lies/fabrications).  They threaten to share all of this supposed content with all of my contacts, and so humiliate me.  (Which of course they won't do as it is all made up!!)
  6. What follows is a clear attempt at blackmail; they quote GDPR rules which could result in a heavy fine or arrest.  This is unless I pay the sender 12.5 Bitcoin.  If I do then all the software which they installed on my devices will be deleted.

Clearly most of what the sender has stated is untrue and merely an attempt to blackmail me into parting with money/BitCoin.  All that they really know is my email address (which won't get them very far!). There is no guarantee that they won't try again if I did pay them - which is precisely what I won't do anyway.

How should anyone respond if they receive an email like this? 

  • Block the sender - at both domain and username levels.
  • Don't respond to them - even if only to mock their crazy claims and threats.  They like to know if you are worried about what they have written, so don't give them that pleasure!
  • Don't pay up..!
  • Do share the email with friends, if only to have a good laugh about it.  You may not want to share if their claim about porn is true, but the sender will claim this as it can apply to both guys and girls..
  • Virus check your devices using Norton Power Eraser if applicable or any of the antivirus checks that Norton supply for mobile devices.
  • Do search for topics such as Cobalt Strike "Beacon".  When I did this I saw a response by a Microsoft independent advisor who advised steps such as scanning devices and reporting the originator of the message.
  • Change your email passwords - at regular intervals.  Government departments force users on their systems to change passwords on a monthly basis and then it has to be in approved format and strong..  This was the final bit of patronising, obnoxious advice that the sender wrote that makes sense!!
  • Finally, do share the whole incident on these community forums.

So my questions are:  Is it true that Cobalt Strike "Beacon" can't be detected or is this just a scare tactic? If it can't be detected then is Norton Power Eraser not able to detect it or what?

I am using Norton 360 version on Windows 10 Home

I look forward to any input or replies about this.