A Version of Linux Cobalt Strike Beacon Is Being Used in Ongoing Attacks
This Is an Unofficial Version Created by Unknown Threat Actors from Scratch.
Security researchers discovered an unauthorized Cobalt Strike Beacon Linux version used in attacks against companies all across the world.
Cobalt Strike is a legitimate penetration testing tool created as an attack framework for red teams (security professionals who act as attackers against their own organization’s infrastructure in an attempt to find security flaws and vulnerabilities.)
Cobalt Strike is also used by threat actors for post-exploitation activities after distributing so-called beacons, which allow continuous remote access to compromised devices (often exploited in ransomware campaigns).
Attackers can afterward utilize beacons to connect directly to compromised systems and gather data or distribute further malware payloads.
In time, threat actors obtained and disseminated cracked versions of Cobalt Strike, making it one of the most prevalent tools used in assaults involving data theft and ransomware.
Cobalt Strike has always had a flaw: it only works with Windows devices and does not support Linux beacons.
Researchers describe how threat actors have taken it upon themselves to make their Linux beacons compatible with Cobalt Strike in a new study from security firm Intezer.
The threat actors may now acquire permanence and remote command execution on both Windows and Linux devices by using these beacons.
The Cobalt Strike ELF binary found by Intezer researchers, who first saw the beacon re-implementation in August and called it Vermilion Strike, is currently undetectable by anti-malware solutions.
Vermilion Strike uses the same configuration format as the official Windows beacon and can communicate with all Cobalt Strike servers.
Technical similarities (the same functionality and command-and-control servers) between this new Linux virus and Windows DLL files point to the same creator.
The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files.The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.
Vermilion Strike is apparently able to perform the following tasks once deployed on a compromised Linux system:
- Change working directory
- Get current working directory
- Append/write to file
- Upload file to C2
- Execute command via popen
- Get disk partitions
- List files
Vermilion Strike Attacks Started in August 2021
Intezer identified multiple organizations targeted using Vermilion Strike since August 2021 using telemetry data provided by McAfee Enterprise ATR, ranging from telecom companies and government agencies to IT companies, financial institutions, and consultancy firms around the world.
Vermilion Strike isn’t the first or only conversion of Cobalt Strike’s Beacon to Linux, as geacon, an open-source Go-based equivalent, has been publicly accessible for the last two years.
This is the first Linux implementation that has been utilized for genuine assaults.
The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor.