An unofficial Linux version of the Cobalt Strike Beacon, written from scratch by unknown threat actors, has been spotted by security researchers while being actively used in attacks targeting organizations worldwide.
Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams (groups of security professionals who act as attackers on their own organization's infrastructure to find security gaps and vulnerabilities).
Cobalt Strike is also used by threat actors (it is commonly dropped in ransomware attacks) for post-exploitation tasks after deploying so-called beacons, which provide persistent remote access to compromised devices. Using beacons, attackers can later return to breached servers to harvest data or deploy additional malware payloads.
Over time, cracked copies of Cobalt Strike have been obtained and shared by threat actors, making it one of the most common tools seen in cyberattacks that lead to data theft and ransomware. However, Cobalt Strike has always had one limitation from an attacker's point of view: it only supports Windows targets and does not ship Linux beacons.
In a new report by security firm Intezer, researchers explain how threat actors have taken it upon themselves to create their own Linux beacons compatible with Cobalt Strike. Using these beacons, threat actors can now gain persistence and remote command execution on both Windows and Linux machines.
Fully undetected on VirusTotal
Intezer researchers, who first spotted the beacon re-implementation in August and dubbed it Vermilion Strike, said that the Cobalt Strike ELF binary [VirusTotal] they discovered was, at the time of the report, not detected by any anti-malware engine.
Vermilion Strike uses the same configuration format as the official Windows beacon and can talk to any Cobalt Strike team server, but it does not reuse any of Cobalt Strike's code.
This new Linux malware also shares technical overlaps (the same functionality and the same command-and-control servers) with Windows DLL files, hinting at a common developer behind both.
“The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files,” Intezer said.
“The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.”
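Because Vermilion Strike keeps the official Beacon configuration format, the same config-extraction logic defenders already use on Windows Beacon samples applies to the ELF. The following is an added example written for this page, not code from the article, from Intezer, or from Cobalt Strike: it builds a constructed Beacon-style config block, embeds it in filler bytes, and recovers it the way public Beacon config parsers do. The layout used here (big-endian index/type/length TLV entries, type codes 1/2/3 for short/int/data, single-byte XOR keys 0x69 and 0x2e, a zero entry as terminator) is taken from those public parsers and is not described in the article; the setting-name table is a small subset, and the C2 address, user agent, and all other values are constructed sample data.

```python
import struct

# Single-byte XOR keys Beacon uses to obfuscate its embedded config
# (0x69 in 3.x builds, 0x2e in 4.x builds), as used by public config parsers.
XOR_KEYS = (0x69, 0x2e)

# TLV value types used in the config block.
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

# Subset of setting indices, taken from public Beacon config parsers.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
    5: "Jitter", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
    10: "HttpPostUri", 37: "SpawnTo",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}

# Every config starts with setting 1 (BeaconType), a 2-byte short,
# so its XORed header is the needle to scan a binary for.
SIGNATURE = struct.pack(">HHH", 1, TYPE_SHORT, 2)


def xor(data, key):
    return bytes(b ^ key for b in data)


def encode_config(settings, key):
    """Build and obfuscate a Beacon-style config block.

    settings: iterable of (index, type, value[, padded_size]) tuples.
    Only used here to construct sample input for the parser below.
    """
    out = bytearray()
    for entry in settings:
        idx, typ, val = entry[:3]
        if typ == TYPE_SHORT:
            data = struct.pack(">H", val)
        elif typ == TYPE_INT:
            data = struct.pack(">I", val)
        else:
            size = entry[3] if len(entry) > 3 else len(val)
            data = val.ljust(size, b"\x00")   # fixed-size, NUL-padded field
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    out += b"\x00" * 6          # zero entry terminates the block
    return xor(out, key)


def parse_tlv(data):
    """Decode an already de-obfuscated TLV block into a settings dict."""
    cfg = {}
    off = 0
    while off + 6 <= len(data):
        idx, typ, length = struct.unpack_from(">HHH", data, off)
        off += 6
        if idx == 0:            # terminator entry
            break
        raw = data[off:off + length]
        off += length
        if len(raw) != length:  # truncated or corrupt block: stop, keep what we have
            break
        if typ == TYPE_SHORT and length == 2:
            val = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            val = struct.unpack(">I", raw)[0]
        else:
            val = raw.rstrip(b"\x00")
            if idx != 7:        # PublicKey is binary; other data fields are text
                val = val.decode("ascii", errors="replace")
        if idx == 1:
            val = BEACON_TYPES.get(val, val)
        cfg[SETTING_NAMES.get(idx, f"Setting{idx}")] = val
    return cfg


def extract_config(blob):
    """Find and decode a Beacon config anywhere in a binary.

    Returns (xor_key, settings) or None if no config signature is found.
    """
    for key in XOR_KEYS:
        pos = blob.find(xor(SIGNATURE, key))
        if pos != -1:
            return key, parse_tlv(xor(blob[pos:], key))
    return None


# Constructed sample: an ELF-like prefix, filler bytes, a 4.x-keyed config
# with a documentation-range C2 address, then trailing padding.
SAMPLE_SETTINGS = [
    (1, TYPE_SHORT, 8),                                          # HTTPS beacon
    (2, TYPE_SHORT, 443),                                        # port
    (3, TYPE_INT, 60000),                                        # sleep, ms
    (5, TYPE_SHORT, 20),                                         # jitter, %
    (8, TYPE_DATA, b"203.0.113.10,/jquery-3.3.1.min.js", 256),  # C2Server
    (9, TYPE_DATA, b"Mozilla/5.0 (X11; Linux x86_64)", 128),    # UserAgent
]
CONSTRUCTED_SAMPLE = (b"\x7fELF" + bytes(range(256))
                      + encode_config(SAMPLE_SETTINGS, 0x2e) + b"\x00" * 64)

if __name__ == "__main__":
    found = extract_config(CONSTRUCTED_SAMPLE)
    if found is None:
        print("no Beacon config signature found")
    else:
        key, cfg = found
        print(f"xor key 0x{key:02x}")
        for name, value in cfg.items():
            print(f"  {name:12} {value}")
```

On a real sample you would read the file bytes and pass them to `extract_config`; the XOR key it reports tells you whether the builder was a 3.x or 4.x release, and the C2Server, Port, and BeaconType values are the ones to feed into blocking and hunting regardless of whether the carrier was a PE or an ELF.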
Vermilion Strike can perform the following tasks once deployed on a compromised Linux system:
- Change working directory
- Get current working directory
- Append/write to file
- Upload file to C2
- Execute command via popen
- Get disk partitions
- List files
Deployed in ongoing attacks since August
Using telemetry data provided by McAfee Enterprise ATR, Intezer also found multiple organizations targeted with Vermilion Strike since August 2021, spanning industry sectors from telecom companies and government agencies to IT companies, financial institutions, and advisory firms worldwide.
It is also worth mentioning that Vermilion Strike is not the first or only port of Cobalt Strike's Beacon to Linux: geacon, an open-source Go-based implementation, has been publicly available for the last two years.
However, as Intezer told BleepingComputer, “this is the first Linux implementation that has been used for real attacks.” Unfortunately, there is no information on the initial attack vector the attackers use to reach the Linux systems they target.
“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer concluded.