Pierluigi Paganini September 14, 2021

Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild.

Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt Strike Beacon and are actively using them in attacks aimed at organizations worldwide.Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams (groups of security professionals who act as attackers on their own org’s infrastructure to discover security gaps and vulnerabilities.)

The Linux versions of the commercial post-exploitation tool was codenamed Vermilion Strike and according to Intezer researchers, that spotted it, is it fully undetected by vendors.

“In August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which we named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files.” reads the analysis published by Intezer,

Intezer researchers reported that the Linux variant has been active in the wild since August, threat actors used it in attacks against telecom companies, government agencies, IT companies, financial institutions and advisory companies. 

The sample analyzed by the researchers was uploaded to VirusTotal from Malaysia and has a zero-rate detection in the platform at the time of this writing.

Researchers believe that Vermillon Strike was used in highly targeted attacks.

The technical analysis revealed that the ELF file uploaded on VisurTotal shares strings with Cobalt Strike samples and could be detected as malicious by using YARA rules for Cobalt Strike. The file is built on a Red Hat Linux distribution.

“It uses OpenSSL via dynamic linking. The shared object names for OpenSSL on Red Hat-based distributions are different from other Linux distributions. Because of this, it can only run on machines with Linux distribution based on Red Hat’s code base.” continues the analysis.

Upon installing the sample, the malware will run in the background using daemon and decrypt the configuration necessary for the beacon to function. The malware connects C2 primarily over DNS, to avoid detection, but it is also able to use HTTP.

“Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterparts due to reasons discussed in Why we Should be Paying More Attention to Linux Threats.” concludes the analysis. “Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon. Another example is the open-source project geacon, a Go-based implementation. Vermilion Strike may not be the last Linux implementation of Beacon.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Cobalt Strike)

[adrotate banner=”5″]

[adrotate banner=”13″]