IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers develop Linux port of Cobalt Strike for new attacks

The modified version of the penetration testing toolkit can evade malware detection

Cyber criminals have developed a Linux port of the Cobalt Strike penetration testing tool that has been dubbed Vermilion Strike, security researchers have discovered.

The tool has been developed from scratch to avoid detection from malware scanners.

According to a report published by cloud security firm Intezer Labs, researchers last month discovered a fully undetected ELF implementation of Cobalt Strike’s beacon. The malware used Cobalt Strike’s Command and Control (C2) protocol when communicating to its C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files. 

Cobalt Strike is a legitimate penetration testing tool used by security teams to discover vulnerabilities within their organization.

Researchers warned that the malware is completely undetected in VirusTotal and was uploaded from Malaysia. Intezer researchers Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said that this Linux threat has been active in the wild since August, predominantly targeting telecom companies, government agencies, IT companies, financial institutions, and advisory companies around the world.

They added that the targeting was limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMFree download

Further analysis found Windows samples, using the same C2 server, which were also re-implementations of Cobalt Strike Beacon. Both Windows and Linux samples share the same functionalities. Once deployed, the malware can carry out tasks on a compromised Linux system such as changing working directory, getting the current working directory, appending/writing to file, uploading files to a C2 server, and more.

“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” the researchers said, adding that Vermilion Strike and other Linux threats remain a constant threat. 

“The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterpart,” said researchers.

The rsearchers added that Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon and gave another example as the open source project geacon, a Go-based implementation. 

“Vermilion Strike may not be the last Linux implementation of Beacon,” they warned.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Facilitating Fintech
Whitepaper

Facilitating Fintech

5 Oct 2022
Best security systems for business
cyber security

Best security systems for business

4 Oct 2022
Frontpoint review
cyber security

Frontpoint review

4 Oct 2022
Vivint review
cyber security

Vivint review

4 Oct 2022

Most Popular

Vodafone UK confirms talks to merge with Three are underway
mergers and acquisitions

Vodafone UK confirms talks to merge with Three are underway

3 Oct 2022
BT's new platform promises to slash AI development time from months to days
artificial intelligence (AI)

BT's new platform promises to slash AI development time from months to days

3 Oct 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022