Hackers develop Linux port of Cobalt Strike for new attacks
The modified version of the penetration testing toolkit can evade malware detection
The tool has been developed from scratch to avoid detection by malware scanners.
According to a report published by cloud security firm Intezer Labs, researchers last month discovered a fully undetected ELF implementation of Cobalt Strike’s beacon. The malware used Cobalt Strike’s Command and Control (C2) protocol when communicating with its C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files.
Cobalt Strike is a legitimate penetration testing tool used by security teams to discover vulnerabilities within their organization.
Researchers warned that the malware is completely undetected in VirusTotal and was uploaded from Malaysia. Intezer researchers Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said that this Linux threat has been active in the wild since August, predominantly targeting telecom companies, government agencies, IT companies, financial institutions, and advisory companies around the world.
They added that the targeting was limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.
Further analysis found Windows samples, using the same C2 server, which were also re-implementations of Cobalt Strike Beacon. Both Windows and Linux samples share the same functionalities. Once deployed, the malware can carry out tasks on a compromised Linux system such as changing working directory, getting the current working directory, appending/writing to file, uploading files to a C2 server, and more.
“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” the researchers said, adding that Vermilion Strike and other Linux threats remain a constant threat.
“The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterpart,” said researchers.
The researchers added that Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon, citing the open source project geacon, a Go-based implementation, as another example.
“Vermilion Strike may not be the last Linux implementation of Beacon,” they warned.