Hackers develop Linux port of Cobalt Strike for new attacks

The modified version of the penetration testing toolkit can evade malware detection

Cyber criminals have developed a Linux port of the Cobalt Strike penetration testing tool that has been dubbed Vermilion Strike, security researchers have discovered.

The tool has been developed from scratch to avoid detection from malware scanners.

According to a report published by cloud security firm Intezer Labs, researchers last month discovered a fully undetected ELF implementation of Cobalt Strike’s beacon. The malware used Cobalt Strike’s Command and Control (C2) protocol when communicating to its C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files. 

Cobalt Strike is a legitimate penetration testing tool used by security teams to discover vulnerabilities within their organization.

Researchers warned that the malware is completely undetected in VirusTotal and was uploaded from Malaysia. Intezer researchers Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said that this Linux threat has been active in the wild since August, predominantly targeting telecom companies, government agencies, IT companies, financial institutions, and advisory companies around the world.

They added that the targeting was limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMFree download

Further analysis found Windows samples, using the same C2 server, which were also re-implementations of Cobalt Strike Beacon. Both Windows and Linux samples share the same functionalities. Once deployed, the malware can carry out tasks on a compromised Linux system such as changing working directory, getting the current working directory, appending/writing to file, uploading files to a C2 server, and more.

“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” the researchers said, adding that Vermilion Strike and other Linux threats remain a constant threat. 

“The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterpart,” said researchers.

The rsearchers added that Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon and gave another example as the open source project geacon, a Go-based implementation. 

“Vermilion Strike may not be the last Linux implementation of Beacon,” they warned.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022