Hackers develop Linux port of Cobalt Strike for new attacks

Malware represented by red and blue digital binary code
(Image credit: Shutterstock)

Cyber criminals have developed a Linux port of the Cobalt Strike penetration testing tool that has been dubbed Vermilion Strike, security researchers have discovered.

The tool has been developed from scratch to avoid detection from malware scanners.

According to a report published by cloud security firm Intezer Labs, researchers last month discovered a fully undetected ELF implementation of Cobalt Strike’s beacon. The malware used Cobalt Strike’s Command and Control (C2) protocol when communicating to its C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files.

Cobalt Strike is a legitimate penetration testing tool used by security teams to discover vulnerabilities within their organization.

Researchers warned that the malware is completely undetected in VirusTotal and was uploaded from Malaysia. Intezer researchers Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said that this Linux threat has been active in the wild since August, predominantly targeting telecom companies, government agencies, IT companies, financial institutions, and advisory companies around the world.

They added that the targeting was limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.


X-Force Threat Intelligence Index

Top security threats and recommendations for resilience


Further analysis found Windows samples, using the same C2 server, which were also re-implementations of Cobalt Strike Beacon. Both Windows and Linux samples share the same functionalities. Once deployed, the malware can carry out tasks on a compromised Linux system such as changing working directory, getting the current working directory, appending/writing to file, uploading files to a C2 server, and more.

“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” the researchers said, adding that Vermilion Strike and other Linux threats remain a constant threat.

“The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterpart,” said researchers.

The rsearchers added that Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon and gave another example as the open source project geacon, a Go-based implementation.

“Vermilion Strike may not be the last Linux implementation of Beacon,” they warned.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.