Hackers develop Cobalt Strike Linux port for further attacks
Cybercriminals have developed a Linux port of the Cobalt Strike penetration testing tool that has been dubbed Vermilion Strike, security researchers have found.
The tool was developed from scratch to avoid detection by malware scanners.
According to a report released by cloud security firm Intezer Labs, researchers last month discovered a completely undetected ELF implementation of the Cobalt Strike beacon. The malware used Cobalt Strike’s Command and Control (C2) protocol when communicating with its C2 server and has remote access capabilities such as downloading files, executing shell commands, and writing to files.
Cobalt Strike is a legitimate penetration testing tool used by security teams to discover vulnerabilities within their organization.
Researchers warned that the malware was completely undetected in VirusTotal and had been uploaded from Malaysia. Intezer researchers Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said this Linux threat has been active in the wild since August, primarily targeting telecommunications companies, government agencies, IT companies, financial institutions and advisory companies around the world.
They added that the targeting was limited in scope, suggesting that this malware is used in specific attacks rather than mass spread.
Further analysis found Windows samples using the same C2 server, which were also reimplementations of Cobalt Strike Beacon. The Windows and Linux samples share the same functionality. Once deployed, the malware can perform tasks on a compromised Linux system, such as changing the working directory, getting the current working directory, appending to or writing to a file, and uploading files to a C2 server.
“The sophistication of this threat, its intention to carry out espionage, the fact that the code has never been seen before in other attacks, and the fact that it targets specific entities in the wild suggest that this threat was developed by a skilled threat actor,” the researchers said, adding that Vermilion Strike and other Linux threats remain a constant danger.
“The predominance of Linux servers in the cloud and its continued growth is prompting APTs to modify their tools to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterparts,” the researchers said.
The researchers added that Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon, citing the open source project geacon, a Go-based implementation, as another example.
“Vermilion Strike may not be Beacon’s latest Linux implementation,” they warned.