Hackers create Cobalt Strike Beacon for Linux

Experts from Intezer Lab discovered Vermilion Strike, a Linux-adapted variation of Cobalt Strike Beacon that hackers are already using in attacks against organizations around the world.

Cobalt Strike is a legitimate commercial tool created for pentesters and red teams, focused on exploitation and post-exploitation. Ongelukkig, it has long been loved by hackers, from government APT groups to ransomware operators.

Although it is not available to ordinary users and the full version is priced at about $ 3,500 per install, attackers still find ways to use it (byvoorbeeld, relying on old, pirated, jailbroken and unregistered versions). Dus, according to Intel 471, Proofpoint en Opgeneem Toekoms, Cobalt Strike has been hacked and pirated more than once in recent years. The researchers also calculated that in 2020, Cobalt Strike and Metasploit were present on 25% of the control servers of various hack groups.

Typically, criminals use Cobalt Strike for post-exploitation, after deploying so-called “beacons” that provide persistent remote access to compromised devices. Using beacons, hackers can gain access to compromised systems to collect data or deploy additional malware.

Egter, from a criminals’ point of view, Cobalt Strike has always had one flaw. The point is that it only supports Windows, not Linux. But, judging by the Intezer Lab report, this has now changed.

For the first time, researchers noticed a new implementation of the lighthouse in August of this year and gave this phenomenon the name Vermilion Strike. The company emphasizes that the Cobalt Strike ELF binary has not yet been detected by antivirus solutions.

Cobalt Strike ELF binary has not yet been detected

Basically, Vermilion Strike uses the same configuration format as Windows Beacon, it can communicate with all Cobalt Strike servers, however it does not use Cobalt Strike code. Worse, experts believe that the same developer rewrote the original Windows beacon to better avoid detection.
Once deployed on a compromised system, Vermilion Strike is capable of performing the following tasks:

  1. change the working directory;
  2. get the current working directory;
  3. attach / write to file;
  4. upload the file to the command and control server;
  5. execute the command via popen;
  6. get disk partitions;
  7. get a list of files.

Using telemetry provided by McAfee Enterprise ATR, the researchers figured out that Vermilion Strike has been used for attacks since August 2021. Criminals target a wide variety of companies and organizations, from telecoms and government agencies to IT companies, financial institutions and consulting firms around the world.

The sophistication of these attackers, their intent to engage in espionage, and the fact that this code has not previously been used in other attacks and was targeted at specific organizations, leads us to assume that this threat was created by an experienced attacker.Intezer Lab analysts said.

Laat ek jou herinner dat ons ook gepraat het oor die feit dat BIOPASS malware uses OBS Studio streaming software to record victim screens.

Helga Smith

Ek het altyd in rekenaarwetenskap belanggestel, veral datasekuriteit en die tema, wat deesdae genoem word "data wetenskap", sedert my vroeë tienerjare. Voordat u as hoofredakteur in die virusverwyderingspan kom, Ek het as 'n kuberveiligheidskenner in verskeie maatskappye gewerk, insluitend een van Amazon se kontrakteurs. Nog 'n ervaring: Ek het onderrig in Arden en Reading universiteite.

Los 'n antwoord

Hierdie webwerf gebruik Akismet om strooipos te verminder. Leer hoe jou opmerkingdata verwerk word.

Terug na bo-knoppie