Hackers create Cobalt Strike Beacon for Linux

Experts from Intezer Lab discovered Vermilion Strike, a Linux-adapted variation of Cobalt Strike Beacon that hackers are already using in attacks against organizations around the world.

Cobalt Strike is a legitimate commercial tool created for pentesters and red teams, focused on exploitation and post-exploitation. за жалост, it has long been loved by hackers, from government APT groups to ransomware operators.

Although it is not available to ordinary users and the full version is priced at about $ 3,500 per install, attackers still find ways to use it (например, relying on old, pirated, jailbroken and unregistered versions). Така, according to Intel 471, Proofpoint и Recorded Future, Cobalt Strike has been hacked and pirated more than once in recent years. The researchers also calculated that in 2020, Cobalt Strike and Metasploit were present on 25% of the control servers of various hack groups.

Типично, criminals use Cobalt Strike for post-exploitation, after deploying so-called “beacons” that provide persistent remote access to compromised devices. Using beacons, hackers can gain access to compromised systems to collect data or deploy additional malware.

въпреки това, from a criminals’ point of view, Cobalt Strike has always had one flaw. The point is that it only supports Windows, not Linux. But, judging by the Intezer Lab report, this has now changed.

For the first time, researchers noticed a new implementation of the lighthouse in August of this year and gave this phenomenon the name Vermilion Strike. The company emphasizes that the Cobalt Strike ELF binary has not yet been detected by antivirus solutions.

Basically, Vermilion Strike uses the same configuration format as Windows Beacon, it can communicate with all Cobalt Strike servers, however it does not use Cobalt Strike code. Worse, experts believe that the same developer rewrote the original Windows beacon to better avoid detection.
Once deployed on a compromised system, Vermilion Strike is capable of performing the following tasks:

1. change the working directory;
2. get the current working directory;
3. attach / write to file;
4. upload the file to the command and control server;
5. execute the command via popen;
6. get disk partitions;
7. get a list of files.

Using telemetry provided by McAfee Enterprise ATR, the researchers figured out that Vermilion Strike has been used for attacks since August 2021. Criminals target a wide variety of companies and organizations, from telecoms and government agencies to IT companies, financial institutions and consulting firms around the world.

Let me remind you that we also talked about the fact that BIOPASS malware uses OBS Studio streaming software to record victim screens.