Hackers create Cobalt Strike Beacon for Linux

Helga SmithSeptember 14, 2021Terakhir Diperbarui: September 18, 2021
344 2 menit dibaca

Experts from Intezer Lab discovered Vermilion Strike, a Linux-adapted variation of Cobalt Strike Beacon that hackers are already using in attacks against organizations around the world.

Cobalt Strike is a legitimate commercial tool created for pentesters and red teams, focused on exploitation and post-exploitation. Sayangnya, it has long been loved by hackers, from government APT groups to ransomware operators.

Although it is not available to ordinary users and the full version is priced at about $ 3,500 per install, attackers still find ways to use it (Misalnya, relying on old, pirated, jailbroken and unregistered versions). Jadi, according to Intel 471, Proofpoint Dan Recorded Future, Cobalt Strike has been hacked and pirated more than once in recent years. The researchers also calculated that in 2020, Cobalt Strike and Metasploit were present on 25% of the control servers of various hack groups.

Khas, criminals use Cobalt Strike for post-exploitation, after deploying so-called “beacons” that provide persistent remote access to compromised devices. Using beacons, hackers can gain access to compromised systems to collect data or deploy additional malware.

Namun, from a criminals’ point of view, Cobalt Strike has always had one flaw. The point is that it only supports Windows, not Linux. But, judging by the Intezer Lab report, this has now changed.

For the first time, researchers noticed a new implementation of the lighthouse in August of this year and gave this phenomenon the name Vermilion Strike. The company emphasizes that the Cobalt Strike ELF binary has not yet been detected by antivirus solutions.

Cobalt Strike ELF binary has not yet been detected

Basically, Vermilion Strike uses the same configuration format as Windows Beacon, it can communicate with all Cobalt Strike servers, however it does not use Cobalt Strike code. Worse, experts believe that the same developer rewrote the original Windows beacon to better avoid detection.
Once deployed on a compromised system, Vermilion Strike is capable of performing the following tasks:

  1. change the working directory;
  2. get the current working directory;
  3. attach / write to file;
  4. upload the file to the command and control server;
  5. execute the command via popen;
  6. get disk partitions;
  7. get a list of files.

Using telemetry provided by McAfee Enterprise ATR, the researchers figured out that Vermilion Strike has been used for attacks since August 2021. Criminals target a wide variety of companies and organizations, from telecoms and government agencies to IT companies, financial institutions and consulting firms around the world.

The sophistication of these attackers, their intent to engage in espionage, and the fact that this code has not previously been used in other attacks and was targeted at specific organizations, leads us to assume that this threat was created by an experienced attacker.Intezer Lab analysts said.

Izinkan saya mengingatkan Anda bahwa kita juga membicarakan fakta itu BIOPASS malware uses OBS Studio streaming software to record victim screens.

Tag
Helga SmithSeptember 14, 2021Terakhir Diperbarui: September 18, 2021
344 2 menit dibaca

Helga Smith

Saya selalu tertarik pada ilmu komputer, terutama keamanan data dan tema, yang disebut saat ini "ilmu data", sejak remaja awal saya. Sebelum masuk ke tim Penghapusan Virus sebagai Pemimpin Redaksi, Saya bekerja sebagai pakar keamanan siber di beberapa perusahaan, termasuk salah satu kontraktor Amazon. Pengalaman lain: Yang saya dapatkan adalah mengajar di universitas Arden dan Reading.

Tinggalkan Balasan

Situs ini menggunakan Akismet untuk mengurangi spam. Pelajari bagaimana data komentar Anda diproses.

Tombol kembali ke atas