Hackers create Cobalt Strike Beacon for Linux

Experts from Intezer Lab discovered Vermilion Strike, a Linux-adapted variation of Cobalt Strike Beacon that hackers are already using in attacks against organizations around the world.

Cobalt Strike is a legitimate commercial tool created for pentesters and red teams, focused on exploitation and post-exploitation. 不幸, it has long been loved by hackers, from government APT groups to ransomware operators.

Although it is not available to ordinary users and the full version is priced at about $ 3,500 per install, attackers still find ways to use it (例如, relying on old, pirated, jailbroken and unregistered versions). 所以, according to Intel 471, ProofpointRecorded Future, Cobalt Strike has been hacked and pirated more than once in recent years. The researchers also calculated that in 2020, Cobalt Strike and Metasploit were present on 25% of the control servers of various hack groups.

通常, criminals use Cobalt Strike for post-exploitation, after deploying so-called “beacons” that provide persistent remote access to compromised devices. Using beacons, hackers can gain access to compromised systems to collect data or deploy additional malware.

然而, from a criminals’ point of view, Cobalt Strike has always had one flaw. The point is that it only supports Windows, not Linux. But, judging by the Intezer Lab report, this has now changed.

For the first time, researchers noticed a new implementation of the lighthouse in August of this year and gave this phenomenon the name Vermilion Strike. The company emphasizes that the Cobalt Strike ELF binary has not yet been detected by antivirus solutions.

Cobalt Strike ELF binary has not yet been detected

Basically, Vermilion Strike uses the same configuration format as Windows Beacon, it can communicate with all Cobalt Strike servers, however it does not use Cobalt Strike code. Worse, experts believe that the same developer rewrote the original Windows beacon to better avoid detection.
Once deployed on a compromised system, Vermilion Strike is capable of performing the following tasks:

  1. change the working directory;
  2. get the current working directory;
  3. attach / write to file;
  4. upload the file to the command and control server;
  5. execute the command via popen;
  6. get disk partitions;
  7. get a list of files.

Using telemetry provided by McAfee Enterprise ATR, the researchers figured out that Vermilion Strike has been used for attacks since August 2021. Criminals target a wide variety of companies and organizations, from telecoms and government agencies to IT companies, financial institutions and consulting firms around the world.

The sophistication of these attackers, their intent to engage in espionage, and the fact that this code has not previously been used in other attacks and was targeted at specific organizations, leads us to assume that this threat was created by an experienced attacker.Intezer Lab analysts said.

Let me remind you that we also talked about the fact that BIOPASS malware uses OBS Studio streaming software to record victim screens.

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕