Linux Version of Cobalt Strike Malware Targets Organization Worldwide

The cybersecurity researchers have recently detected a Linux and Windows re-implementation of Cobalt Strike Beacon that has an eye to target the government, telecommunications, information technology, and financial institutions.

Cobalt Strike is a true penetration testing tool that is specifically created as an attack framework for red teams. However, in August 2021, the researchers at Intezer has found a fully undetected ELF implementation of Cobalt Strike’s beacon, which has been named Vermilion Strike. 


As per the reports, the Vermilion generally uses Cobalt Strike’s Command and Control (C2) protocol while talking to the C2 server and it also has Remote Access abilities like uploading files, running shell commands, and drafting to files. 

Linux File & Initialization

Cobalt Strike‘s file was uploaded to VirusTotal from Malaysia and after a proper investigation, the security analysts came to know that there were no detections in VirusTotal noted at that time. 

Not only this but this particular file shares strings with earlier seen Cobalt Strike samples and at the same time it triggers a number of YARA rules which generally detect encoded Cobalt Strike configurations.

Apart from all these, there is some sample that starts by binding itself to run in the background just sing daemon. However, the key 0x69 is quite a common value that is generally used in Cobalt Strike’s encrypted configuration.

But the experts pronounced that the Vermilion Strike’s configuration format is the same as Cobalt Strike, and the tools that were used for excerpting Cobalt Strike configurations can also be utilized to elicit Vermilion Strike configuration.

Fully Undetected in VirusTotal

The Vermilion Strike of the Cobalt Strike ELF binary that has been detected is currently fully undetected by anti-malware solutions.

Not only this but this new Linux malware also has the features of technical overlaps along with Windows DLL files that are continuously hinting at the same developer.

Tasks That the Beacon can Perform

Here’s the list of tasks that the beacon can perform or execute mentioned below:-

  • Change working directory
  • Get current working directory
  • Append/write to file
  • Upload file to C2
  • Execute command via popen
  • Get disk partitions
  • List files

This kind of threat remains a constant threat, and the researchers claimed that the predominance of Linux servers in the cloud and its continued increase invites APTs to adjust their toolsets so that they can navigate the existing environment.

Moreover, they also affirmed that this is the first Linux implementation that has been applied for real attacks. But, unfortunately, there is no specific information on the original attack vector that the threat actors use to target Linux systems.

Found this article interesting!! Follow us on LinkedinTwitterFacebook for daily Cyber Security News & Updates

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.