Linux Version of Cobalt Strike Malware Targets Organization Worldwide

Cybersecurity researchers have recently detected a Linux and Windows re-implementation of Cobalt Strike Beacon that targets government, telecommunications, information technology, and financial institutions.

Cobalt Strike is a legitimate penetration testing tool created as an attack framework for red teams. However, in August 2021, researchers at Intezer found a fully undetected ELF implementation of Cobalt Strike's beacon, which they named Vermilion Strike.

According to the report, Vermilion Strike uses Cobalt Strike's Command and Control (C2) protocol when communicating with the C2 server, and it has remote-access capabilities such as uploading files, running shell commands, and writing to files.

Linux File & Initialization

The Vermilion Strike ELF file (the Linux re-implementation of Cobalt Strike's beacon) was uploaded to VirusTotal from Malaysia, and after investigation the security analysts found that it had no detections in VirusTotal at that time.

The file also shares strings with previously seen Cobalt Strike samples, and it triggers a number of YARA rules that detect encoded Cobalt Strike configurations.

The sample starts by calling daemon so that it detaches and runs in the background. The key 0x69 is a common value used in Cobalt Strike's encrypted configuration.

The researchers noted that Vermilion Strike's configuration format is the same as Cobalt Strike's, so the tools used for extracting Cobalt Strike configurations can also be used to extract Vermilion Strike's configuration.
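As an added illustration (not code from the article or from Intezer's tooling), the following Python script shows the kind of decoding a configuration-extraction tool or a detection rule for encoded configurations builds on: it XOR-decodes a blob with the 0x69 key and walks the widely documented beacon configuration layout, assumed here, of index, type, length and value entries to recover settings such as the C2 host and port. The sample blob is constructed inside the script and is not taken from any real sample.

```python
import struct

XOR_KEY = 0x69  # the key the article notes as common in Cobalt Strike configs
# Beacon config layout assumed here (widely documented): index(u16 BE) |
# type(u16 BE) | length(u16 BE) | value; type 1 short, 2 int, 3 data; index 0 ends.
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server"}  # labels only

def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR hiding the configuration (symmetric, so also encodes)."""
    return bytes(b ^ key for b in blob)

def parse_config(decoded: bytes) -> dict:
    """Walk the TLV entries and return {setting name or index: value}."""
    settings, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, pos)
        pos += 6
        if idx == 0:  # terminator entry
            break
        raw = decoded[pos:pos + length]
        if len(raw) < length:  # truncated, or not a config at all
            break
        pos += length
        if typ == TYPE_SHORT and length >= 2:
            value = struct.unpack(">H", raw[:2])[0]
        elif typ == TYPE_INT and length >= 4:
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(idx, idx)] = value
    return settings

def looks_like_beacon_config(blob: bytes) -> bool:
    """Triage check: does XOR-decoding with 0x69 expose a plausible config?"""
    cfg = parse_config(xor_decode(blob))
    return all(k in cfg for k in ("BeaconType", "Port", "C2Server"))

def build_sample_config() -> bytes:
    """Constructed sample blob for demonstration; not from any real sample."""
    entries = [
        (1, TYPE_SHORT, struct.pack(">H", 0)),      # BeaconType 0 = HTTP
        (2, TYPE_SHORT, struct.pack(">H", 443)),    # Port
        (3, TYPE_INT, struct.pack(">I", 60000)),    # SleepTime in ms
        (8, TYPE_DATA, b"c2.example.invalid,/load".ljust(256, b"\x00")),
    ]
    plain = b"".join(struct.pack(">HHH", i, t, len(v)) + v for i, t, v in entries)
    return xor_decode(plain + struct.pack(">HHH", 0, 0, 0))  # append terminator, encode
```

Running `parse_config(xor_decode(build_sample_config()))` yields the four labelled settings, while a blob that does not decode into this layout is rejected by the truncation check rather than producing garbage values.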

Fully Undetected in VirusTotal

At the time of analysis, the Vermilion Strike ELF binary that had been detected was fully undetected by anti-malware solutions.

The new Linux malware also shares technical overlaps with Windows DLL files, which points to the same developer.

Tasks That the Beacon can Perform

Here is the list of tasks that the beacon can perform:

  • Change working directory
  • Get current working directory
  • Append/write to file
  • Upload file to C2
  • Execute command via popen
  • Get disk partitions
  • List files

This kind of threat is constant, and the researchers said that the predominance of Linux servers in the cloud, and its continued growth, invites APTs to adjust their toolsets so that they can navigate these environments.

They also affirmed that this is the first Linux implementation that has been used in real attacks. Unfortunately, there is no specific information on the initial attack vector the threat actors use to target Linux systems.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.