Malicious Linux version of Cobalt Strike hacking tool found

Cobalt Strike is a legitimate commercially sold Windows-only penetration testing tool for infosec pros that has long been leveraged by threat actors to support their cyber attacks. Now a new Linux version being used by threat actors has been discovered by security researchers, meaning infosec teams with Linux infrastructure have to worry about detecting signs of this tool before malware gets installed.

Intezer, a New York-based threat detection firm, and security vendor McAfee said this week they have found a re-implementation of Cobalt Strike's Beacon, created by a hacker, which works on Linux and Windows systems.

Dubbed Vermilion Strike, it uses Cobalt Strike's command and control (C2) protocol when communicating with a C2 server. And, like Cobalt Strike, it has remote access capabilities such as the ability to upload files, run shell commands and write to files.

Based on telemetry the two companies have seen, Vermilion Strike has been active in the wild since August, targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world, the report says. “Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading,” the report adds.

The ELF file Vermilion Strike uses is built on a Red Hat Linux distribution. That means — so far — it can only run on machines with Linux distributions based on Red Hat's code base.

The good news is that the file shares strings with previously seen Cobalt Strike samples and triggers a number of YARA rules that detect encoded Cobalt Strike configurations.

“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer said in its posting.

Like Cobalt Strike, Vermilion Strike begins by fingerprinting an infected machine, gathering information on its operating system, network configuration, and other data useful to attackers. The collected information is formatted into a string, encrypted with a public RSA key, and base64 encoded before being sent to a command and control server for action.

Command and control is primarily performed over DNS but also available over HTTP. This DNS-based approach for communications can help avoid traditional defenses that monitor HTTP traffic, the report notes.
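Because the DNS channel bypasses HTTP-focused monitoring, one defensive check is to look at resolver logs for the shape of data-carrying DNS traffic: a client sending many queries to one domain where nearly every leftmost label is unique and high-entropy. The script below is an added example, not code from the Intezer/McAfee report or from Vermilion Strike; the log format, the sample lines, the thresholds, and the naive two-label domain grouping are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines "<client> <qname> <qtype>"; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 cdn.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 a9f3c1d0e77b2.updates.example-c2.net TXT
10.0.0.9 b71e0d4c92a6f.updates.example-c2.net TXT
10.0.0.9 c3d8e5f0a1b72.updates.example-c2.net TXT
10.0.0.9 d0a1b2c3e4f59.updates.example-c2.net A
10.0.0.9 e5f6a7b8c9d01.updates.example-c2.net TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted data scores close to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Group by the last two labels (assumption: no public-suffix list in this example)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_log(log: str, min_queries=4, min_entropy=3.0, min_unique_ratio=0.8):
    """Flag (client, domain) pairs whose query stream looks like tunnelled data:
    enough queries, almost every leftmost label never repeated, high label entropy."""
    groups = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qname, qtype = parts
        groups[(client, registered_domain(qname))].append((qname, qtype))
    findings = []
    for (client, domain), queries in groups.items():
        if len(queries) < min_queries:
            continue
        labels = [q.split(".")[0] for q, _ in queries]
        unique_ratio = len(set(labels)) / len(labels)
        entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        txt_share = sum(1 for _, t in queries if t == "TXT") / len(queries)
        if unique_ratio >= min_unique_ratio and entropy >= min_entropy:
            findings.append({"client": client, "domain": domain, "queries": len(queries),
                             "unique_ratio": unique_ratio, "entropy": round(entropy, 2),
                             "txt_share": round(txt_share, 2)})
    return findings
```

Thresholds need tuning per environment: CDNs and some telemetry services also emit unique, hash-like labels, so findings are leads for triage rather than verdicts.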

Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon, the report adds. Another example is the open-source project geacon, a Go-based implementation. “Vermilion Strike may not be the last Linux implementation of Beacon,” Intezer warns.

Howard Solomon