Cobalt Strike is a legitimate, commercially sold, Windows-only penetration testing tool for infosec professionals that has long been leveraged by threat actors to support their cyber attacks. Now security researchers have discovered a Linux version in use by threat actors, meaning infosec teams with Linux infrastructure have to worry about detecting signs of this tool before malware gets installed.
Intezer, a New York-based threat detection firm, and security vendor McAfee said this week they have found a re-implementation of Cobalt Strike beacon, created by a hacker, which works on Linux and Windows systems.
Dubbed Vermilion Strike, it uses Cobalt Strike’s command and control (C2) protocol when communicating with a C2 server. And, like Cobalt Strike, it has remote access capabilities such as the ability to upload files, run shell commands and write to files.
Based on telemetry the two companies have seen, Vermilion Strike has been active in the wild since August, targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world, the report says. “Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading,” the report adds.
The ELF file Vermilion Strike uses is built on a Red Hat Linux distribution. That means — so far — it can only run on machines with Linux distributions based on Red Hat’s code base.
The good news is that the file shares strings with previously seen Cobalt Strike samples and triggers a number of YARA rules that detect encoded Cobalt Strike configurations.
“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer said in its posting.
Like Cobalt Strike, Vermillion Strike begins by fingerprinting an infected machine, gathering information on its operating system, network configuration, and other useful data for attackers. The collected information is formatted into a string, encrypted with a public RSA key, and base64 encoded before being sent to a command and control server for action.
Command and control is primarily performed over DNS but also available over HTTP. This DNS-based approach for communications can help avoid traditional defenses that monitor HTTP traffic, the report notes.
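A defender-side check for the DNS channel described above, added here as an example and not taken from the Intezer/McAfee report: it scans resolver query logs for leftmost labels that look like base64-encoded blobs (long, base64 alphabet, high entropy) and groups repeated hits by client and parent domain, which is the footprint a check-in carrying an encrypted, base64-encoded metadata string would leave. The log format, domain names and thresholds are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines; hypothetical format "<ts> <client> <qname> <qtype>".
SAMPLE_LOG = """\
1631000001 10.0.0.5 www.example.com A
1631000002 10.0.0.5 YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo.c2.example-c2.test A
1631000003 10.0.0.5 bWV0YWRhdGEtYmxvYi0wMDAxLWFhYWFhYWFh.c2.example-c2.test A
1631000004 10.0.0.5 mail.example.com MX
1631000005 10.0.0.7 update.vendor.example A
"""

# Long labels drawn from the base64 / base64url alphabet (plus optional padding).
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{20,}={0,2}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded blobs score well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encoded(label: str, min_entropy: float = 3.5) -> bool:
    """True when a label is long, base64-shaped and high-entropy (threshold is a constructed guess)."""
    return bool(BASE64_LABEL.match(label)) and shannon_entropy(label) >= min_entropy

def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.rstrip("."), "qtype": qtype}

def suspicious_queries(log_text: str) -> list:
    """(client, parent_domain, label) for every query whose leftmost label looks like an encoded blob."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        labels = rec["qname"].split(".")
        if len(labels) < 3:          # need <blob>.<parent domain> at minimum
            continue
        first, parent = labels[0], ".".join(labels[1:])
        if looks_encoded(first):
            hits.append((rec["client"], parent, first))
    return hits

def beaconing_parents(log_text: str, min_hits: int = 2) -> list:
    """(client, parent, count) pairs with >= min_hits encoded-label queries: repeated check-ins to one zone."""
    counts = defaultdict(int)
    for client, parent, _ in suspicious_queries(log_text):
        counts[(client, parent)] += 1
    return sorted((c, p, n) for (c, p), n in counts.items() if n >= min_hits)
```

Ordinary hostnames fail the length or entropy gate, so the only grouping reported for the sample is the client that sent two blob-labelled queries to the same parent zone; tune `min_hits` and the entropy threshold against your own resolver baseline before alerting on it.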
Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon, the report adds. Another example is the open-source project geacon, a Go-based implementation. “Vermilion Strike may not be the last Linux implementation of Beacon,” Intezer warns.