Hackers have created a Linux Cobalt Strike beacon used in attacks


An unofficial version of Cobalt Strike Beacon Linux created by unknown threats has been spotted by security researchers and is being actively used in attacks targeting organizations around the world.

Linux Cobalt Strike beacon


Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams.

Cobalt Strike is also used by threat actors for post-exploitation work after they deploy so-called beacons, which provide persistent remote access to compromised devices. Using beacons, attackers can later return to compromised servers to collect data or deploy further malware payloads.

Over time, cracked copies of Cobalt Strike have been obtained and shared by threat actors, making it one of the most common tools used in cyber attacks leading to data theft and ransomware. However, Cobalt Strike has always had one limitation: its official beacons only run on Windows, so it ships no Linux beacon (the team server itself runs on Linux, but the implant does not).

In a new report from security company Intezer, researchers explain how threat actors went as far as creating their own Linux beacon that is compatible with Cobalt Strike's command-and-control infrastructure. Using these beacons, the threat actors can now gain persistence and remote command execution on both Windows and Linux machines.


Completely undetected in VirusTotal

Intezer researchers, who first spotted the beacon re-implementation in August and named it Vermilion Strike, said the Cobalt Strike ELF binary [VirusTotal] they discovered was completely undetected by anti-malware engines at the time.

Vermilion Strike uses the same configuration format as the official Windows beacon and can "talk" to any Cobalt Strike server, but it shares no code with Cobalt Strike itself: it is a from-scratch re-implementation of the beacon protocol rather than a port.

This new Linux malware also has technical overlaps with Windows DLL samples, suggesting that the same developer is behind both.
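Because the configuration format matches the official Windows beacon, the same config extraction and detection logic used against Windows samples can be pointed at the Linux ELF. The script below is an added example, not code from the article or from Intezer, and it encodes the publicly documented Cobalt Strike beacon config layout: a block XOR-encoded with a single byte (0x2e for 4.x, 0x69 for 3.x), which decodes to big-endian TLV entries (2-byte index, 2-byte type, 2-byte length, value). The field names and beacon-type values come from public research on Windows beacons and are assumed here to apply to the Linux re-implementation; the page itself says only that the format is the same. The sample blob is constructed for the example.

```python
"""Locate and parse a Cobalt Strike-style beacon configuration in a binary blob.

The config is XOR-encoded with a single byte and decodes to TLV entries:
    index (u16 BE), type (u16 BE), length (u16 BE), value
Type 1 = 16-bit integer, type 2 = 32-bit integer, type 3 = raw bytes.
Entry index 0 terminates the block.
"""
import struct

XOR_KEYS = (0x2E, 0x69)  # 0x2e: Cobalt Strike 4.x, 0x69: Cobalt Strike 3.x
# The first entry is always BeaconType: index=1, type=1 (u16), length=2.
CONFIG_PREAMBLE = b"\x00\x01\x00\x01\x00\x02"

# Subset of field indices from public Cobalt Strike config documentation.
FIELD_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    6: "MaxDNS", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
    10: "HttpPostUri", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes):
    """Return (offset, xor_key) of the first encoded config preamble, or None."""
    for key in XOR_KEYS:
        needle = xor_bytes(CONFIG_PREAMBLE, key)
        off = blob.find(needle)
        if off != -1:
            return off, key
    return None


def parse_config(decoded: bytes) -> dict:
    """Walk decoded TLV entries until the index-0 terminator or end of data."""
    fields = {}
    pos = 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack(">HHH", decoded[pos:pos + 6])
        pos += 6
        if idx == 0:
            break  # terminator entry
        value = decoded[pos:pos + length]
        pos += length
        if typ == 1 and length == 2:
            value = struct.unpack(">H", value)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", value)[0]
        elif typ == 3:
            value = value.rstrip(b"\x00")  # fixed-size, NUL-padded buffers
        fields[FIELD_NAMES.get(idx, f"field_{idx}")] = value
    return fields


def extract_config(blob: bytes):
    """Find, decode and parse the config; None if no preamble is present."""
    hit = find_config(blob)
    if hit is None:
        return None
    off, key = hit
    return parse_config(xor_bytes(blob[off:], key))


def build_sample_blob() -> bytes:
    """Constructed test data: an ELF-like prefix, padding, and a 0x2e-encoded config."""
    entries = [
        (1, 1, struct.pack(">H", 8)),          # BeaconType = HTTPS
        (2, 1, struct.pack(">H", 443)),        # Port
        (3, 2, struct.pack(">I", 60000)),      # SleepTime (ms)
        (5, 1, struct.pack(">H", 20)),         # Jitter (%)
        (8, 3, b"c2.example.invalid,/load".ljust(256, b"\x00")),  # C2Server
        (37, 2, struct.pack(">I", 1234567)),   # Watermark
    ]
    raw = b"".join(struct.pack(">HHH", i, t, len(v)) + v for i, t, v in entries)
    raw += b"\x00" * 6  # terminator
    return b"\x7fELF" + b"\xaa" * 64 + xor_bytes(raw, 0x2E) + b"\xbb" * 32


if __name__ == "__main__":
    cfg = extract_config(build_sample_blob())
    cfg["BeaconType"] = BEACON_TYPES.get(cfg["BeaconType"], cfg["BeaconType"])
    for name, value in cfg.items():
        print(f"{name:12} {value!r}")
```

The preamble search is the cheap triage step: the six encoded bytes (`2e 2f 2e 2f 2e 2c` for 4.x beacons) are a usable YARA or grep signature regardless of whether the carrier is a PE or an ELF. Real samples may store the config in a packed or encrypted section that must be unpacked before this scan finds anything, and a beacon built with a modified XOR key will not match either of the two keys above.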


It has been used in a series of attacks since August

Intezer has found Vermilion Strike used against organizations since August 2021, across industries ranging from telecommunications and government agencies to IT companies, financial institutions and consulting firms around the world.


Teo Ehc