An unofficial Linux version of the Cobalt Strike Beacon, created by unknown threat actors, has been spotted by security researchers and is being actively used in attacks targeting organizations around the world.
Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams.
Cobalt Strike is also used by threat actors for post-exploitation work after deploying so-called beacons, which provide persistent remote access to compromised devices. Using beacons, attackers can later access compromised servers to collect data or deploy further malware payloads.
Over time, cracked copies of Cobalt Strike have been obtained and shared by threat actors, making it one of the most common tools used in cyber attacks leading to data theft and ransomware. However, Cobalt Strike has always had one limitation - it only supports Windows devices and does not include Linux beacons.
In a new report from security company Intezer, researchers explain how threat actors took it upon themselves to create their own Linux beacons compatible with Cobalt Strike. Using these beacons, the threat actors can now gain persistence and remote command execution on both Windows and Linux machines.
Completely undetected in VirusTotal
Intezer researchers, who first spotted the beacon re-implementation in August and named it Vermilion Strike, said the Cobalt Strike ELF binary [VirusTotal] they discovered went completely undetected by anti-malware solutions.
Vermilion Strike uses the same configuration format as the official Windows beacon and can "talk" to all Cobalt Strike servers, but does not share any code with Cobalt Strike.
This new Linux malware also has technical overlaps with Windows DLLs, hinting at the same developer.
It has been used in a series of attacks since August
Intezer has found many organizations targeted by Vermilion Strike since August 2021 - across industries, from telecommunications and government services to IT companies, financial institutions and consulting firms around the world.
Source of information: bleepingcomputer.com