Researchers discovered a new Windows and Linux re-implementation of Cobalt Strike Beacon, which has global telecommunications, governments, financial sectors, information technology, and more in its crosshairs.
Cobalt Strike is a Windows-based red team penetration testing tool that threat actors repurpose for targeted attacks. Beacon is Cobalt Strike's payload, engineered to emulate an advanced threat actor and mimic its post-exploitation actions.
Dubbed “Vermilion Strike,” this as-yet undetected version of the pentesting tool is one of the rare Linux ports of Beacon.
According to researchers from the Israeli cybersecurity company Intezer, this yet-undetected version uses Cobalt Strike's command-and-control (C2) protocol to communicate with the C2 server, which gives it various capabilities, including running shell commands, uploading files, and writing to them.
Intezer published these findings in a report yesterday. The original information was gathered from an artifact uploaded to VirusTotal on August 10 from Malaysia. So far, only two anti-malware engines flag this file as malicious.
Upon installation, the malware runs in the background and decrypts the configuration that Beacon needs to function. It then fingerprints the Linux machine and establishes communications with a remote server over HTTP or DNS. Through this channel it retrieves AES-encrypted and base64-encoded instructions that permit it to run arbitrary commands, write files, and upload them back to the server.
Additional samples from the investigation revealed a Windows variant of the malware that shares functionality and C2 domains with the Linux version and is likewise used to take over hosts remotely.
“Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment,” the researchers said.