Researchers from Intezer disclosed on Monday a Linux and Windows re-implementation of Cobalt Strike Beacon that has been used against government, telecommunications, information technology and financial institutions worldwide.
The researchers report that the sample largely evades detection and have codenamed it "Vermilion Strike". It is one of the rare Linux ports of what is traditionally a Windows-based red-team tool, one that adversaries have heavily repurposed to mount targeted attacks. Cobalt Strike bills itself as "threat emulation software"; Beacon is its payload, designed to model an advanced actor and replicate that actor's post-exploitation activity.
According to the researchers, “The stealthy sample uses Cobalt Strike’s command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files.”
The discovery was made by the Israeli cybersecurity company after an artifact was uploaded to VirusTotal from Malaysia on August 10. At the time of writing, only two anti-malware engines flag the file as malicious. Once executed, the malware runs in the background and decrypts the configuration the beacon needs to operate. It then fingerprints the compromised Linux host and contacts a remote server over DNS or HTTP to retrieve base64-encoded, AES-encrypted instructions, which let the operator run arbitrary commands, write to files, and upload files back to the server.
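The task channel described above (server sends a base64-wrapped, AES-encrypted instruction; the implant decodes, decrypts and dispatches it as a shell command, a file write or a file upload) is the piece an analyst most often has to reproduce, either to decrypt captured traffic with a key recovered from memory or to build a test harness for detection. The following Go program is an added example written for this article; it is not Intezer's or Cobalt Strike's code, and its envelope layout (iv | ciphertext | HMAC-SHA256 tag), its numeric task IDs, and the fixed keys and IV are assumptions chosen for reproducibility, not Beacon's real wire format or key-derivation scheme. It shows both sides of the exchange: `sealTask` plays the C2 server and `openTask` plays the implant (or the analyst), including the integrity check and PKCS#7 padding validation that a careless decryptor skips.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Task kinds the article describes. The numeric IDs are an assumption for
// this example, not Cobalt Strike's real command numbers.
const (
	TaskShell      uint32 = 1 // run a shell command
	TaskWriteFile  uint32 = 2 // write Data to the path in Arg
	TaskUploadFile uint32 = 3 // read the path in Arg and send it to the C2
)

type Task struct {
	Kind uint32
	Arg  string // command line or file path
	Data []byte // file contents for TaskWriteFile, empty otherwise
}

// Constructed keys for the example. A real session key is per-beacon and
// would be recovered from the implant's memory or configuration.
var (
	aesKey  = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	hmacKey = []byte("fedcba9876543210fedcba9876543210")
)

// marshalTask packs a task as kind(4) | argLen(4) | arg | data (big-endian).
func marshalTask(t Task) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], t.Kind)
	binary.BigEndian.PutUint32(hdr[4:8], uint32(len(t.Arg)))
	return append(append(hdr, t.Arg...), t.Data...)
}

// unmarshalTask is the inverse of marshalTask with bounds checks on argLen.
func unmarshalTask(b []byte) (Task, error) {
	if len(b) < 8 {
		return Task{}, errors.New("task header too short")
	}
	kind := binary.BigEndian.Uint32(b[0:4])
	argLen := binary.BigEndian.Uint32(b[4:8])
	if uint64(len(b)) < 8+uint64(argLen) {
		return Task{}, errors.New("arg length exceeds payload")
	}
	arg := string(b[8 : 8+argLen])
	data := append([]byte(nil), b[8+argLen:]...)
	return Task{Kind: kind, Arg: arg, Data: data}, nil
}

// sealTask is the C2 side: PKCS#7-pad, AES-CBC-encrypt, append an
// HMAC-SHA256 tag over iv|ciphertext, and base64-encode the whole envelope.
func sealTask(t Task, iv []byte) (string, error) {
	if len(iv) != aes.BlockSize {
		return "", errors.New("iv must be 16 bytes")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	plain := marshalTask(t)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(iv)
	mac.Write(ct)
	env := append(append(append([]byte{}, iv...), ct...), mac.Sum(nil)...)
	return base64.StdEncoding.EncodeToString(env), nil
}

// openTask is the implant (or analyst) side: base64-decode, verify the tag
// before touching the ciphertext, decrypt, validate padding, parse the task.
func openTask(b64 string) (Task, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return Task{}, err
	}
	if len(raw) < 2*aes.BlockSize+sha256.Size {
		return Task{}, errors.New("envelope too short")
	}
	iv := raw[:aes.BlockSize]
	tag := raw[len(raw)-sha256.Size:]
	ct := raw[aes.BlockSize : len(raw)-sha256.Size]
	if len(ct)%aes.BlockSize != 0 {
		return Task{}, errors.New("ciphertext not block-aligned")
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return Task{}, errors.New("HMAC mismatch: envelope tampered or wrong key")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return Task{}, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(plain) {
		return Task{}, errors.New("bad padding")
	}
	for _, p := range plain[len(plain)-pad:] {
		if int(p) != pad {
			return Task{}, errors.New("bad padding")
		}
	}
	return unmarshalTask(plain[:len(plain)-pad])
}

func main() {
	iv := []byte("example-iv-16byt") // constructed, 16 bytes
	msg, _ := sealTask(Task{Kind: TaskShell, Arg: "uname -a"}, iv)
	t, err := openTask(msg)
	fmt.Printf("task=%+v err=%v\n", t, err)
}
```

The tag is checked with `hmac.Equal` before any decryption, so a forged or corrupted envelope is rejected without becoming a padding oracle; a decryptor written for traffic analysis should keep that order even when it only reads captures.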
Additional samples found during the investigation point to a Windows variant of the malware that shares functionality, and the C2 domains used to remotely control infected hosts, with the Linux build.
According to Intezer, the campaign's limited scope suggests the malware was used in specific espionage operations rather than large-scale intrusions. They attribute it to a "skilled threat actor" because Vermilion Strike has not been observed in other attacks to date.
The researchers said, “Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment.”