Cybercriminals recreate Cobalt Strike in Linux

The new malware strain has gone unnoticed by detection tools.
Written by Charlie Osborne, Contributing Writer

A re-implementation of Cobalt Strike has been "written from scratch" to attack Linux systems.

Dubbed Vermilion Strike, the new variation leans on Cobalt Strike functionality, including its command-and-control (C2) protocol, its remote access functionality, and its ability to run shell instructions, Intezer said on Tuesday.

Cobalt Strike is a legitimate penetration testing tool for Windows systems. Released in 2012, the tool has been repeatedly abused by threat actors, including advanced persistent threat (APT) groups such as Cozy Bear and campaigns designed to spread Trickbot and the Qbot/Qakbot banking Trojan.

Cobalt Strike's source code for version 4.0 was allegedly leaked online; however, most threat actors tracked by cybersecurity teams appear to rely on pirated and cracked copies of the software.

Until now, at least.

In August, Intezer uncovered the new ELF implementation of Cobalt Strike's beacon, which appears to have originated from Malaysia.

When the researchers reported Vermilion Strike, it went undetected as malicious software on VirusTotal. (As of the time of writing, however, 24 antivirus vendors have registered the threat.)

Built on a Red Hat Linux distribution, the malware is capable of launching beacons, listing files, changing and retrieving the working directory, appending and writing to files, uploading data to its C2, executing commands via the popen function, and analyzing disk partitions.

Although the malware targets Linux builds, Windows samples have also been found that use the same C2 server and contain the same functionality.

The researchers worked with McAfee Enterprise ATR to examine the software and have concluded that Vermilion Strike is being used in targeted attacks against telecoms, government, IT, advisory, and financial organizations worldwide.

"The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn't been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor," Intezer says.

This is not the only unofficial port of Cobalt Strike, however. There is also geacon, an open source project written in the Go (Golang) programming language.
