Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks

Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild. Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt Strike Beacon and are actively using them in attacks aimed at organizations worldwide.Cobalt Strike is a legitimate penetration testing tool designed as an attack […]

Vermillon Strike

Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild.

Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt Strike Beacon and are actively using them in attacks aimed at organizations worldwide.Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams (groups of security professionals who act as attackers on their own org’s infrastructure to discover security gaps and vulnerabilities.)

The Linux versions of the commercial post-exploitation tool was codenamed Vermilion Strike and according to Intezer researchers, that spotted it, is it fully undetected by vendors.

“In August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which we named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files.” reads the analysis published by Intezer,

Intezer researchers reported that the Linux variant has been active in the wild since August, threat actors used it in attacks against telecom companies, government agencies, IT companies, financial institutions and advisory companies. 

Vermillon Strike

The sample analyzed by the researchers was uploaded to VirusTotal from Malaysia and has a zero-rate detection in the platform at the time of this writing.

Researchers believe that Vermillon Strike was used in highly targeted attacks.

The technical analysis revealed that the ELF file uploaded on VisurTotal shares strings with Cobalt Strike samples and could be detected as malicious by using YARA rules for Cobalt Strike. The file is built on a Red Hat Linux distribution.

“It uses OpenSSL via dynamic linking. The shared object names for OpenSSL on Red Hat-based distributions are different from other Linux distributions. Because of this, it can only run on machines with Linux distribution based on Red Hat’s code base.” continues the analysis.

Upon installing the sample, the malware will run in the background using daemon and decrypt the configuration necessary for the beacon to function. The malware connects C2 primarily over DNS, to avoid detection, but it is also able to use HTTP.

Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterparts due to reasons discussed in Why we Should be Paying More Attention to Linux Threats.” concludes the analysis. “Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon. Another example is the open-source project geacon, a Go-based implementation. Vermilion Strike may not be the last Linux implementation of Beacon.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cobalt Strike)

[adrotate banner=”5″]

[adrotate banner=”13″]