Security researchers with Intezer have identified a reimplementation of the infamous Cobalt Strike Beacon payload, which features completely new code.
Dubbed Vermilion Strike, the malware can be used to target Linux and Windows devices and provides attackers with remote access capabilities such as file manipulation and shell command execution.
Since August 2021, adversaries have been using the new beacon to target government agencies, financial institutions, IT companies, telecommunication providers, and advisory companies worldwide. Limited targeting, however, suggests the malware is being used in specific attacks only.
“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer says.
A Linux-targeting sample uploaded from Malaysia has strings similar to those in previously observed Cobalt Strike variants and also triggers YARA rules designed to detect encoded Cobalt Strike configurations. Using OpenSSL via dynamic linking, the file is built on Red Hat and can only be used on machines running Linux distributions based on Red Hat’s code base.
Command and control (C&C) is mainly performed over DNS, but can be done over HTTP as well. The approach is meant to evade defenses based on the monitoring of HTTP traffic.
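Because the beacon's C&C traffic goes mostly over DNS, the practical counterpart for defenders is to monitor DNS query logs rather than only HTTP. The following Python is an added example written for this article, not Intezer's code and not based on any real Vermilion Strike indicator: it flags hosts that issue many unique, high-entropy subdomain queries under one registered domain, a common signature of DNS-based command channels. The log lines, hosts, domain names and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log: "<client-ip> <queried-name>" per line (not real data).
HEX = "0123456789abcdef"
BEACON_LABELS = [(HEX * 2)[i:i + 12] for i in range(8)]  # 12 distinct hex chars each
SAMPLE_DNS_LOG = "\n".join(
    ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com", "10.0.0.5 example.com"]
    + [f"10.0.0.7 {label}.c2-placeholder.example" for label in BEACON_LABELS]
    + [f"10.0.0.9 {c}.example.net" for c in "abcdefgh"]  # many subs, low entropy
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious_dns(log_text: str, min_unique: int = 8, min_entropy: float = 3.0):
    """Return (host, domain, unique_subdomains, avg_entropy) for each host/domain
    pair whose distinct subdomain labels look like encoded C&C data."""
    subs_by_pair = defaultdict(set)  # (host, registered domain) -> {subdomain, ...}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        host, name = parts
        labels = name.lower().strip(".").split(".")
        if len(labels) < 3:
            continue  # bare registered domain, nothing encoded in a subdomain
        domain = ".".join(labels[-2:])  # simplistic: assumes two-label registered domain
        subs_by_pair[(host, domain)].add(".".join(labels[:-2]))

    hits = []
    for (host, domain), subs in subs_by_pair.items():
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_entropy >= min_entropy:
            hits.append((host, domain, len(subs), round(avg_entropy, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_dns(SAMPLE_DNS_LOG):
        print("suspicious DNS activity:", hit)
```

The two-label registered-domain split is a simplification; a production version would use a public-suffix list and baseline per-host query volumes.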
Vermilion Strike can perform tasks such as: get disk partitions, get the working directory and change it, append or write to files, upload files to the C&C server, execute commands, and list files. The Windows implementation of the beacon carries almost the same functionality and has the same C&C domains.
“Cobalt Strike is a Windows-only malware so making a custom Linux file communicate with a Cobalt Strike server is impressive,” Intezer says. “We don’t believe this has ever happened before in APT attacks.”
The beacon currently has a very low detection rate, especially the Linux variant. However, Vermilion Strike is not the only Linux port of Cobalt Strike and most likely not the last either.
“Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterparts,” Intezer notes.