
Cobalt Strike Beacon Reimplementation ‘Vermilion Strike’ Targets Windows, Linux

Security researchers with Intezer have identified a reimplementation of the infamous Cobalt Strike Beacon payload, which features completely new code.


Dubbed Vermilion Strike, the malware can be used to target Linux and Windows devices and provides attackers with remote access capabilities such as file manipulation and shell command execution.

Since August 2021, adversaries have been using the new beacon to target government agencies, financial institutions, IT companies, telecommunication providers, and advisory companies worldwide. Limited targeting, however, suggests the malware is being used in specific attacks only.

“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer says.

A Linux-targeting sample uploaded from Malaysia contains strings similar to those seen in previously observed Cobalt Strike variants and also triggers YARA rules written to detect encoded Cobalt Strike configurations. The file was built on Red Hat and is dynamically linked against OpenSSL, so it can only be run on Linux distributions derived from Red Hat's code base.
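The YARA rules referred to above work because a Beacon configuration has a recognisable shape even when encoded: a sequence of big-endian TLV entries (index, type, length, value) XORed with a single byte, 0x69 in 3.x builds and 0x2e in 4.x builds, beginning with an entry whose header is always `00 01 00 01 00 02`. The following is an added example, not code from Intezer or SecurityWeek, that does in Python what such a rule does: search a blob for that header under each candidate key and then decode the leading entries. The layout and index names are those documented by public Beacon config parsers; the sample blob and the C2 value `c2.example.invalid` are constructed for the example.

```python
"""Locate and decode an XOR-encoded Cobalt Strike Beacon configuration.

Added example. Layout assumptions (from public Beacon config parsers): the
config is a run of TLV entries, each index(u16) type(u16) length(u16) value,
big-endian, the whole block XORed with one byte (0x69 for 3.x, 0x2e for 4.x).
"""
import struct

# Constructed test data: four entries of a minimal config, XOR-encoded and
# surrounded by padding to imitate an embedded config. Not a real sample.
PLAINTEXT_CONFIG = (
    struct.pack(">HHHH", 1, 1, 2, 0)          # BeaconType: 0 = HTTP
    + struct.pack(">HHHH", 2, 1, 2, 443)      # Port
    + struct.pack(">HHHI", 3, 2, 4, 60000)    # SleepTime in milliseconds
    + struct.pack(">HHH", 8, 3, 32)           # C2Server, 32-byte string
    + b"c2.example.invalid,/api/v1".ljust(32, b"\0")
)
XOR_KEY = 0x2E
SAMPLE_BLOB = (
    b"\x90" * 64
    + bytes(b ^ XOR_KEY for b in PLAINTEXT_CONFIG)
    + b"\xcc" * 32
)

# Entry 1 is always index=1, type=1 (short), length=2: the bytes a YARA rule keys on.
CONFIG_HEADER = bytes.fromhex("000100010002")
CANDIDATE_KEYS = (0x2E, 0x69)
KNOWN_INDEXES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server"}


def find_encoded_config(blob, keys=CANDIDATE_KEYS):
    """Return (offset, key) of the first encoded config header, or None.

    Same idea as the YARA rule: look for the header XORed with each candidate
    key instead of decoding the whole file under every key.
    """
    for key in keys:
        needle = bytes(b ^ key for b in CONFIG_HEADER)
        off = blob.find(needle)
        if off != -1:
            return off, key
    return None


def parse_config(blob, offset, key, max_entries=64):
    """Decode TLV entries from offset, XORing bytes with key as they are read.

    Stops at index 0 (the terminator) or at an implausible index, which is what
    you hit when the config ends and the surrounding bytes are decoded instead.
    """
    def read(n):
        nonlocal offset
        chunk = bytes(b ^ key for b in blob[offset:offset + n])
        if len(chunk) != n:
            raise ValueError("truncated config")
        offset += n
        return chunk

    entries = {}
    for _ in range(max_entries):
        index, vtype, length = struct.unpack(">HHH", read(6))
        if index == 0 or index > 0x80:
            break
        raw = read(length)
        if vtype == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif vtype == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\0")   # type 3: fixed-size, NUL-padded data
        entries[index] = value
    return entries


def describe(entries):
    """Map numeric indexes to the names public parsers use for them."""
    return {KNOWN_INDEXES.get(i, f"index_{i}"): v for i, v in entries.items()}


if __name__ == "__main__":
    hit = find_encoded_config(SAMPLE_BLOB)
    if hit is None:
        print("no encoded Beacon config found")
    else:
        off, key = hit
        print(f"config at offset {off}, XOR key 0x{key:02x}")
        for name, value in describe(parse_config(SAMPLE_BLOB, off, key)).items():
            print(f"  {name}: {value!r}")
```

Because a reimplementation that talks to a stock Cobalt Strike team server must carry the same kind of configuration, a scan like this can flag it even when the code bytes share nothing with the original Beacon, which matches what Intezer observed with the Linux sample. A real config has many more entries than the four constructed here, and operators can change the key, so treat a miss as inconclusive rather than as a clean result.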

Command and control (C&C) traffic is carried mainly over DNS, although HTTP is supported as well. Favouring DNS is meant to evade defenses that concentrate on monitoring HTTP traffic.
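A beacon that tunnels C&C over DNS has to encode its data in the names it looks up, so the defensive counterpart is to watch resolver logs for one client issuing many distinct, long, high-entropy subdomains under a single domain. The following is an added example of that heuristic in Python; it is not from the Intezer report or SecurityWeek. The log line format (`timestamp client qtype qname`), the thresholds, the two-label approximation of a registered domain, and the log lines themselves are all constructed for the example.

```python
"""Flag DNS-tunnelling style beaconing in resolver logs.

Added example. Assumed log format: "<timestamp> <client-ip> <qtype> <qname>"
per line. Thresholds are illustrative starting points, not tuned values.
"""
import math
from collections import defaultdict

# Constructed resolver log: 10.0.0.5 browses normally, 10.0.0.7 sends
# encoded data as subdomains of example.org. Not real traffic.
SAMPLE_DNS_LOG = "\n".join([
    "2021-09-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2021-09-01T10:00:02Z 10.0.0.5 A cdn.example.net",
    "2021-09-01T10:00:03Z 10.0.0.7 A k3x9qw2pvb7mz4nc8rt5.upd.example.org",
    "2021-09-01T10:00:04Z 10.0.0.5 A mail.example.com",
    "2021-09-01T10:00:05Z 10.0.0.7 TXT h6d1fy0gsj3kal9ueqm2.upd.example.org",
    "2021-09-01T10:00:06Z 10.0.0.7 A zp4rv8nt1xc6ob2wq7ks.upd.example.org",
    "2021-09-01T10:00:07Z 10.0.0.5 A www.example.com",
    "2021-09-01T10:00:08Z 10.0.0.7 TXT m9ya3je5lh0fd7gu1bxt.upd.example.org",
    "2021-09-01T10:00:09Z 10.0.0.5 A api.example.net",
    "2021-09-01T10:00:10Z 10.0.0.7 A c2vs8qk4zn6rp1wx5tbo.upd.example.org",
    "2021-09-01T10:00:11Z 10.0.0.5 A www.example.org",
    "2021-09-01T10:00:12Z 10.0.0.7 A r7eg0dl3mf9ahj2uyk6s.upd.example.org",
])


def shannon_entropy(s):
    """Bits per character; random-looking encoded labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: last two labels. Production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_dns_log(text):
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def find_dns_tunnels(records, min_unique=5, min_label_len=16, min_entropy=3.0):
    """Group queries by (client, registered domain) and score the subdomain prefixes.

    A pair is flagged when the client used many distinct prefixes whose leading
    label is both long and high-entropy, the signature of data smuggled in names.
    """
    prefixes = defaultdict(set)
    for _, client, _, qname in records:
        dom = registered_domain(qname)
        if qname.endswith("." + dom):
            prefixes[(client, dom)].add(qname[: -len(dom) - 1])

    findings = {}
    for key, subs in prefixes.items():
        if len(subs) < min_unique:
            continue
        first_labels = [s.split(".")[0] for s in subs]
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_ent = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings[key] = {
                "unique_subdomains": len(subs),
                "avg_label_len": avg_len,
                "avg_entropy": avg_ent,
            }
    return findings


if __name__ == "__main__":
    for (client, dom), stats in find_dns_tunnels(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {dom}: {stats}")
```

Expect noise from CDNs, anti-virus cloud lookups and telemetry domains, which legitimately generate many hashed subdomains; an allowlist of known services and a minimum number of clients per domain are the usual next steps. The heuristic says nothing about which implant is behind the traffic, only that a host is moving data through the resolver, which is exactly the channel the HTTP-only monitoring mentioned above misses.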

Vermilion Strike can list disk partitions, get and change the working directory, append to or write files, upload files to the C&C server, execute commands, and list files. The Windows implementation of the beacon carries almost the same functionality and uses the same C&C domains.

“Cobalt Strike is a Windows-only malware so making a custom Linux file communicate with a Cobalt Strike server is impressive,” Intezer says. “We don’t believe this has ever happened before in APT attacks.”


The beacon currently has a very low detection rate, and this is especially true for the Linux variant. Vermilion Strike is not the only Linux port of Cobalt Strike, however, and most likely not the last either.

“Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterparts,” Intezer notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
