Security researchers have discovered an unauthorized Linux port of the Cobalt Strike Beacon, built by malicious actors and actively used in attacks on organizations worldwide.
Cobalt Strike is a legitimate penetration testing tool built for red-team work (security teams that act as attackers to find weaknesses in their own organization's infrastructure).
Cobalt Strike is frequently used for post-exploitation tasks by malicious actors (it is often dropped in ransomware campaigns) after they plant so-called beacons, which give persistent remote access to compromised machines. Using beacons, attackers can access compromised servers to collect data or later distribute additional malware payloads.
Over time, cybercriminals obtained cracked copies of Cobalt Strike and circulated them, making it one of the most prevalent tools in attacks that culminate in data theft and extortion. Cobalt Strike has always had one limitation, however: it supports only Windows devices and therefore has no Linux beacon.
Now, in a new analysis, researchers at the security company Intezer describe how threat actors have built their own Cobalt Strike-compatible Linux beacons. Using these beacons, malicious actors can maintain remote control over both Windows and Linux devices.
The previously undetected variant, dubbed "Vermilion Strike", is one of the rare Linux ports of the penetration testing tool, which is normally a Windows-based red team tool heavily used by adversaries to launch a range of targeted attacks. As a threat emulation tool, Cobalt Strike markets its Beacon payload as a way to imitate an advanced actor and replicate that actor's post-exploitation behaviour.
"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files," Intezer researchers said in a report.
Once installed, the malware runs in the background, decoding the configuration the beacon needs to operate, then fingerprints the compromised Linux host and communicates with a remote server over DNS or HTTP to retrieve base64-encoded, AES-encrypted commands, write files, and upload files back to the server.
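The behaviour described above, a beacon that sleeps and then calls home over DNS or HTTP, leaves a timing signature that defenders can look for: connections from one host to one server arrive at suspiciously regular intervals. The following script is an added example written for this article, not code from Intezer or from the Cobalt Strike project; it runs a simple periodicity heuristic over a constructed, space-separated connection log (ISO timestamp, source IP, destination IP, protocol, destination port). The field layout, the thresholds (`min_connections`, `max_cv`) and the sample IPs are assumptions for illustration.

```python
"""Flag host pairs whose connection timing looks like periodic beaconing.

Beacon-style implants call home on a fixed sleep interval (often with a
small jitter), so the inter-arrival times between connections from one
source to one destination cluster tightly around a mean. Benign traffic
tends to be bursty and irregular. This heuristic flags pairs with enough
connections and a low coefficient of variation (stdev / mean) in their
intervals, regardless of whether the channel is HTTP or DNS.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real traffic). Space-separated fields:
# ISO timestamp, source IP, destination IP, protocol, destination port.
# 203.0.113.7:443 is contacted roughly every 60 seconds; the rest is noise.
SAMPLE_LOG = """\
2021-09-13T10:00:00 10.0.0.5 203.0.113.7 tcp 443
2021-09-13T10:00:03 10.0.0.5 198.51.100.2 tcp 443
2021-09-13T10:01:00 10.0.0.5 203.0.113.7 tcp 443
2021-09-13T10:01:59 10.0.0.5 203.0.113.7 tcp 443
2021-09-13T10:02:20 10.0.0.5 198.51.100.9 udp 53
2021-09-13T10:03:01 10.0.0.5 203.0.113.7 tcp 443
2021-09-13T10:04:00 10.0.0.5 203.0.113.7 tcp 443
2021-09-13T10:05:00 10.0.0.5 203.0.113.7 tcp 443
2021-09-13T10:07:41 10.0.0.5 198.51.100.2 tcp 443
"""


@dataclass
class BeaconCandidate:
    src: str
    dst: str
    proto: str
    port: int
    connections: int
    mean_interval: float  # seconds between connections
    cv: float             # stdev / mean; lower means more regular


def parse_log(text):
    """Yield (timestamp, src, dst, proto, port) tuples; skip blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, proto, int(port)


def find_beacons(text, min_connections=4, max_cv=0.3):
    """Return BeaconCandidate entries for flows whose timing is suspiciously regular.

    min_connections: ignore flows with fewer connections (too little evidence).
    max_cv: maximum coefficient of variation to still count as 'regular';
            0.3 tolerates the modest jitter beacons typically add to their sleep.
    """
    flows = defaultdict(list)
    for ts, src, dst, proto, port in parse_log(text):
        flows[(src, dst, proto, port)].append(ts)

    hits = []
    for (src, dst, proto, port), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue  # all connections in the same second; not a sleep pattern
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            hits.append(BeaconCandidate(src, dst, proto, port, len(stamps), mean, cv))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit.src} -> {hit.dst}:{hit.port}/{hit.proto}  n={hit.connections}  "
              f"interval~{hit.mean_interval:.0f}s  cv={hit.cv:.3f}")
```

On the sample log the only flagged flow is the one to 203.0.113.7 on tcp/443, with a mean interval of about 60 seconds and a coefficient of variation near zero. In practice this heuristic is a triage aid, not a verdict: legitimate software (update checks, monitoring agents) also polls on fixed timers, so flagged pairs should be enriched with destination reputation and process context before anyone acts on them.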
"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets to navigate the existing environment," the researchers said.