Hacker-made Linux Cobalt Strike beacon used in ongoing attacks

silversurfer

Level 75
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,438
An unofficial Cobalt Strike Beacon Linux version made by unknown threat actors from scratch has been spotted by security researchers while actively used in attacks targeting organizations worldwide.

Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams (groups of security professionals who act as attackers on their own org's infrastructure to discover security gaps and vulnerabilities.)

Cobalt Strike is also used by threat actors (commonly dropped in ransomware attacks) for post-exploitation tasks after deploying so-called beacons, which provide persistent remote access to compromised devices. Using beacons, attackers can later access breached servers to harvest data or deploy further malware payloads. Over time, cracked copies of Cobalt Strike have been obtained and shared by threat actors, becoming one of the most common tools used in cyberattacks leading to data theft and ransomware. However, Cobalt Strike has always had a weakness — it only supports Windows devices and does not include Linux beacons.

In a new report by security firm Intezer, researchers explain how threat actors have taken it upon themselves to create their Linux beacons compatible with Cobalt Strike. Using these beacons, threat actors can now gain persistence and remote command execution on both Windows and Linux machines.

Intezer researchers, who first spotted the beacon re-implementation in August and dubbed it Vermilion Strike, said that the Cobalt Strike ELF binary [VirusTotal] they discovered is currently fully undetected by anti-malware solutions.
 
Top