Hackers port Cobalt Strike attack tool to Linux

Security experts say the Cobalt Strike Beacon tool has been adapted by hackers to work against Linux machines.

Designed for use by penetration testers and other security professionals, Beacon is the automated attack component of the $3,500 per-year Cobalt Strike security testing suite that enables attacks like keylogging and file theft. Because it is so effective at automatically compromising machines, the software has also become effective with cybercriminals looking to remotely break into a network.

Officially, Cobalt Strike Beacon has been only supported for use against Windows systems. According to security vendor Intezer, however, someone has managed to not only reverse-engineer the tool, but also port it to work against Linux machines.

Intezer researchers Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said that their team has spotted an in-the-wild attack on Linux machines that appears to show many of the same telltale signs of the official Beacon attack tool.

Dubbed "Vermillion Strike" by the researchers, the malware appears to have been "written from scratch" and was launched from systems based in Malaysia. It allows the attackers to remotely manage and extract data from targeted machines once the attackers gain a foothold.

"Based on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been active in the wild since August targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world," Intezer researchers explained. 

"Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading."

What's worse, it seems the home-brew version of Beacon is as of now incredibly difficult for automated scanning tools to detect.

"The stealthy sample uses Cobalt Strike's Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files," the Intezer team wrote. "The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia."

HelpSystems, which produces the legitimate Windows version of Cobalt Strike, did not respond to a request for comment on the matter.

Intezer has posted some indicators of compromise and best practices that can help Linux admins spot and remove the attack. 

According to the Intezer researchers, this is most likely not a one-off occurrence, and administrators should expect to see other unauthorized versions of Cobalt Strike popping up in the wild very soon.

"Vermilion Strike is not the only Linux port of Cobalt Strike's Beacon. Another example is the open-source project geacon, a Go-based implementation," the Intezer trio noted. "Vermilion Strike may not be the last Linux implementation of Beacon."