Vermilion Strike: Linux and Windows Re-implementation of Cobalt

Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike Key Findings -Discovered Linux & Windows re-implementation of Cobalt Strike Beacon written from scratch -Linux malware is fully undetected by vendors -Has IoC and technical overlaps with previously discovered Windows DLL files -Highly targeted with victims including telecommunications, government and finance Cobalt Strike is a popular red team tool for Windows which is also heavily used by threat actors. At the time of this writing, there is no official Cobalt Strike version for Linux. In August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which we named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia. Based on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been active in the wild since August targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world. Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading. After further analysis, we found Windows samples that use the same C2. The samples are re-implementations of Cobalt Strike Beacon. The Windows and ELF samples share the same functionalities. The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor. In this post we will provide a technical analysis of the samples and explain how you can detect and respond to this threat. Samples: #vermilionstrike #cobaltstrike #windows #linux