Vermilion Strike: Linux and Windows Re-implementation of Cobalt

Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike Key Findings -Discovered Linux & Windows re-implementation of Cobalt Strike Beacon written from scratch -Linux malware is fully undetected by vendors -Has IoC and technical overlaps with previously discovered Windows DLL files -Highly targeted with victims including telecommunications, government and finance Cobalt Strike is a popular red team tool for Windows which is also heavily used by threat actors. At the time of this writing, there is no official Cobalt Strike version for Linux. In August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which we named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia. Based on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been active in the wild since August targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world. Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading. After further analysis, we found Windows samples that use the same C2. The samples are re-implementations of Cobalt Strike Beacon. The Windows and ELF samples share the same functionalities. The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor. In this post we will provide a technical analysis of the samples and explain how you can detect and respond to this threat. Samples: #vermilionstrike #cobaltstrike #windows #linux

#小菲投稿 #农景成Please help me to post this guy on behalf of my poor f

#小菲投稿 #农景成 Please help me to post this guy on behalf of my poor friend. This guy is over stay in Philippines and still working in POGO INDUSTRY at PITX,he wants to be a father to his child but she always out of reach incase of emergency,my friend brought her child to Dubai so she can find a better work for her daughter ,because ever since this child was born only my friend and her family raising the child,this man can give money whenever he wants only. A mother sacrifices for her child for the better future but this guy completely ignored my friend,my friend brother and parents now is ready to report this in pasay area,my friend now is in hospital due to car accident and her baby is with her auntie . If anyone knows this guy please tell him to get in touch as soon as possible ! I wont post all of the evidences on how you keep invalidating the feelings of your child mother but we hope you will just go to jail and get deported! 请帮我替我可怜的朋友发帖。这家伙在菲律宾逗留了很久，仍在 PITX 的 POGO 行业工作，他想成为孩子的父亲，但紧急情况下她总是联系不上，我的朋友把孩子带到了迪拜，这样她就能为女儿找到更好的工作，因为自从这个孩子出生以来，只有我的朋友和她的家人抚养孩子，这个男人想给钱就给。一位母亲为了孩子更好的未来而牺牲，但这个家伙完全无视我的朋友，我朋友的兄弟和父母现在准备在帕赛地区报告此事，我的朋友现在因车祸住院，她的孩子和她阿姨在一起。如果有人认识这个人，请让他尽快联系我！我不会发布所有证据来证明你如何不断否定孩子母亲的感受，但我们希望你进监狱并被驱逐出境！