Hackers Alter Cobalt Strike Beacon to Target Linux Environments

A significant part of hacking consists of diverting the function of existing systems and software, and hackers often use legitimate security tools to perform cyber attacks.

Pentesting tool Cobalt Strike has been one such target, but what happened recently with a Red Hat Linux version of the Cobalt Strike Beacon is worthy of note. According to cybersecurity researchers, it could be the work of an advanced threat actor.

How is Cobalt Strike Beacon Used in Cyberattacks?

Cobalt Strike is an exploitation platform. The idea is to emulate attacks from advanced adversaries and potential post-exploitation actions.

You can see it as a framework used by security teams for test purposes and threat groups. The software creates connections (using Cobalt Strike servers) to attack networks. In addition, it contains tons of components that are pretty convenient and customizable.

The beacon is the client. That’s why attackers have to install it on the targeted machine, which usually happens after exploiting a vulnerability. If the attack succeeds, hackers can maintain a persistent connection between the beacon and Cobalt Strike rogue servers, sending data periodically.

A New Variant of Cobalt Strike

Cobalt Strike Beacon Linux enables emulation of advanced attacks to a network over HTTP, HTTPS, or DNS.

It provides a console where you can open a beacon session and enter specific commands. The console returns command output and other information. Users get access to a status bar and various menus that extract information and interact with the target’s system.

Beacon’s shell commands are handy for performing various injections, remote command executions, and unauthorized uploads and downloads.

The skilled hackers who implemented this Linux variant achieved tremendous success. Their version has a scary ability to remain undetected. It can get disk partitions, list, write and upload files, and execute commands as well.

The malware has been renamed Vermilion. The name vermillion came from the Old French word vermeillon, which was derived from vermeil, from the Latin vermiculus, the diminutive of the Latin word vermis, or worm.

How Does a Beacon Attack Work?

The Cobalt Strike’s Command and Control (C2) protocol was apparently the heart of the attack. It’s a DNS-based communication that helps circumvent classic defense mechanisms that focus on HTTP traffic.

Instead of translating the DNS request into an IP address, which is the normal behavior with hostnames, the malware can base64 encode hidden tasks in an AES encrypted struct and send everything in a DNS TXT query to hardcoded subdomains. Once the beacon gets the signal, it decrypts the struct to perform the unauthorized tasks.

The malware can configure the beacon automatically. It executes tasks in separate threads asynchronously by scheduling jobs, which prevents any crashes.

Vermillion Strike Pushes the boundaries

Fox-IT researchers found a bug in Cobalt Strike in 2019 that defenders could exploit to identify attacker servers.

Many blue teams (defenders) have created specific alerts to fight against red teams (attackers that work for the same company), criminal organizations, and state-sponsored groups that use Cobalt Strike Servers, and some say it could be due to that bug.

You should note that a patch is available to license holders now, but, of course, not to hackers pirating the software. In addition, Cobalt Strike is supposed to be a Windows-only malware.

Unfortunately for defenders, Vermillion Strike seems to have removed all limitations.

Vermillion Strike can communicate with all Cobalt Strike servers because it uses the same configuration format as the official Windows beacon. It can now apply to an extensive range of servers and networks.

VirusTotal Failed to Detect the Malware

When Intezer researchers used VirusTotal to test the Cobalt Strike ELF binary with the scanner, it failed to detect the threat.

Based on telemetry, the researchers discovered the attack targeted various sectors such as telecom companies, government agencies, financial institutions, and advisory companies worldwide since last month.

What makes this attack impressive is not the port to Linux, even if it’s undeniably rare and noticeable, but more the use of the malware in actual attacks on multiple targets, including security-aware organizations.

A New Weapon for APTs

Advanced Persistent Threats (APT) are particularly sophisticated actors who can maintain undetected, unauthorized access for months and even years.

A Linux variant of a dangerous malware with a very low detection rate can be considered a persistent threat. This new malware likely benefits advanced threat actors.

Besides, the limited scope of the attack and the fact that Vermillion Strike has not been found in any other attacks, at least for now, also suggests advanced actors, like criminal organizations or state-sponsored hackers.

In any case, Intezer experts predict this won’t be the last Linux variant, as Linux servers are prevalent in cloud computing environments.

Further reading: Top Vulnerability Management Tools for 2021

Julien Maury
Julien Maury is a backend developer, a mentor and a technical writer. He loves sharing his knowledge and learning new concepts.

Top Products

Top Cybersecurity Companies

Related articles