Security researchers have identified a reimplementation of the infamous Cobalt Strike Beacon payload, which features completely new code. Dubbed Vermilion Strike, the malware can be used to target Linux and Windows devices and provides attackers with remote access capabilities such as file manipulation and shell command execution.
The sophistication of this threat, its espionage intent, the fact that the code hasn’t been seen before in other attacks, and the fact that it targets specific entities in the wild together point to a skilled threat actor.
A Linux-targeting sample contains strings similar to those of previously observed Cobalt Strike variants and also triggers YARA rules designed to detect encoded Cobalt Strike configurations. The file is dynamically linked against OpenSSL and was built on Red Hat, so it can only run on machines whose Linux distribution is based on Red Hat’s code base.
C&C is mainly performed over DNS, but can be done over HTTP as well. The DNS channel is meant to evade defenses that rely on monitoring HTTP traffic. Vermilion Strike can perform tasks such as listing disk partitions, getting and changing the working directory, appending to or writing files, uploading files to the C&C server, executing commands, and listing files. The Windows implementation of the beacon carries almost the same functionality and uses the same C&C domains.
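Because the beacon prefers DNS over HTTP for C&C, a defender’s monitoring has to cover DNS query logs as well. The following is an added example, not code from the report or from the malware, of a simple heuristic triage over passive DNS logs: it flags a source host that repeatedly queries one zone with long, high-entropy leftmost labels, the pattern that data tunnelled through DNS tends to produce. The log format, IP addresses and the domain example-c2.invalid are constructed placeholders.

```python
"""Heuristic DNS-tunnelling triage over passive DNS query logs (added example).
Log line format, constructed for this example: "<ts> <src_ip> <qname> <qtype>".
All IPs and domains below are constructed placeholders, not indicators from the report."""
import math
from collections import defaultdict

# Constructed sample log: 10.0.0.5 hammers one zone with random-looking labels,
# 10.0.0.9 performs ordinary lookups.
SAMPLE_LOG = """\
1631000001 10.0.0.5 a9f3k2m7q1z8.example-c2.invalid TXT
1631000002 10.0.0.5 b7h1x4c9v2n6.example-c2.invalid TXT
1631000003 10.0.0.5 d2p8w5e1r3t0.example-c2.invalid TXT
1631000004 10.0.0.5 f6j4l0s7y9u3.example-c2.invalid TXT
1631000005 10.0.0.5 g1k8n5b2m4v7.example-c2.invalid TXT
1631000006 10.0.0.9 www.example.org A
1631000007 10.0.0.9 mail.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_zone(qname: str) -> str:
    """Crude eTLD+1 approximation: the last two labels (sufficient for this example)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_suspect_zones(log: str, min_queries: int = 5, min_entropy: float = 3.0) -> dict:
    """Return {(src_ip, zone): stats} for (host, zone) pairs whose subdomain labels
    look like tunnelled data: at least min_queries queries whose leftmost labels
    have a mean Shannon entropy of at least min_entropy bits per character."""
    per_pair = defaultdict(list)
    for line in log.splitlines():
        _ts, src, qname, qtype = line.split()
        zone = registered_zone(qname)
        sub = qname[: -len(zone) - 1] if len(qname) > len(zone) else ""
        per_pair[(src, zone)].append((shannon_entropy(sub.replace(".", "")), qtype))
    suspects = {}
    for key, obs in per_pair.items():
        mean_ent = sum(e for e, _ in obs) / len(obs)
        if len(obs) >= min_queries and mean_ent >= min_entropy:
            suspects[key] = {"queries": len(obs), "mean_entropy": round(mean_ent, 2),
                             "qtypes": sorted({q for _, q in obs})}
    return suspects
```

Thresholds are deliberately conservative and should be tuned against a baseline of the environment’s normal DNS traffic before alerting on them.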
The beacon currently has a very low detection rate, and this is especially true for the Linux variant. Vermilion Strike and other Linux malware remain a constant threat. The predominance of Linux servers in the cloud, and their continued growth, invites APTs to adapt their toolsets to that environment. Linux threats often have low detection rates compared to their Windows counterparts.