An unofficial hacker-built Linux version of a Cobalt Strike beacon has been identified by cybersecurity researchers being actively deployed in attacks aimed at international organisations.

The threat operator is behind the development remains unknown, but experts have confirmed that the version of Cobalt Strike has been custom-built from the ground up.

Corruption of a useful cybersecurity tool

A legitimate tool designed for penetration testing, Cobalt Strike is used as a framework by cybersecurity experts acting as attackers. Known as “Red Teams”, these groups probe their company’s infrastructure and defences seeking out potential vulnerabilities, back doors, and other gaps in security.

However, Cobalt Strike has also been witnessed being used by cybercriminals such as ransomware operators who have corrupted its original purpose, before employing it to execute post-exploitation actions.

After Cobalt Strike beacons have been deployed, threat actors are empowered with continuing remote access to company devices that have been compromised. Utilising beacons, ransomware gangs can later enjoy access to breached servers, allowing them to exfiltrate data or deploy more malware payloads onto systems.

Over the years, copies of Cobalt Strike that have been cracked by hackers have been acquired and shared among other threat actors, making it now among the more common weapons used in modern cyberattacks that lead to stolen data and ransomware infections.

The limitations of Cobalt Strike as a hacker tool

While Cobalt Strike has proved a useful tool for a wide range of cybercriminals, it has long had one weakness – previously, it had only ever supported devices using Windows operating systems and had not included Linux beacons.

However, a new report issued by security researchers at Intezer has explained how threat operators have managed to create Linux beacons that are fully compatible with the penetration tester. Utilising these beacons, malicious operators can now obtain persistent access and remote command execution on not just Windows machines but those running Linux as well.

Intezer’s research team first identified the beacon activity last month, entitling it Vermilion Strike. They explained that the Cobalt Strike ELF binary (also known as VirusTotal) discovered was entirely undetectable by today’s anti-malware solutions.

While Vermilion Strike uses no part of Cobalt Strike’s code, it comes with an identical configuration format to the authentic Windows beacon and is able to communicate with any Cobalt Strike server.

Intezer commented:

“The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands, and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.”

This new variant featuring Linux malware also includes technical overlaps with Windows DLL files, offering the same abilities as command-and-control servers, suggesting that the same hacker may be responsible.

Vermilion Strike is able to perform numerous tasks after being deployed on a Linux system that has been compromised. These include changing the working directory, uploading a file to a C2server, and the ability to append and write to file among others.