IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers develop Linux port of Cobalt Strike for new attacks

The modified version of the penetration testing toolkit can evade malware detection

Cyber criminals have developed a Linux port of the Cobalt Strike penetration testing tool that has been dubbed Vermilion Strike, security researchers have discovered.

The tool has been developed from scratch to avoid detection from malware scanners.

According to a report published by cloud security firm Intezer Labs, researchers last month discovered a fully undetected ELF implementation of Cobalt Strike’s beacon. The malware used Cobalt Strike’s Command and Control (C2) protocol when communicating to its C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files. 

Cobalt Strike is a legitimate penetration testing tool used by security teams to discover vulnerabilities within their organization.

Researchers warned that the malware is completely undetected in VirusTotal and was uploaded from Malaysia. Intezer researchers Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said that this Linux threat has been active in the wild since August, predominantly targeting telecom companies, government agencies, IT companies, financial institutions, and advisory companies around the world.

They added that the targeting was limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMFree download

Further analysis found Windows samples, using the same C2 server, which were also re-implementations of Cobalt Strike Beacon. Both Windows and Linux samples share the same functionalities. Once deployed, the malware can carry out tasks on a compromised Linux system such as changing working directory, getting the current working directory, appending/writing to file, uploading files to a C2 server, and more.

“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” the researchers said, adding that Vermilion Strike and other Linux threats remain a constant threat. 

“The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterpart,” said researchers.

The rsearchers added that Vermilion Strike is not the only Linux port of Cobalt Strike’s Beacon and gave another example as the open source project geacon, a Go-based implementation. 

“Vermilion Strike may not be the last Linux implementation of Beacon,” they warned.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download


Best free malware removal tools 2022

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide

CIAM buyer’s guide

6 Jun 2022

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse

Why India wants to become a chipmaking powerhouse

28 Jun 2022