Attackers Made Linux Cobalt Strike Beacon Utilized in recent Attacks

An unauthorized Cobalt Strike Beacon Linux version made by unknown threat actors from scratch has been addressed by a security investigator while currently utilized in attacks targeting various companies across the world. Cobalt Strike is an appropriate penetration testing tool designed as an attack framework for red teams (Groups of various Security Professionals who behave like an attacker on their own org’s framework to discover security gaps and vulnerabilities).

Cobalt Strike is also utilized by threat actors generally dropped in ransomware attacks for post-exploitation tasks after deploying so-called beacons, which facilitate constant remote access to negotiated devices. Using beacons, threat actors can later access hijacked servers to harvest information or set up further malware payloads.

Over time, the damaged copies of Cobalt Strike have been generated and transmitted by threat attackers, becoming one of the most general tools utilized in Cyberattack leading to data hijack and ransomware. However, Cobalt Strike has always had a weakness – it only supports Windows devices and does not include Linux beacons.

In advance news of Cobalt Strike, investigators explained how attackers have taken it upon themselves to create their Linux beacons consistent with Cobalt Strike. Utilizing these beacons, threat actors can achieve persistence and remote command execution on both Windows and Linux machines.

Undiscovered in VirusTotal

Intezer investigators, who first addressed the beacon re-implementation in August and dubbed it Vermilion Strike, said that the Cobalt Strike ELF binary they discovered is actively fully unpatched by anti-malware solutions.

Vermilion Strike comes with a similar configuration format as the official Windows beacon and can speak with all the Cobalt Strike servers, but does not use any of the Cobalt Strike’s code. This new Linux malware also features technical overlaps the similar functionality and command-and-control servers with Windows DLL files advising at the same developer.  


“The crafty sample utilizes Cobalt Strike’s Command and Control (C2) protocol when transmitting to the C2 server and has Remote Access capabilities such as uploading files, executing shell command and writing to the files.” The malware is completely undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.”

Vermilion Strike can execute the following tasks once set up on a negotiated Linux system:

  • Change working directory
  • Get current working directory
  • Append/write to file
  • Upload file to C2
  • Execute command through open
  • Get disk partitions
  • List files

Expanding in Current Attacks since August

Using telemetry data facilitated by McAfee Enterprise ATR, Intezer also discover multiple orgs targeted using Vermilion Strike since August 2021 from various industry sectors ranging from telecom companies and government agencies to IT companies, financial institutions, and advisory companies worldwide.

It’s also worth considering that Vermilion Strike is not the primary or only port of Cobalt Strike’s Beacon to Linux, with geacon, an open-source Go-based implementation, publicly available for the last two years.

However, as Intezer told our experts, “this is the first Linux implementation that has been used for real attacks.” Unluckily, there is no information on the first attack vector the attackers use to target Linux systems.

“The composure of this warning, its purpose to handle espionage, and the truth that the code hasn’t been seen before in other attacks, collectively with the fact that it targets specific entities in the wild, leads us to conclude that this threat was developed by a skilled threat actor,” Intezer concluded.

Leave a Reply