Security News > 2021 > September > Hacker-made Linux Cobalt Strike beacon used in ongoing attacks
An unofficial Cobalt Strike Beacon Linux version made by unknown threat actors from scratch has been spotted by security researchers while actively used in attacks targeting organizations worldwide.
Cobalt Strike is also used by threat actors for post-exploitation tasks after deploying so-called beacons, which provide persistent remote access to compromised devices.
Cobalt Strike has always had a weakness - it only supports Windows devices and does not include Linux beacons.
In a new report by security firm Intezer, researchers explain how threat actors have taken it upon themselves to create their Linux beacons compatible with Cobalt Strike.
Intezer researchers, who first spotted the beacon re-implementation in August and dubbed it Vermilion Strike, said that the Cobalt Strike ELF binary [VirusTotal] they discovered is currently fully undetected by anti-malware solutions.
Vermilion Strike comes with the same configuration format as the official Windows beacon and can speak with all Cobalt Strike servers, but doesn't use any of Cobalt Strike's code.
News URL
Related news
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- 390,000 WordPress accounts stolen from hackers in supply chain attack (source)
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)
- Russian hackers use RDP proxies to steal data in MiTM attacks (source)