A re-implementation of Cobalt Strike has been “written from scratch” to attack Linux systems.
Dubbed Vermilion Strike, the new variant leans on Cobalt Strike functionality, Intezer said on Tuesday, including its command-and-control (C2) protocol, its remote access functionality, and its ability to run shell commands.
Cobalt Strike is a legitimate penetration testing tool for Windows systems. Released in 2012, the tool has been constantly abused by threat actors including advanced persistent threat (APT) groups such as Cozy Bear and campaigns designed to spread Trickbot and the Qbot/Qakbot banking Trojan.
Cobalt Strike’s source code for version 4.0 was allegedly leaked online; however, most threat actors tracked by cybersecurity teams appear to rely on pirated and cracked copies of the software.
Until now, at least.
In August, Intezer uncovered the new ELF implementation of Cobalt Strike’s beacon, which appears to have originated from Malaysia.
When the researchers reported Vermilion Strike, it
The article Cybercriminals recreate Cobalt Strike in Linux originally appeared on ZDNet.