An unofficial hacker-built Linux version of a Cobalt Strike beacon has been identified by cybersecurity researchers being actively deployed in attacks aimed at international organisations. The threat operator behind the development remains unknown, but experts have confirmed that this version of Cobalt Strike has been custom-built from the ground up.

Corruption of a useful cybersecurity tool

A legitimate tool designed for penetration testing, Cobalt Strike is used as a framework by cybersecurity experts acting as attackers. Known as “Red Teams”, these groups probe their company’s infrastructure and defences, seeking out potential vulnerabilities, back doors and other gaps in security. However, Cobalt Strike has also been witnessed being used by cybercriminals such as ransomware operators, who have corrupted its original purpose and employ it to execute post-exploitation actions.

After Cobalt Strike beacons have been deployed, threat actors gain continuing remote access to the company devices that have been compromised. Utilising these beacons, ransomware gangs can later retain access to the breached servers, allowing them to exfiltrate data or deploy further malware payloads onto systems.

Over the years, copies of Cobalt Strike cracked by hackers have been acquired and shared among other threat actors, making it now among the more common weapons used in modern cyberattacks that lead to stolen data and ransomware infections.

The limitations of Cobalt Strike as a hacker tool

While Cobalt Strike has proved a useful tool for a wide range of cybercriminals, it has long had one weakness: previously, it had only ever supported devices running Windows operating systems and had not included Linux beacons. However, a new report issued by security researchers at Intezer explains how threat operators have managed to create Linux beacons that are fully compatible with the penetration-testing tool. Utilising these beacons, malicious operators can now obtain persistent access and remote command execution not just on Windows machines but on those running Linux as well.

Intezer’s research team first identified the beacon activity last month, naming it Vermilion Strike. They explained that the Cobalt Strike ELF binary discovered (as seen on VirusTotal) was entirely undetectable by today’s anti-malware solutions. While Vermilion Strike uses no part of Cobalt Strike’s code, it comes with an identical configuration format to the authentic Windows beacon and is able to communicate with any Cobalt Strike server.

“The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands, and writing to files. This new variant featuring Linux malware also includes technical overlaps with Windows DLL files, offering the same abilities as command-and-control servers, suggesting that the same hacker may be responsible. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.”
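For defenders, an identical configuration format means the config-extraction approach used on Windows beacons can be pointed at Linux samples too. The following is an added example, not code from the article or from Intezer: a small parser for the widely documented beacon config layout (a single-byte XOR over big-endian TLV records), run against a constructed blob. The XOR keys, record layout and field indices are assumptions drawn from public beacon-config parsers; the C2 string and watermark in the sample are made up.

```python
import struct

# Assumed beacon config layout (not from the article): one-byte XOR (0x69 for v3,
# 0x2e for v4 beacons) over big-endian TLV records: index(2) type(2) length(2) value.
XOR_KEYS = (0x69, 0x2E)
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 8: "C2Server", 9: "UserAgent", 37: "Watermark"}
CONFIG_START = b"\x00\x01\x00\x01\x00\x02"  # first record: index 1, short, length 2

def find_config(blob):
    """Return (xor_key, offset) of the first config marker in a file image, or None."""
    for key in XOR_KEYS:
        off = blob.find(bytes(b ^ key for b in CONFIG_START))
        if off != -1:
            return key, off
    return None

def parse_config(blob):
    """Decode the TLV records into a {field_name: value} dict ({} if no config found)."""
    hit = find_config(blob)
    if hit is None:
        return {}
    key, off = hit
    data = bytes(b ^ key for b in blob[off:])
    fields, pos = {}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        pos += 6
        if idx == 0:  # an index of 0 ends the record list
            break
        raw = data[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT:
            val = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT:
            val = struct.unpack(">I", raw)[0]
        else:  # TYPE_DATA: NUL-padded string fields such as C2Server ("host,/uri")
            val = raw.split(b"\x00", 1)[0].decode("latin-1")
        fields[FIELD_NAMES.get(idx, f"field_{idx}")] = val
    return fields

def build_sample():
    """Constructed test image (not a real sample): a v4-style config inside an ELF-like shell."""
    recs = [(1, TYPE_SHORT, struct.pack(">H", 8)),  # BeaconType 8 = HTTPS
            (2, TYPE_SHORT, struct.pack(">H", 443)),
            (3, TYPE_INT, struct.pack(">I", 60000)),
            (8, TYPE_DATA, b"c2.example.invalid,/api/v1".ljust(256, b"\x00")),
            (37, TYPE_INT, struct.pack(">I", 0x12345678))]
    body = b"".join(struct.pack(">HHH", i, t, len(v)) + v for i, t, v in recs) + b"\x00" * 6
    return b"\x7fELF" + b"\x00" * 16 + bytes(b ^ 0x2E for b in body) + b"\x00" * 8
```

The extracted C2 host, port and watermark are the values a responder would turn into blocklist entries and hunting queries across both Windows and Linux fleets.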