Researchers have discovered a new Linux version of the often abused red-team Windows hacking tool Cobalt Strike Beacon that was coded from scratch and has so far eluded all VirusTotal antivirus detections. Dubbed Vermilion Strike, the ELF-formatted malware follows in the footsteps of geacon, an open-source Golang-based version of Beacon.
According to researchers at Intezer, the firm that uncovered Vermilion Strike, security professionals are likely to see more Linux-friendly versions of hacking tools and services as malicious developers rapidly respond to the trend of organizations migrating to cloud-based services and environments. That’s especially true as infosec teams struggle to detect such threats due to an overemphasis on Windows malware, a lack of effective solutions for protecting data centers, and the immaturity of sandboxes.
“The need to create malware for Linux is becoming an increasing necessity for cybercriminals,” Intezer security researcher Ryan Robinson told SC Media. “Data, operations, applications are all being hosted on the cloud now as opposed to desktop computers. This change means that cybercriminals need to modify their toolsets to operate within this Linux-dominated environment.”
Moreover, the idea of conducting Linux-based attacks against data centers is especially alluring, said Brian Baskin, manager of threat research at VMware. “Instead of infecting [one] employee's system and hoping to navigate to a high-value target, they are targeting the entirety of systems within an organization. A single compromised server can impact hundreds of endpoints at once,” he explained.
Developers who already have the source code for the Windows version of a weaponized tool or malware program can more easily pivot to creating a Linux version because “a lot of the logic involved can stay the same and the only parts that need to be changed are those that interact with the operating system directly,” Robinson added. “This reduces the development time instead of having to write malware from scratch.”
For good measure, the creators of Vermilion Strike also created their own Windows-based re-implementation of the tool. Having both implementations in their possession would allow users to more easily target and compromise hybrid organizations that operate on a mix of Windows and Linux, said Robinson. “Both the Windows and Linux versions [of Vermilion Strike] contact the same IP address. This means that the attacker does not have to create a separate [C2] infrastructure for Linux and for Windows. It streamlines their operations,” he explained.
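The shared command-and-control address Robinson describes is also a pivot point for defenders: if a Windows host and a Linux server inside the same network both talk to one external address that nothing else explains, that address deserves a look regardless of which implant produced the traffic. The following is an added illustration, not code from Intezer or from the article; the log format, hostnames, addresses (drawn from the RFC 5737 documentation ranges) and allowlist are all constructed.

```python
"""Find external destinations contacted by both Windows and Linux hosts.

Added example. The log lines, hostnames, IPs and allowlist below are
constructed; none of them are real Vermilion Strike indicators.
"""
from collections import defaultdict

# Constructed proxy/netflow-style records: timestamp, source host, OS, dst IP, dst port
LOG_LINES = """\
2021-09-01T10:00:01Z win-ws-17   windows 203.0.113.10  443
2021-09-01T10:00:07Z web-srv-03  linux   203.0.113.10  443
2021-09-01T10:01:12Z win-ws-22   windows 198.51.100.5  443
2021-09-01T10:02:40Z db-srv-01   linux   203.0.113.10  443
2021-09-01T10:03:15Z win-ws-17   windows 192.0.2.30    80
2021-09-01T10:04:00Z build-srv-02 linux  192.0.2.30    80
"""

# Constructed allowlist: destinations every host is expected to reach
# (a package mirror, an update service). Keep it short and reviewed.
KNOWN_GOOD = {"192.0.2.30"}


def parse_line(line: str) -> dict:
    """Split one whitespace-separated record into a dict."""
    ts, host, os_name, dst, port = line.split()
    return {"ts": ts, "host": host, "os": os_name.lower(), "dst": dst, "port": int(port)}


def shared_destinations(lines: str, allowlist=frozenset(KNOWN_GOOD)) -> dict:
    """Return {dst_ip: {os_name: [hosts...]}} for destinations reached from
    both a Windows host and a Linux host and not on the allowlist."""
    by_dst = defaultdict(lambda: defaultdict(set))
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_dst[rec["dst"]][rec["os"]].add(rec["host"])

    shared = {}
    for dst, hosts_by_os in by_dst.items():
        if dst in allowlist:
            continue
        if hosts_by_os["windows"] and hosts_by_os["linux"]:
            shared[dst] = {os_name: sorted(hosts) for os_name, hosts in hosts_by_os.items()}
    return shared


if __name__ == "__main__":
    for dst, hosts in shared_destinations(LOG_LINES).items():
        print(f"{dst}: windows={hosts['windows']} linux={hosts['linux']}")
```

Run on the constructed lines, only `203.0.113.10` is reported: `192.0.2.30` is allowlisted and `198.51.100.5` is reached from Windows hosts alone. The allowlist matters in practice, since shared infrastructure such as update mirrors would otherwise dominate the output.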
Though it has legitimate purposes, Cobalt Strike is a popular post-exploitation pen testing tool that attackers can use to further compromise a victim with its Beacon agent. The addition of a new Linux version further complicates the threat landscape because it makes the prospects of detection even less likely. Robinson said this is because the endpoint security market remains largely focused on Windows endpoints, despite Linux becoming more prominent of late.
“Windows desktop users make up most of the total desktop market share, compared to the roughly 2% market share held by Linux desktop users,” said Robinson. “Security companies try to adapt their Windows tools to fit the Linux platform but Linux is very different. These solutions are not as effective at detecting Linux threats, but they also tend to slow down performance, which is why companies are hesitant to install EDRs/AVs on their cloud systems. After all, the reason for moving to the cloud is speed and scalability.”
This philosophy could change, however, as cloud adoption becomes even more popular and common. IT departments know full well that servers in the cloud are “cheaper to develop through Linux” because the OS is open-source and free, said Robinson. Plus, Linux is more convenient for developers because “many best practices in software development, such as creating containers and new technology, are designed to work on Linux.”
Another reason it’s hard to detect Linux threats is due to “the immaturity of Linux malware analysis sandboxes,” combined with the fragmented nature of Linux distributions, Robinson added.
“A malware compiled for Red Hat might not be able to execute on an Ubuntu distro. Sandboxes might try to run malware unsuccessfully due to this issue and therefore not detect any malicious activity,” Robinson noted. (The sample of Vermilion Strike that Intezer found was built on a Red Hat Linux distribution.)
Baskin also noted that security pros don’t have nearly as many options to protect their Linux-based data centers as they do their endpoints. “The realm of data center maintenance has evolved to be a very specific, rare skillset,” he added.
Another problem that impedes detection is that it can be difficult to distinguish malicious attacks from legit activity: “Recent behavior shows a move from very targeted attacks by sophisticated adversaries that leveraged Linux operating system internals to simpler malware that uses built-in commands used regularly for controlling the services,” said Baskin. “This raises the issue that many malicious attacks that use built-in tools mimic a legitimate system administrator. There is little difference between the operations of an adversary and those of an advanced system administrator. Due to this, the behavior that can be targeted as malicious by security solutions is very limited.”
To help address some of these challenges, Robinson suggested relying on signatures or detection based on string-based attributes. “Even as the code may completely change from porting a Windows sample over to Linux, some of the strings and configuration profiles stay the same, which can be detected,” he said. Moreover, he recommended improving the sandboxing for Linux such that threats can be “dynamically analyzed and unpacked. This may come in the form of creating a more diverse set of environments with different Linux distributions in which to execute Linux files.”
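Robinson's point is that a port changes the code but often not the embedded strings or configuration-profile values, so a string-level check can catch a sample that a code-level signature misses. The block below is an added illustration of that approach and is not code from Intezer or the article: it confirms the ELF magic, pulls printable strings from a binary blob, and matches them against a small signature set. Every signature and the sample bytes are constructed placeholders; none of them are real Vermilion Strike indicators, and a production rule would carry the strings a vendor actually published.

```python
"""String-based triage of a Linux binary (added example; placeholder data).

The signatures and samples are constructed for illustration. They are NOT
real Vermilion Strike or Cobalt Strike strings.
"""
import re

ELF_MAGIC = b"\x7fELF"

# Constructed placeholder indicators. Real rules would use vendor-published
# strings or Beacon profile values; these exist only to exercise the code.
SIGNATURES = {
    "profile_marker": re.compile(re.escape(b"EXAMPLE_PROFILE_MARKER")),
    "c2_uri": re.compile(rb"/example-c2-path/[A-Za-z0-9]{4,}"),
    "user_agent": re.compile(rb"ExampleBeaconAgent/\d+\.\d+"),
}


def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def match_signatures(data: bytes) -> dict:
    """Return {signature_name: [matched strings]} for every signature that hits."""
    hits = {}
    for name, rx in SIGNATURES.items():
        found = sorted({m.group().decode("ascii", "replace") for m in rx.finditer(data)})
        if found:
            hits[name] = found
    return hits


def triage(data: bytes, min_hits: int = 2) -> dict:
    """Combine the file-type check with string matches into a simple verdict.
    Requiring several independent hits keeps one coincidental string from
    flagging a benign binary."""
    hits = match_signatures(data)
    return {
        "is_elf": is_elf(data),
        "string_count": len(extract_strings(data)),
        "hits": hits,
        "suspicious": is_elf(data) and len(hits) >= min_hits,
    }


def build_sample(embedded: list) -> bytes:
    """Constructed stand-in for a binary: ELF magic, filler, embedded text
    separated by non-printable bytes. Not a valid, loadable ELF file."""
    body = b"\x00" * 64
    for text in embedded:
        body += text + b"\x00" + bytes(range(1, 16))
    return ELF_MAGIC + b"\x02\x01\x01" + body


# Constructed samples for the demonstration.
SUSPICIOUS_SAMPLE = build_sample([
    b"GET /example-c2-path/a1b2c3d4 HTTP/1.1",
    b"User-Agent: ExampleBeaconAgent/1.0",
    b"EXAMPLE_PROFILE_MARKER",
])
BENIGN_SAMPLE = build_sample([b"usage: hello [--name NAME]", b"Hello, world"])
NOT_ELF_SAMPLE = b"MZ" + SUSPICIOUS_SAMPLE[2:]  # same strings, not an ELF header

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SAMPLE),
                        ("benign", BENIGN_SAMPLE),
                        ("not-elf", NOT_ELF_SAMPLE)):
        print(label, triage(blob))
```

The same matching logic transfers to a YARA rule, which is the usual way to ship such strings to scanners; the value of the approach, as the article notes, is that the strings survive the port even when the surrounding code does not. Packed or encrypted samples will not expose these strings statically, which is where the sandbox improvements Robinson mentions come in.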
Robinson also suggested that the security community keep an eye on other open-source Linux malware projects in development, as well as research surrounding these tools. “Information such as this can be leveraged to create a Linux tool that contacts a Cobalt Strike server. These types of resources can greatly help the security community implement defenses and detections of their own,” he said.
Indeed, Baskin agreed that more extensive research of modern Linux-based attacks, and adversary behavior, is needed. “Providing security practitioners with the right visibility and tools to monitor the environment, understanding what is normal and either leveraging existing detections or creating very organization-specific preventions is the key to minimizing the successfulness of these tools,” he said.
In collaboration with McAfee Enterprise ATR, Intezer has determined that Vermilion Strike has been active in the wild since August 2021. In a company blog post, Intezer reports that the malware has been used against telecom companies, government agencies, IT companies, financial institutions and advisory companies in limited targeted attacks taking place globally.
"The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor," the report states.