Security research company, Intezer, has detected a Linux based unofficial Cloud strike beacon that seems to be targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world. This Cloud Strike beacon has been custom coded from scratch by hackers. It was first detected and seem to have been uploaded from Malaysia. The company has named this beacon -Vermilion Strike.
Until now, Cloud Strike is being used by penetration testers for malware attacks on networks and hosts. It did not have a Linux based beacon. The newly detected Linux based beacon works on a Red Hat distribution. It also complies with Windows based beacon. The threat actors have made the new beacon attacks broaden with Linux and Windows based launch of attacks.
The bad part about this latest threat is that it is not detected by Virus Total, the biggest malware scanner engine on the world. And, it has been at play since August. The threat level is high since the intent of the beacon may include espionage and theft of critical and proprietary data. This is a really a covert operation with a high level impact for the Governments and companies with multi-nation operation.
Most reliable and top level malware scanners are unable to find the beacon file generated on the Linux platform. Intezer, was however, able to detect the beacon at work. Both, Linux and Windows versions of the Vermilion strike can be detected by Intezer. You may read how the beacon attaches itself to hosts and attacks the target in the detailed study posted by Intezer on its blog. Intezer has devised a tool that will detect the latest Cloud Strike beacon.
This is what Intezer stated on its study –
Based on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been active in the wild since August targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world. Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading.
After further analysis, we found Windows samples that use the same C2. The samples are re-implementations of Cobalt Strike Beacon. The Windows and ELF samples share the same functionalities.
The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor.
This beacon can pose threats by:
This beacon runs targeted tasks in a separate thread and it could:
- Change working directory
- Get current working directory
- Append/write to file
- Upload file to C2
- Execute command via popen
- Get disk partitions
- List files
Continuous monitoring is the only available safeguard against the Cobalt Strike’s Vermillion strike beacon. On its part, Intezer has posted possible resolution of the threat through the following approach:
If you are a victim of this operation, take the following steps for attack mitigation:
Kill the process and delete all files related to the malware.
Make sure that your machine is clean and running only trusted code using a runtime security platform like Intezer Protect, or use Intezer Analyze Endpoint Scanner for Windows systems.
Make sure that your software is up-to-date with the latest versions and security patches and configured to security best practices.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.