Summary
In August 2021, a group of malware researchers identified a sample in the wild that was a stealthy executable and linkable format (ELF) reimplementation of Cobalt Strike's beacon. The group named this malware Vermillion Strike. By reusing Cobalt Strike's command and control (C2) protocol to contact the C2 server, Vermillion Strike gained remote access capabilities: writing to files, running shell commands, and uploading files. The researchers believe an entity (or entities) in Malaysia uploaded the Vermillion Strike malware.
Implementation of Cobalt Strike by Threat Actors
Cobalt Strike Beacon is the agent component of Cobalt Strike, a threat emulation tool used on Windows and Linux systems to test whether an organization can detect an intrusion.
Developed as a rigorous penetration testing tool, the Cobalt Strike Beacon proved to be an outstanding asset for compromising systems during a penetration testing engagement. Unfortunately, the same qualities that made the Cobalt Strike Beacon so successful also let threat actors use a port of the beacon to covertly infiltrate and attack systems.
Vermillion Strike is considered one of the most widespread and stealthy threats built on previously unseen code. Threat actors quickly found the Cobalt Strike Beacon attractive for hacking purposes because it merges assorted exploitation capabilities. The more exploitation techniques a piece of malware incorporates, the more options an attacker has when operating it.
The resulting malware produced by this sophisticated feat of reverse engineering is Vermillion Strike.
YARA Rules and Vermillion Strike
Used by red teams with the intent to conduct espionage, Vermillion Strike is a completely original malware code base that allows threat actors to remotely extract, manipulate and manage system data without being detected. The group that initially discovered Vermillion Strike states that the malware shares strings with Cobalt Strike that trigger several YARA rules. Written in a small rule language, YARA rules identify malware samples by describing malware families according to their binary or textual patterns.
YARA rules cannot be relied on to detect Vermillion Strike on their own. Instead, those rules classify the samples as Cobalt Strike Beacon or other malware, which lets Vermillion Strike continue running undetected in the background. Vermillion Strike essentially opens backdoors on Linux, Mac, and Windows machines.
What Happens to Systems Infected with Vermillion Strike?
Command and control is carried over both HTTP and DNS, but instructions are mostly executed over DNS to avoid standard defenses that scan HTTP traffic. Commands are received through TXT records and the returned DNS address. Initially, the beacon obtains an IP address by making DNS queries for hard-coded subdomains. Because Vermillion Strike does not interfere with the resolution of those IP addresses, the IP address returned in response to a command does not by itself change how the beacon behaves.
Vermillion Strike not only uses separate threads to perform remotely controlled tasks but also lets threat actors avoid suspicion by using a semaphore to schedule those tasks. In addition, Vermillion Strike can interact with command and control servers via Internet Control Message Protocol (ICMP) ping messages. Legitimate functions of ICMP include reporting network errors, timeouts and congestion, and supporting troubleshooting.
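A defender-side illustration of the DNS behaviour described above: a beacon that pulls commands from TXT records under a hard-coded parent domain produces many TXT lookups and many distinct subdomains from one client. The script below is an added example, not code from the original article or from the researchers who analysed the malware; the resolver log lines, the domain names and the thresholds are all constructed assumptions.

```python
"""Flag clients whose DNS queries resemble beacon-style DNS command and control:
repeated TXT lookups under one parent domain plus many distinct subdomains.
The log format, sample lines and thresholds are constructed for this example."""
from collections import defaultdict

# Constructed resolver log: "<epoch> <client_ip> <qtype> <qname>" (not a real capture).
SAMPLE_LOG = """\
1630000001 10.0.0.5 A www.example-corp.com
1630000002 10.0.0.7 TXT a1.beacon-c2.example
1630000003 10.0.0.7 TXT a2.beacon-c2.example
1630000004 10.0.0.7 TXT a3.beacon-c2.example
1630000005 10.0.0.7 A a4.beacon-c2.example
1630000006 10.0.0.7 TXT a5.beacon-c2.example
1630000007 10.0.0.7 TXT a6.beacon-c2.example
1630000008 10.0.0.5 TXT _dmarc.example-corp.com
1630000009 10.0.0.9 A mail.example-corp.com
"""

def parent_domain(qname: str) -> str:
    """Crude registered-domain guess: the last two labels (assumption, no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_log(text: str):
    """Yield (client, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower()

def find_dns_c2_candidates(text: str, txt_min: int = 5, sub_min: int = 5):
    """Return {(client, parent_domain): {"txt": n, "subdomains": m}} for every
    client/domain pair that crosses either threshold (thresholds are tuning assumptions)."""
    txt_count = defaultdict(int)
    subdomains = defaultdict(set)
    for client, qtype, qname in parse_log(text):
        key = (client, parent_domain(qname))
        if qtype == "TXT":
            txt_count[key] += 1
        subdomains[key].add(qname)
    hits = {}
    for key in subdomains:
        n_txt, n_sub = txt_count[key], len(subdomains[key])
        if n_txt >= txt_min or n_sub >= sub_min:
            hits[key] = {"txt": n_txt, "subdomains": n_sub}
    return hits

if __name__ == "__main__":
    for (client, dom), stats in find_dns_c2_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {dom}: {stats}")
```

On the constructed log only 10.0.0.7 is flagged; the single DMARC TXT lookup from 10.0.0.5 stays below both thresholds, which is the false-positive case the thresholds are meant to absorb.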
Once Vermillion Strike has compromised a network, remote threat actors can do all of the following:
- Upload files to command and control
- Write to files
- Run shell commands
- List files
- Modify working directory
- Access the current working directory
- Run commands with the popen() function, which starts another process or program
To reduce the risk of Vermillion Strike infecting systems, security researchers recommend that organizations:
- Keep systems updated and patched across all devices and servers
- Implement/update signature detection software
- For Linux systems, disable the root account, which gives attackers an easy way to read, write and execute unauthorized files
- Secure SSH logins with key-based authentication using an encrypted SSH key
However, these actions alone do not provide the kind of resolute defense found in the cybersecurity SaaS product provided by Cyber Threat Sensor AI.
Protecting Your Company with Cyber Threat Sensor: 10 Benefits of CTS-AI
Global organizations know they can depend on our proprietary Cyber Threat Sensor-AI (CTS-AI) to provide the following benefits essential for protection against Vermillion Strike:
- Enforcement of secure account password policy
- Isolation of crucial resources, functions, and systems within network architecture
- Multi-factor authentication (MFA) significantly increases security if one credential is infiltrated. MFA requires threat actors to overcome a second authentication demand before they can hack into a system.
- Detection and prevention of unauthorized behavior emerging on endpoint systems
- Meticulous scanning and auditing of systems, insecure configurations/software, and permissions to identify weaknesses
CTS-AI is powered by artificial intelligence to detect and respond to malware attempting to compromise cloud-based data and AWS applications. Our GTIC implements automated indicator sharing to robustly support our threat detection service administration. In addition, Cyber Threat Sensor's GTIC provides proactive clarity to greatly enhance threat detection, fully supporting our Managed Security Services protecting our customers' sensitive data and systems.
We also strongly recommend MITRE ATT&CK mitigations to substantially reduce the risk of a Cobalt Strike compromise. For example, vulnerability scanning rapidly detects possible vulnerabilities in software that threat actors can exploit. Employee training classes should be scheduled to help users recognize signs of attackers attempting to manipulate, access, or otherwise infiltrate systems through tactics such as spear phishing and phishing, pretexting, baiting, social engineering, voice phishing (vishing), quid pro quo, and tailgating. When employees remain aware and up to date on the latest techniques used by threat actors to install malware on company systems, the company can greatly reduce the financial and reputational consequences of an unauthorized intrusion.