The original Cobalt Strike is a penetration testing tool used by so-called red teams – and also by threat actors. There is an official version for Windows.
In a detailed blog post, Intezer's Avigayil Mechtinger, Ryan Robinson and Joakim Kennedy said they had found the software in August: a fully undetected ELF implementation of Cobalt Strike's beacon.
It was christened Vermilion Strike and the trio said it was as yet undetectable by current scanning engines on the VirusTotal database.
Last year, there were reports that the source code for Cobalt Strike had been leaked on Microsoft's software code repository, GitHub.
"The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files," Mechtinger, Robinson and Kennedy wrote.
The researchers said they had used telemetry from anti-virus vendor McAfee Enterprise ATR and concluded that this Linux sample had been active in the wild since August.
The targets were telecommunications companies, government agencies, IT companies, financial institutions and advisory companies around the world.
"Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading," they added.
Later, after further analysis, Mechtinger, Robinson and Kennedy said they had found Windows samples that used the same C2 server, adding that the Linux and Windows variants have the same functionalities.
"The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor," they said.
Mechtinger, Robinson and Kennedy also provided a technical analysis of the Linux file and its links to the Windows files, as well as indicators of compromise.