
Okay, it's 1:30 and we have two amazing speakers here, Avi and Ryan. They work at Intezer, I believe, and they're also security researchers on malware, so that should be fun. And it's a Cobalt Strike Beacon type, right, implementation, re-implementation? Okay, here you go, we're here to explain about it. Okay, cool.

So hi everybody, we're very excited to be here. Welcome to "The Rise of Vermilion Strike", a Cobalt Strike Beacon targeting Linux and Windows. This talk is based on research we conducted during August '21. I'm Avigayil, I'm a product manager at Intezer. Before that I was part of the research team and I focused on malware analysis and threat hunting. Thank you very much.

I'm Ryan, I'm a researcher with Intezer. In my previous roles I was a security engineer and a researcher on the Anomali Threat Research team. First, the agenda of what we're going to be talking about today. So, Cobalt Strike itself, because the popularity of this tool is really why Vermilion Strike has come about, so a bit of background around that is good to understand. Then Avi is going to talk about the Linux malware threat landscape, so, you know, why is Linux being targeted and who is targeting it. And then we're going to talk about Vermilion Strike in more detail itself, so the background and then a brief technical analysis of some of the code that's inside it, and then there's some stuff that we can actually learn from that and we'll chat about that, and then we'll wrap up the talk as well at about 25 minutes.

So what is Cobalt Strike? If you look at the website or the marketing material it says it's software for adversary simulations and red team operations. If that doesn't really clear it up for you, the way I'd phrase it is that it's a malware framework, and it doesn't include just the actual malware payload itself, but the command and control infrastructure around it comes with it, and clients that generate payloads, and also it's basically the full capabilities you would need in simulating adversary stuff.

So the components inside it: there's the Beacon, and the Beacon comes in two parts, there's a stager and then there's the full backdoor. What the stager is, it's usually a small piece of shellcode that will reach out to a C2 server, and then it'll download the main backdoor and execute that in memory. Now, not every attack uses a stager, you can have something just go straight in with the backdoor, but it's slightly easier to detect. There are things called loaders, and what loaders are is there's just a huge amount of code snippets or scripts that you can take as a loader and that will either execute a stager or a backdoor, to sort of help you. Then there's the team server, which I'd say is basically just the whole command and control infrastructure of Cobalt Strike, and you log into the team server using the client, and the client is what you see in the screenshot there, and that's where you generate your payloads from. So that's, in short, what Cobalt Strike looks like at a high level.

It's very, very popular, so it has great features: hard to detect, often in-memory payloads, pretty easy to configure, swap out C2s, things like that for payloads. So basically whatever target you're trying to go for, you can get quite a lot of payloads to handle each specific case. Command and control is handled, everything's encrypted and all, you don't really need to implement that yourself. And I'd say it's hard to attribute, and more so the reason for that is that there are now so many people using Cobalt Strike that it creates a bit of a Spartacus effect, where you can't really tell out of the noise who exactly this is.

So here are the intended users of Cobalt Strike. The real intended users are red teams, and red teams will get a licensed version from the maintainers and they'll use that to simulate attacks on their company, and then what they learned from those attacks, they can patch those vulnerabilities. But unfortunately we also have adversaries that use Cobalt Strike as well, and what they will get is not a licensed version usually, but a cracked version that they'll get online and then use in cyber operations. Where do they get it from? Well, quite simply, every time there's a new version of Cobalt Strike released, honestly within a matter of weeks or sometimes even days there'll be a cracked version online, and you can get this on GitHub pretty easily, and it wouldn't surprise me if it's on dark web markets or stuff that you could get over Tor as well.

So it's been in the news a lot, and honestly you don't really need to go far, you can just do a Google search and you'll see many things like this. It's been used by script kiddies up to nation-state-sponsored threat actors, and you get news stories like that, like European diplomats being targeted with it and all. I could have replaced these with a hundred different news stories, it's all over the place really.

What's the history behind Cobalt Strike on using it for Linux? Officially there is none. So the maintainers of Cobalt Strike, HelpSystems, released a blog a couple of years back basically saying this is a Windows-only payload, but it really doesn't stop a few smart programmers creating a Linux-based payload for that. So notable examples: there's one called geacon, and it uses Golang to implement Beacon, and you can have an ELF payload to that. There's another one called the CrossC2 framework. And then, really funny, there was someone on Twitter who had managed to run the Windows version of Beacon on Linux using a Wine emulator, so I think it kind of half works there. So I'll hand it over to Avigayil.

Thanks. Okay, cool, so now that we have some background about Cobalt Strike, let's talk about the Linux malware threat landscape, and this will help us to connect all the dots together. So the Linux market share in the desktop world is really, really low, it's approximately two percent. However, the situation is quite the opposite when speaking about cloud servers, where Linux is the predominant operating system, which makes sense because of the nature of it. However, this really affects the Linux malware threat landscape, because we see many, many coin miners and botnets, which again makes sense because they are designed to take advantage of computing power, and the attackers behind these malware just want to spread to as many victims as possible. So these malware usually are not targeted. Now we also see ransomware, which are usually targeted and delivered to file hosting servers such as QNAP, and ransomware for VMware ESXi servers, which can refer to RansomEXX, which was quite popular a few months ago. And lastly, less populated, let's say less frequently documented, are backdoors, which are targeted, and usually the adversaries behind these backdoors are nation states. Now the nation states that have historically been documented targeting Linux are Russia, North Korea and China. Now an interesting fact here is that most of the tools, most of the Linux malware that was developed by nation states, has at least one other version that targets other operating systems. So for example we have APT29 in Russia, which has the WellMess malware that targets both Linux and Windows. For North Korea we have the Lazarus group; they have Dacls that targets Linux, Windows and Mac, and also they have Manuscrypt that we found targeting Linux and Windows. And for China we have the Winnti group, they have backdoors for Linux and Windows, and also the BlackTech group, they have TSCookie and PLEAD, both of which were first discovered targeting Windows and after a while they were found targeting Linux as well.

Cool, so we have some background about Cobalt Strike, we have some background about Linux malware, let's connect all the dots together and talk about our research. So one day we got this sample, an ELF file, from our threat hunting tool, and we uploaded it to our system, which is Intezer Analyze, and from the analysis we saw three interesting things. This screenshot is taken from our platform, which is Intezer. So the first thing that we saw, which is super interesting: again, this is an ELF sample and it shares strings with Cobalt Strike. Now as Ryan mentioned before, there is no official version of Cobalt Strike for Linux, so this was by its own very, very interesting. Second of all, the file shared about 94% of previously unseen code. The code that we see here that is marked as Vermilion, the screenshot was taken after we marked the code. I'll just explain a bit about Intezer: Intezer has a really, really big database containing trusted and malicious code. Now every file that is uploaded to our system is divided into chunks of code and compared against our database, so the fact that the file had a very, very large percentage of previously unseen code is a huge indicator that this file might be written from scratch. And lastly we saw network-related capabilities, such as resolve DNS, socket stuff and so on, which was again really interesting, all those things together.

So in VirusTotal it had zero detections, which is not really a decisive differentiator when speaking of Linux malware, and we'll talk about that later. However, the name of the binary was a bit odd: x11 gtk. Now X11 is a graphical environment for Unix and GTK is a widget library, so it makes sense, X11 and GTK, they come together. However, when searching for the exact binary name in Google and in VirusTotal we got no results. Another interesting thing is that this file got triggered by YARA rules written by Florian Roth detecting Cobalt Strike, which kind of aligns with the string reuse that we've seen in the Intezer platform. So all of this together made us really, really happy as researchers, because we knew that we had something really interesting in our hands, and we started to dive deeper technically.

Okay, so just to dive deeper into the file, let's just jump straight in. To give a macro, high-level view: when Vermilion is executed it will daemonize itself in the background, it'll then decode its configuration, import the RSA key that it later uses for encryption, it'll fingerprint the machine and it'll start the C2 loop, which is largely what Cobalt Strike does, since it's just a re-implementation of that. So for the configuration, a simple XOR cipher with 0x69, which is quite a common value used, might be the default for one of the versions of Cobalt Strike. And what's quite interesting is, since it's the exact same configuration, as you saw with the YARA rules that fired, you can use some Cobalt Strike configuration parsers and they'll handle it completely fine even though it's sitting inside of an ELF file. And you can still see that the Windows artifacts still exist in the Linux version. So, as we were talking about before, once you start seeing stuff that's for Windows but inside an ELF file, if you're really looking for a red flag for what is suspicious, well, that's probably quite a good one. I've highlighted just at the top there that is the C2, or C2s, so there are multiple C2s configured for the file.

So when it fingerprints the machine, very simply, it collects stuff like the process ID, kernel version, network, and the user, pieces that all together in a big string and then encrypts that, and then has that staged, ready for being sent off to the C2. For command and control it is DNS and HTTP, but primarily DNS, that's what it goes for at the start. And the commands are received over A records and TXT records, so TXT as in, if the C2 wants to send information down, it will decode that and then run the command from it. What was also really interesting was that there was code inside the file for ICMP communication, but there was no way it actually got called, so it's either a feature that's still in development or else they went to develop it and then just kind of dropped it, so pretty interesting. When it came to commands, it can change the directory, it can list the present working directory, list files in your directory, it can write a file, send a file to the C2, execute a command, or it can even get a summary of the mounted disks for the machine.

So, looking at this, grabbing some IOC stuff from the configuration, you start to try to pivot, once you fully understand what the file does. So whenever we pivoted on the C2 address, or the two of them there, what we found was a Windows stager file that reached out to the same one, and when we actually ran that stager file it used PowerShell to download and execute a payload in memory, and then we found out that what that payload was, was the Windows version of Vermilion Strike. And what was pretty funny was that it had been detected back in 2019, so it was a few years later, and there was a tweet from Silas Cutler, it was a sort of interesting Cobalt Strike sample, and it turned out to be that Vermilion Strike one. The functionality is largely the same, so if you look at one of the functions, on the left it's the Linux one and then on the right the Windows version of Vermilion. So this is the code in the configuration; from a graphical, higher level it's pretty much the same as what's going on, you're able to use the same C2 for all the systems.

In the wild: so we partnered up with McAfee Enterprise ATR, we provided them IOCs and they queried them against their telemetry, and the results were quite interesting. We saw that Vermilion Strike actively targeted high-profile companies around the world; this includes advisory companies, financial institutions, IT, government agencies and telecom. Now with that being said, it was still specific, okay, we didn't see many, many samples and we didn't see many, many victims.

So as for attribution, we know that this is a backdoor, we know that it's written from scratch, we know that it targets both Windows and Linux, and it was found in live attacks around the world, but yet targeted. Now based on historical knowledge we can assess with high probability that Vermilion Strike was developed by a high-profile adversary, specifically probably a nation state; however, we couldn't attribute it to a specific one.

So the Windows version of Vermilion Strike got a nice amount of detections by security vendors in VirusTotal, but the Linux version got none, although it had string reuse with Cobalt Strike and it triggered YARA rules which I think are probably publicly available. And this raises the question of why Linux malware flies under the radar. Let me show you this screenshot taken from Ubuntu's official website. It has the title "Do I need antivirus software?" and I marked two sentences. First sentence: "Anti-virus software does exist for Linux, but you probably don't need to use it." Second: "Whatever the reason, Linux viruses are so rare that you don't really need to worry about them at the moment." So this misconception leads to low demand for Linux malware detection, which shifts security vendors away from spending time and resources on Linux detection, which leads to these scenarios. This is a Mirai sample. Mirai is one of the most popular botnets around targeting Linux; it has many variants, its source code was released publicly a while back, and the developer of this sample added a spice of sophistication and obfuscated some functions and strings, and this is the result: none of the security vendors in VirusTotal detected it. And I find this really, really disturbing, and this is one of the takeaways from our talk, that we really should spend time on detecting Linux malware; it is around, okay. And Intezer is rapidly posting blogs about it, and we're going to post another research very, very soon, I think in two or three or so. Yeah.

Okay, so as a sort of wrap-up: how would you protect yourself against Vermilion Strike? For the Windows version, it's a memory-only payload, so you have to make sure that you have antivirus or EDR, even an endpoint scanner, that's able to get that in memory. Or you can get it by the stager as well; the stager we found was also unique code, so we're pretty happy to say that if that stager is there then you're probably infected with Vermilion Strike as well. The Linux version is way more simple; there's no stager for that, it can be found on disk. Some of the Cobalt Strike methods for detection, you can use those for Vermilion Strike as well, and we saw that with the YARA rules and all. And you can also get it by the network, since it's communicating in the background with a Cobalt Strike C2, so those sort of other methods will work as well.

For predictions for the future, really, well, so for Cobalt Strike itself, it will probably remain quite a big threat for the Windows space. It's still being maintained, there's still new versions coming out, and then cracks following that pretty soon after, you can get that online, and it still seems to work pretty well. Vermilion Strike is a bit hard to say. As we found, the code for the Windows version hadn't changed since 2019, it hadn't affected too many people, but it was still active when we found it. So it's been going for a few years and they haven't been detected, so why not a couple more? But one thing we are pretty certain of is that cross-platform malware will continue, and we see quite a lot, especially with the rise of cloud and all; the incentive for targeting both Windows and Linux is still there. And with that, I'll say thank you very much, and if anyone has any questions, that's the QR code for the blog there. [Applause]

Okay, thank you Avi and Ryan. We've got a few minutes for questions. Questions, anybody? Anyone? Okay, well I have a question, I guess, real quick. So ClamAV, could that detect it? It's on Linux and... Okay, we need to test it, I don't know. Yeah, put a signature for ClamAV on that, I mean, moving forward. Yeah, of course. Okay, cool, cool. Yeah, a lot of Linux backdoors, so they would see that on servers, right? Yeah, AWS probably. Okay, so anybody, questions beyond me? All right, well, thank you very much for your time and I really do appreciate you sharing your knowledge, so let's give it a round of applause for these folks. Awesome, awesome, thank you. [Applause]
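The configuration handling Ryan describes in the talk (a single-byte XOR with 0x69, a record layout that standard Cobalt Strike configuration parsers accept unchanged, and Windows-only artifacts sitting inside an ELF file as a red flag) is illustrated below with an added Python example. This is not code from the talk, from Intezer, or from any public parser; it assumes the publicly documented Beacon setting record layout (big-endian index, type and length followed by the value, terminated by an index of 0) and a small subset of setting indices taken from public parsers, and the ELF-like sample blob, its C2 string and its spawnto path are all constructed here rather than taken from Vermilion Strike.

```python
"""Added example (not from the talk or Intezer): recover a Beacon-style
configuration from a sample by undoing a single-byte XOR, parse its records,
and flag Windows artifacts found inside an ELF, the red flag the talk describes.

Assumptions (labelled): the record layout index:u16be, type:u16be, length:u16be,
value, the setting indices below and the index-0 terminator follow public
Beacon config parsers; the sample bytes are constructed here, not real."""
import struct

XOR_KEY = 0x69           # single-byte XOR key mentioned in the talk
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

# Subset of setting indices as used by public Beacon config parsers (assumption).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 7: "PublicKey",
                 8: "C2Server", 9: "UserAgent", 29: "SpawnTo_x86", 30: "SpawnTo_x64"}

# The first record of a config is BeaconType (index 1, short, 2 bytes); parsers
# locate the config by searching for this header XORed with the candidate key.
CONFIG_MARKER = struct.pack(">HHH", 1, TYPE_SHORT, 2)


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def record(index: int, kind: int, value) -> bytes:
    """Encode one setting record: index, type, length, then the value."""
    if kind == TYPE_SHORT:
        payload = struct.pack(">H", value)
    elif kind == TYPE_INT:
        payload = struct.pack(">I", value)
    else:
        payload = value
    return struct.pack(">HHH", index, kind, len(payload)) + payload


def build_sample() -> bytes:
    """Constructed ELF-looking blob carrying an XOR-encoded config (not a real sample)."""
    plain = b"".join([
        record(1, TYPE_SHORT, 1),          # BeaconType (value is illustrative)
        record(2, TYPE_SHORT, 53),         # Port
        record(3, TYPE_INT, 60000),        # SleepTime in milliseconds
        record(8, TYPE_DATA, b"c2.example.invalid,/dns-query\x00"),     # C2Server
        record(29, TYPE_DATA, b"%windir%\\syswow64\\rundll32.exe\x00"),  # SpawnTo_x86
        b"\x00" * 6,                       # index 0 terminates the config
    ])
    elf_header = b"\x7fELF\x02\x01\x01" + b"\x00" * 25   # 32-byte stand-in header
    return elf_header + b"\x00" * 64 + xor(plain, XOR_KEY) + b"\x00" * 16


def find_config(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Locate the encoded config by its XORed marker and return it decoded."""
    pos = blob.find(xor(CONFIG_MARKER, key))
    if pos < 0:
        raise ValueError("no Beacon config marker found for key 0x%02x" % key)
    return xor(blob[pos:], key)


def parse_config(plain: bytes) -> dict:
    """Walk the record list until the index-0 terminator or end of data."""
    settings, off = {}, 0
    while off + 6 <= len(plain):
        idx, kind, length = struct.unpack_from(">HHH", plain, off)
        off += 6
        if idx == 0:
            break
        raw = plain[off:off + length]
        off += length
        if kind == TYPE_SHORT and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif kind == TYPE_INT and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(idx, "setting_%d" % idx)] = value
    return settings


def windows_artifacts(settings: dict) -> list:
    """Settings whose values only make sense on Windows (backslash paths, %windir%, .exe)."""
    hits = []
    for name, value in settings.items():
        if isinstance(value, str):
            low = value.lower()
            if "\\" in value or "%windir%" in low or low.endswith(".exe"):
                hits.append(name)
    return hits


def analyze(blob: bytes) -> dict:
    """Decode, parse, and apply the 'Windows artifacts inside an ELF' heuristic."""
    settings = parse_config(find_config(blob))
    is_elf = blob[:4] == b"\x7fELF"
    artifacts = windows_artifacts(settings)
    return {"elf": is_elf, "settings": settings,
            "windows_artifacts": artifacts,
            "suspicious": is_elf and bool(artifacts)}


if __name__ == "__main__":
    for key_name, value in analyze(build_sample()).items():
        print(key_name, value)
```

Running the file prints the decoded settings and flags the sample as suspicious because a spawnto path that only exists on Windows was recovered from a file with an ELF magic. The marker search is what lets the same decoder work whether the config lives in a PE or an ELF, which is why, as the talk notes, off-the-shelf Cobalt Strike parsers handled the Linux sample without changes.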