
CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

From September to December 2024, incidents involving CrossC2, an extension tool that brings Cobalt Strike Beacon to Linux, were confirmed. The attacker used CrossC2 together with other tools such as PsExec, Plink, and Cobalt Strike to penetrate Active Directory (AD). A custom malware called ReadNimeLoader served as a loader for Cobalt Strike. The campaign may have affected multiple countries. CrossC2 is an unofficial Beacon and builder compatible with Cobalt Strike 4.1 and later, designed for Linux and macOS; it contains anti-analysis features and encrypted configuration data. In the observed attack flow, java.exe launched ReadNimeLoader, which in turn loaded OdinLdr to execute Cobalt Strike Beacon. Other tools used include SystemBC, GetNPUsers, and privilege escalation tools. The campaign shows potential connections to BlackBasta based on shared characteristics.

OPENCTI LABELS :

cobalt strike,macos,linux,systembc,psexec,readnimeloader,crossc2,ad,odinldr


AI COMMENTARY :

1. Introduction: The CrossC2 campaign that unfolded between September and December 2024 represents a significant evolution in the use of Cobalt Strike Beacon for cross-platform attacks. Originally known as a penetration testing framework for Windows environments, Cobalt Strike has now been extended by CrossC2 to target Linux and macOS systems. Security teams across multiple regions observed distinct stages of intrusion that leveraged a novel loader and a suite of open-source tools to escalate privileges and move laterally through Active Directory environments.

2. CrossC2 Capabilities and Features: CrossC2 is an unofficial Beacon variant compatible with Cobalt Strike 4.1 and later. It offers encrypted configuration storage and anti-analysis measures intended to foil sandboxing and forensic inspection. Designed to operate on Linux and macOS hosts, the tool can deliver Beacon payloads with a minimal footprint, evading traditional Windows-centric detection. Its builder component streamlines the creation of customized payloads, making it accessible to adversaries seeking cross-platform persistence.

3. Attack Flow Detailed: The adversary initiated compromise by abusing existing administrative utilities. A java.exe process launched ReadNimeLoader, a custom malware acting as a loader for the Cobalt Strike Beacon. ReadNimeLoader decrypted its embedded payload and handed execution to OdinLdr, a second-stage loader. This sequence culminated in the deployment of the Cobalt Strike Beacon, granting an initial foothold on targeted assets. Following this, the attacker employed PsExec and Plink to pivot from Windows jump boxes into Linux or macOS systems using CrossC2. Active Directory accounts were harvested through GetNPUsers and other account enumeration tools before privileges were escalated.

4. Supporting Tools and Malicious Modules: Beyond CrossC2, the attacker leveraged SystemBC for proxying and secure communication channels, enabling Beacon callbacks disguised as legitimate network traffic. Privilege escalation was facilitated by a variety of open-source scripts, while lateral movement relied on PsExec and Plink tunnels. The ReadNimeLoader and OdinLdr pair illustrates a custom loader chain that bypasses endpoint security solutions by operating within trusted processes. Each tool in the campaign was selected to maximize stealth and operational flexibility across Windows, Linux, and macOS platforms.

5. Scope, Impact, and Attribution: The campaign affected organizations in multiple countries, though exact figures remain under investigation. Indicators of compromise share striking similarities with tactics attributed to the BlackBasta ransomware group, including the use of custom loaders and AD abuse. While no definitive ransom demands have yet been linked to this activity, the alignment of operational patterns suggests a possible connection or shared tooling. Security operations centers should treat this campaign as highly sophisticated and potentially resourced by a well-funded actor.

6. Threat Intelligence Implications: The emergence of CrossC2 underscores a growing trend toward cross-platform offensive frameworks. Security teams must adapt detection strategies beyond the Windows ecosystem and account for Linux- and macOS-specific threats. Encrypted configurations and anti-analysis functions warrant improved telemetry on process spawning and memory patterns. Collaboration across platforms will be essential to build intelligence on evolving loader chains and communication protocols.

7. Mitigation and Detection Strategies: Defenders should enforce strict application allowlists on Linux and macOS hosts to block execution of unauthorized binaries. Monitoring for abnormal invocation of java processes and unusual child process hierarchies can reveal ReadNimeLoader activity. Network analytics tuned to SystemBC and CrossC2 communication signatures will help detect Beacon callbacks. Hardening Active Directory by implementing multi-factor authentication and restricting PsExec and Plink usage will limit lateral movement opportunities.
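The two host-side checks in the paragraph above, a java process spawning a child it has no business spawning and a Linux/macOS binary executing from outside an allowlisted directory, can be prototyped over process-creation telemetry. The script below is an added example written by the editor; it is not code from the OpenCTI report, from CrossC2, or from any tool the report names. The tab-separated event format, the sample events, the expected-child set, the allowlist, and the placeholder paths (`C:\Users\Public\loader.exe`, `/tmp/.cache/agent`) are all constructed for illustration and are not indicators from the report; the expected-child and allowlist sets are assumptions that must be tuned per estate.

```python
"""Editor-added detection sketch (not from the OpenCTI report): flag a java
process spawning an unexpected child, and POSIX executables launched from
outside an allowlist, over constructed process-creation events."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed sample telemetry, tab-separated: host, pid, ppid, parent image, child image.
# The loader/stage2/agent paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = "\n".join([
    "win-jump01\t3990\t1200\tC:\\Windows\\explorer.exe\tC:\\Program Files\\Java\\bin\\java.exe",
    "win-jump01\t4120\t3990\tC:\\Program Files\\Java\\bin\\java.exe\tC:\\Users\\Public\\loader.exe",
    "win-jump01\t4133\t4120\tC:\\Users\\Public\\loader.exe\tC:\\Users\\Public\\stage2.exe",
    "win-jump01\t4200\t3990\tC:\\Program Files\\Java\\bin\\java.exe\tC:\\Windows\\System32\\conhost.exe",
    "lnx-app01\t2210\t1\t/usr/sbin/cron\t/usr/bin/python3",
    "lnx-app01\t2305\t2210\t/usr/bin/python3\t/tmp/.cache/agent",
    "mac-dev02\t881\t1\t/sbin/launchd\t/Applications/Safari.app/Contents/MacOS/Safari",
])

# Assumptions to tune per environment: which images count as "java", which
# children a java process is normally allowed to spawn, and where POSIX
# executables may legitimately live.
JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}
EXPECTED_JAVA_CHILDREN = {"java.exe", "javaw.exe", "java", "conhost.exe"}
ALLOWED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/Applications/")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    ppid: int
    parent: str
    image: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse the constructed tab-separated format into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, pid, ppid, parent, image = line.split("\t")
        events.append(ProcessEvent(host, int(pid), int(ppid), parent, image))
    return events


def unexpected_java_children(events: Sequence[ProcessEvent]) -> List[ProcessEvent]:
    """Children of a java process whose image is not in the expected set."""
    return [e for e in events
            if basename(e.parent) in JAVA_IMAGES
            and basename(e.image) not in EXPECTED_JAVA_CHILDREN]


def unlisted_executables(events: Sequence[ProcessEvent],
                         allowed=ALLOWED_DIRS) -> List[ProcessEvent]:
    """POSIX-path images (Linux/macOS hosts) launched from outside the allowlist."""
    return [e for e in events
            if e.image.startswith("/") and not e.image.startswith(allowed)]


def ancestry(events: Sequence[ProcessEvent], host: str, pid: int) -> List[str]:
    """Walk ppid links on one host, root first, so an analyst sees the full chain."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events if e.host == host}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def triage(text: str) -> Dict[str, List[str]]:
    """Run both checks and return human-readable findings keyed by check name."""
    events = parse_events(text)
    findings: Dict[str, List[str]] = {"java_child": [], "unlisted_exec": []}
    for e in unexpected_java_children(events):
        findings["java_child"].append(f"{e.host}: " + " -> ".join(ancestry(events, e.host, e.pid)))
    for e in unlisted_executables(events):
        findings["unlisted_exec"].append(f"{e.host}: {e.image}")
    return findings


if __name__ == "__main__":
    for kind, lines in triage(SAMPLE_EVENTS).items():
        for line in lines:
            print(kind, line)
```

On the sample data the java check reports the `java.exe -> loader.exe` chain on the jump host while leaving the `conhost.exe` child alone, and the allowlist check reports only the `/tmp` binary. In production the same logic would sit on Sysmon, auditd, or EDR process-creation events rather than on a tab-separated string, and the two sets at the top are where a false-positive review would start.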

8. Conclusion: The CrossC2 expansion of the Cobalt Strike Beacon toolkit marks a pivotal moment in threat actor innovation. By adapting a traditionally Windows-centric framework for Linux and macOS, adversaries gain broader reach and persistence. Continuous threat intelligence sharing, enhanced cross-platform monitoring, and proactive defense measures are critical to counter this emergent threat and safeguard diverse enterprise environments.
