Threat Actors Leverage CrossC2 to Extend Cobalt Strike to Linux and macOS

JPCERT/CC verified a number of events in which threat actors were seen using CrossC2, an unofficial extension tool that creates Cobalt Strike Beacons that work with Linux and macOS.

This campaign, which targeted Active Directory (AD) infrastructures, involved the use of CrossC2 alongside established tools such as PsExec for lateral movement, Plink for SSH tunneling, and native Cobalt Strike payloads.

Further analysis revealed the integration of a custom loader dubbed ReadNimeLoader, written in Nim, which facilitates in-memory execution of Cobalt Strike via DLL sideloading.

Evidence from VirusTotal submissions indicates that this operation extended beyond Japan, impacting organizations in multiple countries.

The attackers exploited Linux servers as potential entry points, capitalizing on the frequent absence of endpoint detection and response (EDR) systems in such environments, thereby enabling deeper network penetration and persistence.

Overview of the Attack Campaign

CrossC2, developed in C and compatible with Cobalt Strike version 4.1 and later, supports x86, x64, and M1 architectures on Linux and macOS.

Upon execution, it forks a child process to handle core operations, retrieving C2 details from embedded configurations or environment variables like CCHOST and CCPORT.

While it executes a subset of Cobalt Strike commands, CrossC2 incorporates anti-analysis measures including single-byte XOR string encoding and extensive junk code insertion, which can be neutralized by patching specific byte sequences with NOP instructions.

The configuration is appended to the binary, encrypted with AES-128-CBC (no padding), and located by scanning for the “HOOK” tag using readlink and fread functions.

Notably, CrossC2 Beacons are UPX-packed by default, requiring configuration removal for successful unpacking before reinsertion.

The Cobalt Strike deployment chain begins with a legitimate java.exe invoked via Task Scheduler, which sideloads ReadNimeLoader disguised as jli.dll from the C:$Recycle.Bin directory.

ReadNimeLoader decrypts a readme.txt file containing OdinLdr, an open-source shellcode loader that decodes and executes the embedded Cobalt Strike Beacon in memory.

ReadNimeLoader employs sophisticated anti-debugging techniques, such as checking PEB’s BeingDebugged flag, CONTEXT_DEBUG_REGISTERS, timing differentials exceeding 0x512, and exception handler verification.

Decryption keys are dynamically generated from these routines, combined with XOR-decoded strings, and processed via AES-256-ECB for payload extraction.

OdinLdr further evades detection by periodically re-encrypting the Beacon with random XOR keys and storing it in heap memory prefixed with “OdinLdr1337”. Variations exist where ReadNimeLoader directly executes the Beacon without OdinLdr.

Analysis Support

Attackers supplemented their arsenal with ELF variants of SystemBC for proxying communications, GetNPUsers for AS-REP Roasting attacks, and Windows privilege escalation utilities.

Attribution points to a potential connection with the BlackBasta ransomware group, evidenced by shared C2 domains, file naming conventions like jli.dll and readme.txt, and tactical overlaps including SystemBC and AS-REP exploitation, as noted in prior Rapid7 reports.

To aid investigations, JPCERT/CC has released a Python-based configuration parser on GitHub for extracting CrossC2 details from Linux and macOS binaries.

This tool decodes encrypted configurations, revealing C2 servers, public keys, and other artifacts. As Linux servers increasingly become blind spots in enterprise defenses, heightened monitoring and EDR deployment are recommended to mitigate such multi-platform threats.

Indicators of Compromise (IOCs)

AWS Security Services: 10-Point Executive Checklist - Download for Free