
CrossC2 Enables Cobalt Strike to Go Multi-Platform – Linux and macOS Now in the Crosshairs

Cybersecurity researchers at JPCERT/CC have uncovered a sophisticated attack campaign that leveraged CrossC2. This unofficial extension tool enables the notorious Cobalt Strike framework to operate on Linux and macOS systems.

From September to December 2024, attackers employed this multi-platform capability alongside custom malware dubbed “ReadNimeLoader” to penetrate Active Directory environments across multiple countries, signaling a significant evolution in cross-platform cyber threats.

Expanding Attack Surface Beyond Windows

CrossC2 represents a concerning development in the cyberthreat landscape, as it extends Cobalt Strike’s traditionally Windows-focused capabilities to Unix-based operating systems.

Figure: A part of obfuscated code in CrossC2

The tool, written in C and compatible with Cobalt Strike version 4.1 and above, supports both x86 and x64 architectures on Linux, as well as Intel and M1-based macOS devices.

The extension operates by forking itself upon execution and retrieving command-and-control (C2) information from its configuration or environment variables “CCHOST” and “CCPORT”.

While the tool is publicly available on GitHub, its source code has not been released, and its functionality is deliberately limited compared to the full Cobalt Strike suite.

Security researchers discovered that CrossC2 incorporates multiple anti-analysis features, including string encoding using single-byte XOR operations and extensive junk code insertion to evade detection.

Figure: A part of junk code

The malware stores its configuration data at the end of the file, encrypted using AES128-CBC without padding, and searches for a “HOOK” string to locate this critical information.
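The two traits described above, single-byte XOR string encoding and a trailing "HOOK"-marked configuration, lend themselves to a small triage script. The one below is an added example, not JPCERT/CC's parser or any CrossC2 code; the byte layout, XOR key and sample blob are constructed for illustration and the AES-encrypted configuration is represented by placeholder bytes, since the key material is not given here.

```python
# Added example (constructed sample, not a real CrossC2 binary): recover
# single-byte-XOR-encoded strings and locate the trailing "HOOK" config blob.
from __future__ import annotations
import string

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c\r\n\t")
HOOK_MARKER = b"HOOK"

def xor_decode(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)

def recover_xor_strings(blob: bytes, min_len: int = 6) -> dict[int, list[str]]:
    """Try every single-byte key and collect printable runs of at least
    min_len characters. Returns {key: [strings]}; the key that yields
    plausible strings (env names, paths, hosts) is the one the sample uses."""
    found: dict[int, list[str]] = {}
    for key in range(1, 256):  # key 0 would be a no-op
        run = bytearray()
        for b in xor_decode(blob, key) + b"\x00":  # sentinel flushes last run
            if b in PRINTABLE:
                run.append(b)
            else:
                if len(run) >= min_len:
                    found.setdefault(key, []).append(run.decode())
                run.clear()
    return found

def locate_trailing_config(sample: bytes) -> tuple[int, bytes] | None:
    """Find the last 'HOOK' marker and return (offset, bytes after it).
    Unpadded AES-128-CBC ciphertext is a whole number of 16-byte blocks,
    so a trailing length that is not a multiple of 16 marks a false hit."""
    off = sample.rfind(HOOK_MARKER)
    if off == -1:
        return None
    payload = sample[off + len(HOOK_MARKER):]
    if len(payload) % 16 != 0:
        return None
    return off, payload

# Constructed sample: junk, three strings XOR-encoded with key 0x5A, more
# junk, then the HOOK marker followed by 32 placeholder "ciphertext" bytes.
KEY = 0x5A
SAMPLE = (b"\xff\xfe\x80"
          + xor_decode(b"CCHOST\x00CCPORT\x00/tmp/.cache\x00", KEY)
          + b"\x7f\x01" + HOOK_MARKER + bytes(range(0x80, 0xA0)))
```

Run it on the bytes of a suspect ELF or Mach-O; the key whose recovered strings include the "CCHOST"/"CCPORT" environment names is the one to feed into further analysis.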

Custom Loader Orchestrates Multi-Stage Attack

The attack campaign’s sophistication becomes apparent through its use of ReadNimeLoader, a custom malware written in the Nim programming language that serves as a loader for Cobalt Strike beacons.

This malware employs a complex execution chain: a legitimate java.exe process loads a malicious jli.dll through DLL sideloading, which then reads and decrypts a data file named readme.txt containing OdinLdr, an open-source shellcode loader.

Figure: Each decoding function

ReadNimeLoader incorporates four distinct anti-analysis techniques: PEB-based debugger detection, CONTEXT_DEBUG_REGISTER checks, timing-based analysis detection, and exception handling verification.

Critically, portions of the decryption key are embedded within these anti-analysis functions, so the payload cannot be decrypted correctly unless these evasion checks are actually executed.

BlackBasta Connection Emerges

Investigation findings suggest potential attribution to the BlackBasta ransomware group, based on several key indicators.

Researchers identified matching C2 domains previously associated with BlackBasta operations, along with similar attack methodologies, including the use of SystemBC remote access trojan, AS-REP Roasting techniques via GetNPUsers, and identical file naming conventions.

The campaign demonstrates the increasing trend of threat actors expanding their operational capabilities beyond traditional Windows environments. With many Linux servers lacking comprehensive endpoint detection and response (EDR) solutions, these systems present attractive targets for initial compromise and lateral movement within enterprise networks.

JPCERT/CC has released a configuration parser tool to assist security professionals in analyzing CrossC2 samples, highlighting the critical need for enhanced monitoring of multi-platform environments in modern cybersecurity strategies.


The post CrossC2 Enables Cobalt Strike to Go Multi-Platform – Linux and macOS Now in the Crosshairs appeared first on Cyber Security News.

rssfeeds-admin
