They all target Linux systems
For a long time Linux was not seen as a serious target for threat actors. Because the operating system makes up such a small percentage of desktop market share compared to Windows, it is no surprise that threat actors focused most of their attention on attacking Windows endpoints.
Times are quickly changing, though, as the next major battleground moves from traditional on-premise Windows endpoints to Linux-based servers and containers in the cloud. For perspective, 90% of the public cloud runs Linux.
Attackers are taking note. Some have started to write new malware from scratch exclusively for Linux, while others are adapting their existing Windows malware to target Linux.
Traditional endpoint protection platforms built to secure Windows are struggling to keep up with Linux threats. If you are in the cloud, make sure you have a security solution compatible with Linux systems, both in terms of threat detection and performance.
Below we highlight 10 Linux malware families targeting the cloud that should be on your radar.
1. TrickBot
It may come as a surprise to some that TrickBot has Linux malware. The popular Windows banking trojan is used as malware-as-a-service (MaaS) by cybercriminals and nation-state actors, mostly in financially motivated campaigns. TrickBot is capable of stealing credentials, spreading through the network, stealing cookies, and deploying ransomware.
At the end of 2019, SentinelOne and NTT reported a new TrickBot component, called Anchor, which acts as a backdoor and uses DNS to communicate with its command and control (C2) server. In July 2020, researcher Waylon Grange discovered an Anchor sample targeting Linux systems. The Linux variant is not only a backdoor but also has the ability to drop and execute other malware, including the Windows version of TrickBot, with the goal of infecting Windows machines on the same network.
2. Kobalos
ESET researchers discovered a sophisticated multiplatform backdoor called Kobalos. The malware targeted high-performance computers belonging to prominent endpoint security vendors, internet service providers and universities. Kobalos has advanced features including network evasion and anti-forensic techniques. Once a server is compromised, it can be used as a command and control (C2) server by other compromised servers. It was later discovered that the victims’ hosts contained a backdoored OpenSSH process intended to steal credentials from incoming connections.
3. FreakOut
The FreakOut botnet infects Linux systems mostly by exploiting known vulnerabilities. Targets include vulnerable servers running Zend Framework, Liferay and TerraMaster network-attached storage (NAS).
Once the attacker has gained access to the system, they download a Python script that connects the victim to a command and control (C2) server so the attacker can control the compromised machine. FreakOut has been seen performing all types of malicious activity, from cryptojacking, port scanning and network sniffing, to spreading to other devices in the network via vulnerability exploits, launching DDoS attacks and opening a reverse shell. FreakOut emphasizes the need for regular security updates as well as runtime security.
4. RansomEXX
RansomEXX, a file-encrypting Trojan that once targeted only Windows machines, began attacking Linux machines in late 2020 when it emerged as multiplatform malware. This threat targets various government entities and tech companies. Recent attacks include the Texas Department of Transportation, the Brazilian court system, and business technology giant Konica Minolta.
5. Drovorub
According to the FBI and NSA’s joint alert, Drovorub is the work of APT28, also known as Sofacy or Fancy Bear. Drovorub consists of an implant with a kernel module rootkit, a file transfer tool, a port forwarding module, and a command and control (C2) server. Once installed on the victim’s machine, the malware is capable of communicating with the C2 server, downloading and uploading files, executing arbitrary commands with root privileges, and spreading to other hosts on the network. The kernel module rootkit in particular uses various techniques to hide the malware, allowing the implant to stay hidden in the network and attack at any time. Since this threat is associated with a Russian APT group, we assume that its operations targeting Linux are only getting started.
6. WellMess
WellMess is a backdoor with both a Windows and a Linux version, each possessing similar capabilities that have been updated since the first release of the malware in 2018. The United Kingdom’s National Cyber Security Centre reports that WellMess has been used in several attempts to steal information from companies developing COVID-19 vaccines. This threat is attributed to Blue Kitsune (aka APT29 or Cozy Bear).
7. GitPaste-12
Discovered in October 2020 by Juniper Threat Labs, the GitPaste-12 botnet targets Linux-based servers and Internet of Things (IoT) devices. GitPaste-12 uses several known vulnerabilities to exploit its victims, among them Apache Struts (CVE-2017-5638), ASUS routers (CVE-2013-5948), Tenda routers (CVE-2020-10987), and a WebAdmin plugin for opendreambox (CVE-2017-14135). The botnet hosts its backdoor and cryptomining code on GitHub and Pastebin.
8. IPStorm
IPStorm is another botnet that once targeted only Windows machines but has made the switch to Linux (and also macOS). IPStorm abuses a legitimate peer-to-peer (P2P) network to obscure malicious traffic, allowing the attacker to execute arbitrary code on the infected machine. New Linux variants share code with former Windows versions while also implementing new capabilities, including SSH brute-forcing to spread to additional victims on the cloud network.
IPStorm is among the growing list of cross-platform malware written in Golang being used in attacks on Linux cloud servers.
9. Cloud Snooper
Cloud Snooper is part of a sophisticated attack that uses a unique combination of techniques to evade detection while permitting the malware to communicate freely with its command and control (C2) server through a firewall. Both Windows and Linux hosts have been infected in this campaign. The complexity of this attack gives us reason to believe the threat actors behind the malware are nation-state backed.
10. Cryptojacking Malware
The recent bull market and increased value of cryptocurrencies have attracted a large number of Linux cryptojacking malware families targeting cloud environments. This type of attack exploits the large processing power of cloud computing to maliciously mine cryptocurrency.
There are many types of cryptojacking malware. Some are based on open-source projects like XMRig Miner, while others are developed from scratch, such as Kinsing, which is part of an ongoing campaign compromising servers with exposed Docker API ports. Besides mining cryptocurrency, Kinsing has other capabilities: it collects SSH credentials to access other cloud servers hosted on the same infrastructure, achieves persistence, and implements defense evasion techniques.
Recent attacks have shown that Linux cryptominers will find their way into the production environment. Make sure you have runtime protection to stop them at runtime.
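The weak setting Kinsing's campaign looks for is a Docker daemon whose API listens on TCP without TLS client verification. The following audit script is an added example, not code from the article or from Intezer: it reads the two places dockerd takes its listeners from (the `hosts` key in daemon.json and `-H`/`--host` flags on the command line) and rates each `tcp://` listener; the daemon.json and command-line samples inside it are constructed.

```python
"""Audit how dockerd listens for API connections (added example, not from the article).

dockerd listeners come from "hosts" in daemon.json and/or -H/--host flags. A tcp://
listener without TLS client verification ("tlsverify" / --tlsverify) gives anyone who
can reach the port control of the daemon, and through it root on the host. All inputs
below are constructed samples.
"""
import json
import re


def tcp_listeners(daemon_json: str, dockerd_cmdline: str) -> tuple:
    """Return (list of tcp:// listeners, tls_verify_enabled) from both config sources."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    # accepts "-H tcp://...", "--host tcp://..." and "--host=tcp://..."
    hosts += re.findall(r"(?:^|\s)(?:-H|--host)[ =](\S+)", dockerd_cmdline)
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in dockerd_cmdline.split()
    return [h for h in hosts if h.startswith("tcp://")], tls_verify


def audit_docker_api(daemon_json: str, dockerd_cmdline: str) -> list:
    """Rate each tcp:// listener as a (listener, severity, reason) tuple."""
    listeners, tls_verify = tcp_listeners(daemon_json, dockerd_cmdline)
    findings = []
    for h in listeners:
        bind_addr = h[len("tcp://"):].rpartition(":")[0]  # "", 0.0.0.0, [::] = all interfaces
        if not tls_verify:
            findings.append((h, "critical", "remote Docker API without TLS client verification"))
        elif bind_addr in ("", "0.0.0.0", "[::]"):
            findings.append((h, "review", "TLS-verified API bound to all interfaces; restrict with a firewall"))
    return findings


# Constructed samples: the exposed setting beside a hardened one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
WEAK_CMDLINE = "/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    for name, dj, cl in [("weak daemon.json", WEAK_DAEMON_JSON, "/usr/bin/dockerd"),
                         ("hardened daemon.json", HARDENED_DAEMON_JSON, "/usr/bin/dockerd"),
                         ("weak command line", "", WEAK_CMDLINE)]:
        print(name, "->", audit_docker_api(dj, cl) or "no TCP exposure")
```

On a live host the same functions can be fed the contents of /etc/docker/daemon.json and the dockerd line from `ps -eo args`.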
The cloud threat landscape is home to a growing number of Linux malware families. With a 500% increase in Linux-related malware families in the past decade, cloud environments are a prime target for threat actors. If you currently use the cloud or are planning to soon, keep a close eye on these threats.
Traditional Windows EDRs are having a hard time detecting Linux threats. Intezer Protect is defending cloud environments against the latest Linux threats without slowing down performance. Try our free community edition.