Autonomous SOC PlatformAutomating Forensic Analysis for Linux Endpoints
TL;DR We just released a new version of our popular endpoint scanner for Linux machines, so the Autonomous SOC platform can immediately...
FBI Takedown: IPStorm Botnet Infrastructure Dismantled
UPDATE NOVEMBER 2023: IPStorm Infrastructure Dismantled by FBI The FBI today revealed US law enforcement’s dismantlement of a botnet proxy network, along...
Detection Rules for Lightning Framework (and How to Make Them With Osquery)
On 21 July, 2022, we released a blog post about a new malware called Lightning Framework. Lightning is a modular malware framework...
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡
Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits. Year...
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat...
Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat
Symbiote is a new Linux® malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on...
Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike
Key Findings Discovered Linux & Windows re-implementation of Cobalt Strike Beacon written from scratch Linux malware is fully undetected by vendors Has...
Guide to Digital Forensics Incident Response in the Cloud
Enterprises today rely on a wide range of cloud services—infrastructure as a service (IaaS), platform as a service (PaaS), software as a...
Cloud Security Fundamentals: Servers to Containers & Everything In-Between
With Linux being the operating system for 96% of the cloud, the landscape has changed beyond endpoint detection. Intezer Protect is built...
2020 Set a Record for New Linux Malware Families
Intezer’s 2021 X-Force Threat Intel Index Highlights It was a lot of fun collaborating with IBM on their 2021 X-Force Threat Intelligence...
ELF Malware Analysis 101: Part 3 - Advanced Analysis
Getting Caught Up to Speed So far in this series we have profiled the ELF threat landscape and covered the most common...
Top Linux Cloud Threats of 2020
We tagged 2019 as The Year of the Linux Threat. That trend continued in 2020 with high profile APTs launching ELF malware,...
Not Another Linux Security Blog
Blogs about Linux cloud security are nothing new. However, most are filled with technical jargon that can make them difficult to understand....
CVE-2020-16995: Microsoft Azure Network Watcher Linux Extension EoP
Intro In our last blog post we disclosed an escalation of privileges vulnerability in Microsoft Azure App Services. In this post, we’ll describe...
Exploiting a Vulnerable Version of Apache Struts
Code execution is the key ingredient in any successful cyber attack. Exploiting a misconfiguration or vulnerability are some of the more common...
Looking Back on the Last Decade of Linux APT Attacks
APTs are targeting Linux systems more than they ever have. Linux Attacks are on the Rise The research community continues to witness...
ELF Malware Analysis 101 Part 2: Initial Analysis
Introduction In the previous article we profiled the ELF malware landscape and explained how malware infects systems. We discussed the current lack...
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Linux has a large presence in the operating systems market because it’s open-sourced, free, and software development oriented—meaning its rich ecosystem provides...
Mapping Binaries Inside a Microsoft Azure Cloud Server
Linux has become the “go-to” OS in cloud computing, running 90% of the public cloud workload. Linux usage has even surpassed Windows...
Kaiji: New Chinese Linux malware turning to Golang
It is not often that you see a botnet’s tooling written from scratch. The Internet of things (IoT) botnet ecosystem is relatively well-documented by...
Intezer Analyze community roundup
Maze ransomware, APT41 and Lazarus highlight this month’s community samples 1. More_eggs variant with low Antivirus detections has modified string encoding mechanisms...
Pre-runtime vulnerability scans or runtime protection: Which is better for your IaaS security?
Under Armour’s famous slogan sums up the mission perfectly: We Must Protect this House. As adoption of cloud services continues, security teams...
TTPs matrix for Linux cloud servers
Checklist for protecting your Linux cloud servers against cyber attacks Taking inspiration from the MITRE ATT&CK® framework, we have developed a matrix categorizing...
Evasion Techniques Dissected: A Mirai Case Study
Code reuse analysis vs. signature-based detection We are often asked the question, “what sets your approach apart from other malware detection solutions?”...
Linux Rekoobe Operating with New, Undetected Malware Samples
Introduction Our research team has identified new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC...
Intezer Analyze Community: 2019 Recap and Trends
Emotet, Trickbot, and Lazarus were the most common threats detected by the community in 2019. Linux threats, with code connections to Mirai,...
2019: A Year-in-Review
What an amazing year it has been for us at Intezer! The company nearly doubled in size, we added several new important...
ChinaZ Updates Toolkit by Introducing New, Undetected Malware
Introduction ChinaZ is a Chinese cybercrime group and the author of several DDoS malware. We have profiled this group in a previous...
Genetic Malware Analysis for Golang
Intezer Analyze now proudly supports genetic analysis for files created with the Golang programming language. Community and enterprise users can detect and...
ACBackdoor: Analysis of a New Multiplatform Backdoor
Introduction We have discovered an undetected Linux backdoor which does not have any known connections to other threat groups. VirusTotal detection rate...
PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers
Analysis by Intezer and IBM X-Force points its origins to a Malware-as-a-Service (MaaS) provider utilized by the Cobalt Gang and FIN6 attack...
Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns
Introduction We previously reported on how we managed to temporarily shut down 15 operative QNAPCrypt ransomware campaigns targeting Linux-based file storage systems...
Why we Should be Paying More Attention to Linux Threats
In a previous post we wrote for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the emergence of...
Intezer Analyze Community: GonnaCry, HawkEye, BXAQ and More
In July, Intezer Analyze community detections included GonnaCry ransomware, the HawkEye malware kit, and BXAQ, the spyware that Chinese authorities have been...
Watching the WatchBog: New BlueKeep Scanner and Linux Exploits
Intro to WatchBog Cryptomining Malware WatchBog is a cryptocurrency-mining botnet that was spotted as early as November 2018. The group is known...
EvilGnome: Rare Malware Spying on Linux Desktop Users
Introduction Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system...
How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers
Introduction It is rare to see ransomware being used to target the Linux operating system. However, cyber criminals seem to adapt to...
Intezer Analyze Community: BlackSquid, RobbinHood Ransomware and More
1) BlackSquid [Link to Analysis] BlackSquid is a Monero crypto-miner which was recently discovered by researchers at Trend Micro. According to Trend...
HiddenWasp and the Emergence of Linux-based Threats
This blog post was featured as contributing content for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC). The Linux threat...
Executable and Linkable Format 101 Part 4: Dynamic Linking
This is the 4th post in our Executable and Linkable Format (ELF) 101 series, where the goal is to spread awareness about the...
Chinese APTs Rising: Key Takeaways from the Intezer Analyze Community in May
1) Pirpi (APT3) [Link to Analysis] APT3, commonly referred to as Gothic Panda, TG-0110 and Buckeye, is a Chinese cyber espionage group...
HiddenWasp Malware Stings Targeted Linux Systems
Overview • Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems. • The malware is still...
Top Five Community Uploads | April 2019
This month’s Intezer Analyze community findings include malware employed by two cyber espionage groups linked to the Russian government and an endpoint...
Top Five Community Uploads | March 2019
Last month I published a blog post highlighting notable uploads made by the Intezer Analyze community during the month of February. In...