Malware Targeting Linux Operating Systems

Summary

A trend in malware being developed to specifically target Linux systems is being observed in the wild. Previously, malware targeting Linux was relatively scarce and primitive in comparison to other proprietary operating systems. Due to this, many organizations believed Linux to be a highly secure operating system and serves as the most common operating system across multi-cloud environments. Up to 78% of websites are powered by Linux (according to DarkReading) creating a significant vulnerability for organizations operations.

Introduction

Linux, an open-source operating system, has been known for several security advantages over Windows operating systems. The open-source code enables all users to find bugs and exploits leading to quick identification of potential security vulnerabilities and potential malicious activity. Additionally, root access is highly restricted, and the source code provides programmers with the ability to segment working environments increasing cyber security vigilance. These capabilities have made it difficult for threat actors to gain access to sensitive information on Linux operating systems. This led threat actors to view Windows operating systems as easier targets with a higher return on investment.

As Linux has been integrated into more critical areas of businesses and cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platforms, threat actors have reevaluated the return on investment in targeting Linux. Currently, there are over 11 active ransomware groups targeting Linux operating systems through vulnerabilities and penetration testing tools such as Cobalt Strike and Vermilion Strike with new malware, cryptojacking, and ransomware. These threat actors include LockBit, AvosLocker, ALPHV, Luna, Nevada, RansomEXX, BlackBasta, GwisinLocker, RedAlert, Cheerscrypt and Royal.

New Malware:

Medusa, a new botnet, is being downloaded via the Mirai botnet targeting Linux users. The new botnet has the ability to perform malicious activities such as Distributed Denial of Service (DDoS) attacks, ransomware, brute force attacks, download additional payload, and can steal sensitive information from the victims’ machine. The Medusa Botnet can launch DDoS attacks on various levels of the network hierarchy, including Layer 3, Layer 4, and Layer 7. These attacks can be carried out either by using spoofed IP addresses or the IP address of the victim’s machine where the client is installed. The botnet employs the spoofer() function to generate random IP addresses, making it challenging for the victims to determine the origin of the DDoS attack. The ransomware attack function searches all the directories for files with specific extensions and then encrypts them. Additionally, brute force attacks on Telnet services running on internet-connected devices use the ScanWorld function. This function performs a brute force attack and can inject an additional payload. With the growing popularity of Linux machines, threat actors are developing and improving their methods for attacking these systems.

BoldMove, a Chinese based malware, was created to exploit FortiOS CVE-2022-42475 that was disclosed to the public in December 2022. The BoldMove backdoor is written in C and comes in two versions, a Windows version and a Linux version, that the threat actor appears to have customized for FortiOS. When executed, the Linux version of the malware first attempts to connect to a hardcoded command-and-control (C2) server. If successful, BoldMove collects information about the system on which it has landed and relays it to the C2. The C2 server then relays instructions to the malware that ends with the threat actor gaining full remote control of the affected FortiOS device. Evidence of exploited activity associated with the malware was occurring as early as October 2022. Targets have included a government entity in Europe and a managed services provider in Africa.

IcedID, also known as BokBot, involves threat actors moving at an alarming rate from compromising a system to lateral movement within a system. The attackers started a lateral movement within the infected network within one hour of infection and compromised the Active Directory of an unknown target within 24 hours. The attackers used Information System Owner (ISO) and Windows shortcut (LNK) files instead of traditional phishing-based attacks that delivered macro-based documents. Opening the ISO file on the victim’s device creates a virtual disk. This virtual disk carries only one single file – an LNK file linked to a batch file. Upon execution, the batch file drops a dynamic link libraries (DLL) file and executes it with rundll32.exe. This established a connection with the IcedID-related domain, from where the IcedID payload is downloaded. Within a few minutes of infection, the attacker scans the entire network via net.exe to gather information about the domain, members of the admin group, and the workstation. The attackers, in this incident, stole the credential of a service account of the target via Kerberoasting and moved laterally to an internal Windows Server where the Cobalt Strike beacon was deployed. Within one hour of the initial infection, the attackers were observed performing lateral movement across the entire targeted network using Windows Management Instrumentation (WMI). The rapid speed of the entire operation and the use of legitimate tools allowed IcedID to dodge several security barriers. For protection against such attacks, experts recommend the use of both signature-based and behavior-based anti-malware solutions.

Kinsing, a Linux-based malware with a history of targeting containerized environments for crypto mining, is now infiltrating Kubernetes clusters. Kinsing operators are known to exploit vulnerabilities like Log4Shell and more recently Atlassian Confluence RCE (CVE-2022-26134) to breach targets and establish persistence. Additionally, they are attempting to exploit vulnerabilities in PHPUnit, Liferay, Oracle WebLogic, and WordPress apps for initial access. Recent reporting indicates an increase in activity in two specific delivery methods: exploitation of vulnerable images and of weakly configured PostgreSQL. The surge in activity suggests threat actors are now actively looking for specific entry points.

IceFire, a ransomware that previously only targeted Windows systems, is being deployed by exploiting a vulnerability in IBM Aspera Faspex file sharing software known as CVE-2022-47986. Once the ransomware is on the victim’s machine, it targets specific paths avoiding critical system paths to remain undetected before encrypting files and adding the ‘.ifire’ extension to the filename before deleting itself and removing the binary. IceFire has impacted victims in Turkey, Iran, Pakistan, and the United Arab Emirates, which are typically not a focus for organized ransomware actors. However, it is likely that the threat actors are targeting the middle east to improve the ransomware code and execution before deploying in other nations.

Conclusion: What Linux Users Should Know

Threat actors now view Linux operating systems as prime targets because they are used for critical areas of business. Organizations should be aware of this shift in targeting Linux systems and establish standard security best practices to minimize access for threat actors. Further, Linux user awareness around social engineering should be an organizational focus as users need to be trained to increase cyber security vigilance. Additionally, companies should inventory all their Linux-based systems and develop a Linux-based security approach to protect against different threats.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: