Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

When It Comes to Security, Don’t Overlook Your Linux Systems

As I pointed out earlier this year, Linux systems are a popular delivery mechanism for malware. While they’re not the most popular – that distinction goes to HTML and Javascript – don’t think you can ignore them. Linux-based attacks are very much still happening.

As I pointed out earlier this year, Linux systems are a popular delivery mechanism for malware. While they’re not the most popular – that distinction goes to HTML and Javascript – don’t think you can ignore them. Linux-based attacks are very much still happening.

Malware delivery mechanisms

When bad actors identify a vulnerability they can exploit, their next move is typically to spread malware to achieve their objectives. When deciding what platforms to employ, hackers have a variety of ways to get malware into systems without attracting attention. This is known as the “hacker’s choice.”  And they can also find ways to remain in those systems even longer without being noticed, which is what we’re seeing with advanced persistent crime (APC).

Our researchers have observed that over the previous six months, HTML has been the most common method of malware delivery, with a difference of about 10% between it and Javascript. HTML hit a new high in May.

This isn’t particularly shocking. It appears that every platform, with the exception of XML, which had a minor increase in March and a subsequent decline in April, stayed largely consistent. Given that most malware developers employ and specialize in just one malware delivery platform, this is to be anticipated.

The two front-runners were HTML and Javascript, but LNK also did well. It is now simpler to execute this kind of attack due to the existence of a malicious framework for the distribution of malware with LNK extensions. LNK is a Shell item that opens a different program, folder or file by pointing to it. The Excel formula virus known as eXcelForumla, or XF, infects spreadsheets.

In this case, we recognized CoinMiner as a trojan that performs activities without the user’s awareness. Establishing remote access connections, gathering system information, intercepting keyboard input, injecting further malware into the compromised system, downloading/uploading files, launching denial-of-service (DoS) attacks, running/terminating processes are a few of these actions.

Advertisement. Scroll to continue reading.

But don’t discount Linux 

While Linux wasn’t among the most prevalent malware delivery methods,  that doesn’t mean it can’t make an impact. Today, the majority of Linux-based malware attacks are related to crypto-mining. Furthermore, attackers who use this kind of delivery method typically use it to stage attacks, automate authentication attacks, or continue an attack even after a vulnerability has been found and exploited.

If you look at the most prevalent threats on the Linux platform, it’s hardly surprising that Mirai is at the top of the list when we compare the volume of general Linux activity with what we know about Linux-based malware attacks. This botnet has been around since 2016, but six years later, it is still being used, exploited and updated. 

The second most common ELF type we saw, BitCoinMiner, reflects more recent trends. The next group of threats are scattered and have a low volume, including Tsunami, Agent and DDoS. However, being low in volume does not always equate to having little impact. So, let’s take a look at other ELF detections that can provide further information about other things that use Linux.

While it’s clear that Miner samples are by far the most frequent ELF detections, several ransomware strains – like AvosLocker, Hive and Vigorf – also use Linux. AvosLocker is a well-known ransomware that is usually distributed and sold on the dark web as ransomware-as-a-service (RaaS). Although AvosLocker was discovered for the first time in July 2021, it has proven difficult for organizations and businesses to combat due to its capacity to be targeted and modified by criminals as they see fit. 

Another ransomware variation called Vigorf gained popularity in March 2022 and, in terms of count, overtook both Hive (ransomware) and Miner malware in June. Additionally, Stealthworker, a Golang-based malware that uses brute force and was identified in 2019, is still there, albeit in very small amounts.

Defeating all malware comers

Clearly, it would be unwise to discount the potential impact of Linux-based malware attacks on your network security status. Volume size is not necessarily commensurate with the potential for harm. When it comes to securing your network, you need to be aware of all threats and prepared to defend against them all.

The good news is that in most cases, if you find malware on one of your systems, your SOC team can contain a compromised unit if they can detect and respond to it in near-real time. But this usually requires teams to recognize malicious functionality, which can be hard to do because malware developers specialize in evading detection. This is a good reminder that the basics of cyber hygiene coupled with services like digital risk protection (DRPS), and a comprehensive security mesh approach go a long way toward helping organizations stay on top of malware, regardless of its delivery mechanism.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...