Malware delivery mechanisms
When bad actors identify a vulnerability they can exploit, their next move is typically to deliver malware that achieves their objectives. When choosing a delivery platform, attackers have a variety of ways to get malware into systems without attracting attention, a situation we refer to as the “hacker’s choice.” They can also find ways to remain in those systems even longer without being noticed, which is what we are seeing with advanced persistent crime (APC).
Every platform stayed largely consistent, with the exception of XML, which had a minor increase in March and a subsequent decline in April. This isn’t particularly shocking: most malware developers employ and specialize in just one malware delivery platform, so this stability is to be anticipated.
In this case, we recognized CoinMiner as a trojan that performs activities without the user’s awareness. Among these actions are establishing remote access connections, gathering system information, intercepting keyboard input, injecting further malware into the compromised system, downloading and uploading files, launching denial-of-service (DoS) attacks, and running or terminating processes.
But don’t discount Linux
While Linux wasn’t among the most prevalent malware delivery platforms, that doesn’t mean it can’t make an impact. Today, the majority of Linux-based malware attacks are related to crypto-mining. Furthermore, attackers who use this kind of delivery platform typically use it to stage attacks, automate authentication attacks, or continue an attack even after a vulnerability has been found and exploited.
Comparing the volume of general Linux activity with what we know about Linux-based malware attacks, it’s hardly surprising that Mirai tops the list of the most prevalent threats on the Linux platform. This botnet has been around since 2016, but six years later it is still being used, exploited and updated.
The second most common ELF type we saw, BitCoinMiner, reflects more recent trends. The next group of threats is scattered and low in volume, including Tsunami, Agent and DDoS. However, low volume does not always equate to little impact. So, let’s take a look at other ELF detections that provide further information about what else is running on Linux.
While it’s clear that Miner samples are by far the most frequent ELF detections, several ransomware strains – like AvosLocker, Hive and Vigorf – also use Linux. AvosLocker is a well-known ransomware that is usually distributed and sold on the dark web as ransomware-as-a-service (RaaS). Although AvosLocker was discovered for the first time in July 2021, it has proven difficult for organizations and businesses to combat due to its capacity to be targeted and modified by criminals as they see fit.
Another ransomware variant called Vigorf gained popularity in March 2022 and, in terms of count, overtook both Hive (ransomware) and Miner malware in June. Additionally, Stealthworker, a Golang-based malware that uses brute force and was identified in 2019, is still present, albeit in very small volumes.
Defeating all malware comers
Clearly, it would be unwise to discount the potential impact of Linux-based malware attacks on your network security posture. Volume is not necessarily commensurate with the potential for harm. When it comes to securing your network, you need to be aware of all threats and prepared to defend against them all.
The good news is that in most cases, if you find malware on one of your systems, your SOC team can contain the compromised system if they can detect and respond to it in near-real time. But this usually requires teams to recognize malicious functionality, which can be hard to do because malware developers specialize in evading detection. This is a good reminder that the basics of cyber hygiene, coupled with services like digital risk protection (DRPS) and a comprehensive security mesh approach, go a long way toward helping organizations stay on top of malware, regardless of its delivery mechanism.
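Since the report notes that crypto-mining dominates Linux-based malware and that SOC teams need to recognize malicious functionality quickly, the following is an added example (not code from the original report or its authors) of a small triage routine that scores Linux process telemetry for miner-like behaviour. The log format, hostnames, process names, indicator patterns (pool URI schemes, miner command-line flags, miner binary names, world-writable staging directories) and the score weights are all constructed assumptions for illustration, not detections taken from the page.

```python
"""Toy near-real-time triage of Linux process telemetry for crypto-miner indicators.

Added illustration, not from the original report. The indicator lists, the
telemetry line format and the sample lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed indicator set (assumed, not taken from the page):
# - mining-pool URI schemes commonly passed on a miner's command line
# - command-line flags seen in common open-source miner builds
# - well-known miner binary names
# - world-writable directories often used to stage dropped binaries
POOL_SCHEME = re.compile(r"stratum\+(tcp|ssl)://", re.I)
MINER_FLAGS = re.compile(r"--(donate-level|coin=|algo=|cpu-priority)", re.I)
MINER_NAMES = re.compile(r"\b(xmrig|minerd|cpuminer)\b", re.I)
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
HIGH_CPU = 90  # percent; sustained high CPU on its own is only a weak signal

# Assumed telemetry format: "<host> pid=<n> cpu=<pct> exe=<path> cmd=<command line>"
LOG_LINE = re.compile(
    r"^(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cpu=(?P<cpu>\d+)\s+exe=(?P<exe>\S+)\s+cmd=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    host: str
    pid: int
    score: int
    reasons: list


def score_line(line):
    """Parse one telemetry line and return a Finding, or None if it is malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    exe, cmd, cpu = m["exe"], m["cmd"], int(m["cpu"])
    haystack = f"{exe} {cmd}"
    score, reasons = 0, []
    # Strong signals: talking to a mining pool or using miner-specific flags.
    if POOL_SCHEME.search(cmd):
        score, reasons = score + 3, reasons + ["mining-pool URI on command line"]
    if MINER_FLAGS.search(cmd):
        score, reasons = score + 2, reasons + ["miner-specific command-line flag"]
    if MINER_NAMES.search(haystack):
        score, reasons = score + 2, reasons + ["known miner binary name"]
    # Weak signals: staging location and CPU pressure, which legitimate software also shows.
    if exe.startswith(SUSPICIOUS_DIRS):
        score, reasons = score + 1, reasons + ["executable in world-writable directory"]
    if cpu >= HIGH_CPU:
        score, reasons = score + 1, reasons + ["sustained high CPU"]
    return Finding(m["host"], int(m["pid"]), score, reasons)


def triage(lines, threshold=3):
    """Return findings at or above the threshold, highest score first.

    The threshold is chosen so that a single weak signal (busy database, build
    job in /tmp) does not page anyone, while any strong signal does.
    """
    findings = [f for f in map(score_line, lines) if f is not None and f.score >= threshold]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample telemetry: one staged miner, one busy-but-benign service,
# one plainly named miner in a CI home directory, one normal worker, one bad line.
SAMPLE_TELEMETRY = [
    "web01 pid=4021 cpu=97 exe=/dev/shm/.x/kthreadd cmd=/dev/shm/.x/kthreadd "
    "-o stratum+tcp://pool.example:3333 -u wallet --donate-level=1",
    "db02 pid=777 cpu=95 exe=/usr/lib/postgresql/14/bin/postgres cmd=postgres: checkpointer",
    "build03 pid=5150 cpu=88 exe=/home/ci/xmrig cmd=./xmrig --coin=monero -o pool.example:443",
    "web01 pid=1203 cpu=12 exe=/usr/sbin/nginx cmd=nginx: worker process",
    "garbage line that does not match the telemetry format",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TELEMETRY):
        print(f"{f.host} pid={f.pid} score={f.score}: {', '.join(f.reasons)}")
```

The weighting matters more than the individual patterns: the busy PostgreSQL checkpointer scores only the weak CPU signal and stays below the threshold, while the renamed binary in `/dev/shm` is caught by what it connects to and how it is invoked rather than by its name, which is the kind of behavioural signal an evasion-focused malware author cannot easily drop.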