Linux Malware: A Growing Concern for Administrators
Much to the dismay of Linux system administrators and users, 2019 and the first five months of 2020 have been plagued with emerging malware campaigns targeting Linux servers. These attacks have demonstrated new and dangerous tactics for spreading, remaining undetected and compromising servers. Although they constitute a small sample of emerging malware targeting Linux systems, Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT and Tycoon are seven prime examples of the rapid evolution of Linux malware in the past year.
Cloud Snooper uses a unique combination of sophisticated techniques to sneak into Linux and Windows servers and communicate freely with command and control servers through firewalls. The malware enables threat actors to open up servers to the cloud “from the inside out”, and is the first example of an attack formula that combines a bypassing technique with a multi-platform payload targeting both Windows and Linux systems. While each individual element of Cloud Snooper’s tactics, techniques and procedures (TTPs) has been observed previously, these elements have not been utilized in combination until now. Security experts predict that this package of TTPs will be used as blueprints for dangerous new firewall attacks.
Just last month - in a sophisticated exploit utilizing Cloud Snooper - hackers pwned Amazon Web Services (AWS) servers, set up a rootkit which enabled them to remotely control servers, then funneled sensitive data to command and control (C2) servers from compromised Windows and Linux machines. Security researcher Willem Mouton describes the attack: “From a technical perspective it is a thing of beauty, also the fact that they made it cross platform.”
Discovered in July 2019, EvilGnome disguises itself as a Gnome shell extension to remain undetected by security software, while spying on desktop users. EvilGnome is delivered via a self-extractable archive created using the makeself shell script, and the infection is automated with the help of an autorun argument left in the headers of the self-executable payload. When downloaded on a Linux system, the malware is capable of stealing files, taking desktop screenshots, capturing audio recordings from the user’s microphone and downloading and executing other modules.
EvilGnome attacks have been linked to the Gamaredon Group, a Russian advanced persistent threat (APT) group notorious for developing custom malware variants. The EvilGnome malware developers and the Gamaredon Group use the same hosting provider, and EvilGnome uses C2 servers connected to domains associated with the Russian threat group. While it has not been confirmed that Gamaredon Group has developed or used any Linux malware to date, tactics and techniques used by the EvilGnome Linux backdoor match those used by the Russian threat group, making a strong case that Gamaredon Group may be broadening its horizons and targeting Linux with its sophisticated attacks.
Early in 2019 security researchers discovered a new strain of Linux malware created by Chinese hackers which could be used to remotely control infected systems. Dubbed HiddenWasp, this sophisticated malware consists of a trojan, a user-mode rootkit and an initial deployment script. It is deployed as a second-stage payload, and is capable of running terminal commands, interacting with the local filesystem and more. HiddenWasp displays similarities to several other Linux malware families including Azazel, ChinaZ and Adore-ng, suggesting that some of its code may have been borrowed. Unlike common Linux malware, HiddenWasp is not focused on DDoS activity or crypto-mining. Rather, it is a trojan solely used for targeted remote control.
This past summer, security researchers identified a rare instance of Linux ransomware targeting network-attached storage (NAS) servers. The malware, which they named QNAPCrypt, is an ARM variant that encrypts all files; however, unlike standard ransomware, the ransom note is delivered solely as a text file, without any message on the screen. Each victim is provided with a unique Bitcoin wallet, a tactic that helps conceal the identity of the attackers. Once a system is infected, the ransomware requests a wallet address and a public RSA key from the command and control server (CC2) before file encryption. This is a major flaw in QNAPCrypt’s design - as it enables victims to temporarily block threat actors’ operations. Despite this weakness, QNAPCrypt represents the “evolution and adaptation of an attack to bypass security controls” - as it isn’t very common for Linux system administrators to deploy endpoint monitoring to network file servers.
GonnaCry is an emerging Linux ransomware variant that is currently under active development for research purposes in Python and C. Lead developer Tarcisio Marinho explains the motivation behind his work: “Since the worldwide spread of the Wannacry ransomware in May 2017 affected so many countries and companies, I kept wondering: Is it really hard to mess with a company’s or a person’s life with a computer? The answer is yes, it’s possible. And ransomware is a computer virus so powerful to do so.”
GonnaCry begins its work by finding the files it will encrypt. Once it has identified these files, the malware starts its encryption routine and then creates a desktop file that will help the decryptor access the path, key and IV used to encrypt each file. The ransomware then frees the memory allocated by the files on the computer. GonnaCry does not rival notorious variants like WannaCry and Petya in complexity, but according to Marinho, “The basic structure is working.”
FBOT is a client variant of the infamous Mirai botnet that targets Linux IoT devices. According to the Malware Must Die! blog, FBOT recently re-emerged after almost a month of inactivity on February 9, 2020, with several technical updates, including advances in its method of infection and increased propagation speed. Malware Must Die! Reflects on the re-emergence of FBOT and the future of Linux IoT malware: “We are in an era where Linux or IoT malware is getting into better form with advantages. It is important to work together with threat intelligence and knowledge sharing, to stop emerging malicious activity before it becomes a big problem for all of us later on.”
Tycoon is an emerging strain of Java-based ransomware that targets both Linux and Windows systems. This dangerous ransomware variant, which was discovered by Blackberry security researchers, uses a little-known file format - making it highly difficult to detect before it detonates its file-encrypting payload. The researchers who discovered Tycoon report that this is the first time they’ve seen a ransomware module compiled into a Java image (JIMAGE) file format. JIMAGE files are rarely scanned by anti-malware engines, and malicious JIMAGE files stand a good chance of going undetected as a result. BlackBerry explains in a blog post, “Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats.”
BlackBerry researchers say that they have observed roughly a dozen “highly targeted” Tycoon infections over the past six months, and that the attackers appear to carefully select their victims, favoring small- and medium-sized businesses in the software and education industries. However, as is often the case, the researchers suggest that the actual number of infections is likely much higher.