An overview of targeted attacks and APTs on Linux
by GReAT team; Kaspersky Lab, September 10, 2020
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
This article gives a high-level overview of the APT groups that attack Linux systems.
| Notes |
|---|
| Linux Malware |
| More APT tools are found on Windows than Linux. |
| Linux may give users a false sense of security |
| webshells |
| Linux is an attractive target for attackers |
| Linux computers may be more likely to be unmonitored, unpatched, or lack visibility |
| Linux compromises can be used to pivot internally to Windows/macOS machines. |
| heartbleed |
| Shellshock |
| Barium |
|---|
| Barium (aka Winnti, APT41) is a Chinese APT group https://securelist.com/winnti-more-than-just-a-game/37029/ |
| MESSAGETAP is Linux malware used by Barium to intercept SMS messages on telco systems. https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html |
| 64-bit ELF data miner/sniffer |
| checks for existence of config files keyword_parm.txt and parm.txt |
| attempts to read config files every 30 seconds |
| config files are XOR-encrypted with a key containing the URL http://www.etsi.org/deliver/etsi_ts/123000_123099/123040/04.02.00_60/ts_123040v040200p.pdf |
| config files will have data containing IMSI and phone numbers and keywords that the sniffer will monitor |
| config files are deleted from disk after consumed by the sniffer |
| implemented with libpcap |
| parses SCTP, SCCP, and TCAP protocols. |
| if a keyword or number is discovered, it logs XOR-encrypted data to etc//kw.csv or etc_.cvs; parse errors are logged to /etc//_.dump |
| mtlserver (hash 8D3B3D5B68A1D08485773D70C186D877) is an early sample of this malware. |
| GReAT also suspects a Go-written C2 tool that targets Linux systems may be attributable to Barium; not much information is available about it. |
| Cloud Snooper |
|---|
| Cloud Snooper is a threat actor reported by Sophos in February 2020 https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf |
| Discovered on AWS-hosted assets |
| contained a rootkit |
| based on Gh0st RAT/NoodRAT https://asec.ahnlab.com/en/62144/ |
| gh0st has been leaked (Windows). https://github.com/sin5678/gh0st |
| it is unclear if gh0st has been multiplatform from the beginning, or developed from the leak |
| implements an LKM rootkit “snd_floppy” that uses a Netfilter hook |
| upon receiving a TCP SYN packet with source port 6060, it drops an RC4-encrypted (password YaHo0@) binary to /tmp/snoopy, executes it via call_usermodehelper(), and deletes it |
| /tmp/snoopy runs |
| snoopy contains several error messages in Chinese |
| some versions of snoopy are named rrtserver |
| C2 communications use a bespoke algorithm based on RC4 |
| Windows version of the malware contains a typo “Netword” instead of “Network” |
| uses mutexes to avoid running multiple times |
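
The MESSAGETAP and Cloud Snooper notes above both come down to a handful of host-side artifacts: fixed config and log filenames, a payload dropped to /tmp, and a kernel module with a suspicious name. The script below is an added example (not code from the Securelist article or from FireEye/Sophos) that sweeps a host snapshot for exactly those artifacts. It takes the text of /proc/modules and a list of file paths, so it runs offline on the constructed sample included; the snapshot format, the function names and the sample data are this example's own assumptions, while the indicator names come from the notes.

```python
"""Host-side indicator sweep for the MESSAGETAP and Cloud Snooper notes.

Added example, not code from the Securelist article or the vendors it cites.
It inspects a snapshot of the host (the text of /proc/modules plus a list of
file paths) so it runs offline on constructed input; the snapshot format and
all function names are this example's own assumptions.
"""
import os

# Filenames the notes tie to MESSAGETAP (its config inputs and hit log) and to
# Cloud Snooper (its dropped payload). Matching is on the final path component.
SUSPICIOUS_BASENAMES = {
    "keyword_parm.txt": "MESSAGETAP config (keyword list)",
    "parm.txt": "MESSAGETAP config (IMSI / phone-number list)",
    "kw.csv": "MESSAGETAP keyword-hit log",
    "snoopy": "Cloud Snooper dropped payload",
    "rrtserver": "Cloud Snooper payload (alternate name)",
}

# Kernel module names to flag. The name snd_floppy imitates the ALSA snd_*
# sound-driver naming scheme (assumption about intent); no stock module uses it.
SUSPICIOUS_MODULES = {"snd_floppy": "Cloud Snooper LKM rootkit"}


def loaded_modules(proc_modules_text):
    """Parse /proc/modules-style text into the set of loaded module names.
    Each line starts with the module name; the remaining fields are ignored."""
    names = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def flag_modules(proc_modules_text):
    """Return [(module, reason)] for suspicious modules found in the snapshot."""
    present = loaded_modules(proc_modules_text)
    return [(m, why) for m, why in SUSPICIOUS_MODULES.items() if m in present]


def flag_paths(paths):
    """Return [(path, reason)] for paths whose basename is a known indicator.
    'snoopy' is only flagged directly under /tmp, the location the notes give,
    because the bare name is plausible for legitimate files elsewhere."""
    hits = []
    for path in paths:
        base = os.path.basename(path)
        why = SUSPICIOUS_BASENAMES.get(base)
        if why is None:
            continue
        if base == "snoopy" and os.path.dirname(path) != "/tmp":
            continue
        hits.append((path, why))
    return hits


def collect_paths(dirs=("/tmp", "/etc")):
    """On a live host, walk the given directories and return their file paths.
    /tmp and /etc are the locations the notes mention; widen as needed."""
    found = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            found.extend(os.path.join(root, f) for f in files)
    return found


# Constructed sample snapshot (not real data) in the shape a live host gives.
SAMPLE_PROC_MODULES = """\
nf_conntrack 172032 1 nf_nat, Live 0xffffffffc0a00000
snd_floppy 16384 0 - Live 0xffffffffc0b00000 (OE)
ext4 737280 1 - Live 0xffffffffc0100000
"""
SAMPLE_PATHS = [
    "/etc/ssh/sshd_config",
    "/tmp/snoopy",
    "/home/dev/snoopy",       # same basename outside /tmp: not flagged
    "/opt/app/parm.txt",
    "/opt/app/etc/kw.csv",
]

if __name__ == "__main__":
    # First the constructed sample, then the live host if /proc/modules exists.
    for name, why in flag_modules(SAMPLE_PROC_MODULES):
        print(f"[sample] module {name}: {why}")
    for path, why in flag_paths(SAMPLE_PATHS):
        print(f"[sample] file {path}: {why}")
    if os.path.exists("/proc/modules"):
        with open("/proc/modules") as fh:
            live_modules = fh.read()
        for name, why in flag_modules(live_modules):
            print(f"[live] module {name}: {why}")
        for path, why in flag_paths(collect_paths()):
            print(f"[live] file {path}: {why}")
```

Basename matching is deliberately loose (parm.txt is a generic name), so treat hits as leads to triage rather than verdicts; a rootkit that hides its own module from /proc/modules will also defeat the module check, which is why the notes' other artifacts are checked alongside it.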
| Equation Group https://securelist.com/?s=equation |
|---|
| American APT group |
| Likely NSA TAO APT |
| Likely responsible for Stuxnet and Flame malware |
| powerful arsenal of implants: EQUATIONLASER EQUATIONDRUG DOUBLEFANTASY TRIPLEFANTASY FANNY GRAYFISH … |
| POSIX-compliant codebase allows cross-platform development |
| DOUBLEFANTASY for Linux; collects system information and credentials, provides general access to a system |
| Hacking Team |
|---|
| Hacking Team was an Italian information technology company that sold intrusion and surveillance software to governments |
| Hacked by Phineas Fisher in 2015; 400 GB of data leaked, including company data, source code, and customer information. |
| leak included DancingSalome (aka Callisto) malware, Adobe Flash exploit (CVE-2015-5119) |
| RCS (remote control system) malware Galileo (aka Da Vinci, Korablin, Morcut, Crisis) had agents for Windows, macOS, and Linux |
| Lazarus |
|---|
| Lazarus (Hidden Cobra) is a North Korean APT group |
| MATA multi-platform malware https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ |
| uses a pid file as a mutex |
| probably targets Linux-based networking gear or IoT devices |
| https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/ |
| stores config in a “hidden file” beginning with dot “$HOME/.memcache” |
| AES encryption of config files using hard-coded key |
| network communication uses layered TLS and RC4 |
| extensible with a plugin system. |
| disguises User-Agent |
| linked with exploitation of Confluence CVE-2019-3396 |
| drops copies of socat |
| scans for port 8291 (MikroTik RouterOS administration interface), sends results to a logging server |
| Manuscript malware shares characteristics with MATA including filename reuse https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF |
| Sofacy |
|---|
| Sofacy (aka APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team) is a Russian APT group. |
| known to use 0-days and a broad malware set. |
| SPLM (aka CHOPSTICK and XAgent) |
| Linux module named Fysbis |
| code reuse across the Windows, Linux, and macOS versions suggests a sole developer or small team. |
| The Dukes |
|---|
| The Dukes https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/ |
| Prolific APT group with a lot of malware: PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke, CloudDuke |
| SeaDuke includes a Linux variant |
| The Lamberts |
|---|
| SilverLambert is cross-platform (Windows and Linux) |
| Tsunami |
|---|
| Tsunami (aka Kaiten) backdoor is malware targeting Linux-based IoT devices on a variety of architectures. |
| Tsunami was used in the Linux Mint hack https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ |
| Tsunami uses the IRC protocol for C2 |
| Two-Sail Junk |
|---|
| In January 2020, a watering-hole attack with a full remote iOS exploit chain deployed an implant named LightSpy |
| LightSpy has versions for Windows, Linux, and macOS. https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ |
| WellMess |
|---|
| possibly used by CozyDuke (APT29) |
| initially documented by JPCERT https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html |
| RAT written in Go. |
| WildNeutron |
|---|
| WildNeutron https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/ |
| WildNeutron aka Morpho or Butterfly |
| Hacked Twitter, Microsoft, Apple, and Facebook in 2012-2013 |
| used a custom Linux backdoor. |
| Zebrocy |
|---|
| Zebrocy - custom malware seen in 2015 |
| Hardening Linux recommendations |
|---|
| only install software from trusted repositories. |
| don't do “curl | sudo bash” |
| make sure update channels use HTTPS or SSH, not HTTP. |
| update in a timely manner, perhaps with cron or auto-updates |
| close unused services |
| firewall required services, if possible, so they accept traffic only from trusted sources. |
| use NAT |
| protect locally-stored ssh keys |
| use MFA |
| store and analyze logs; network, system, application. |
| monitor the integrity of system configuration files and binaries |
| auditd |
| osquery |
| physical security: full disk encryption, safe boot, don't leave your shit unlocked. |
| use EDR |
| audit container usage |
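
Two items in the hardening list above can be checked mechanically: update channels that still fetch over plain HTTP (or that disable signature checks), and locally stored SSH private keys readable by other users. The script below is an added example, not code from the article; the apt source-line parsing, the function names and the sample sources.list are this example's own assumptions, and the key files it creates are placeholders in a temporary directory.

```python
"""Audit helpers for the hardening list: plain-http update channels and
loosely permissioned SSH private keys.

Added example, not code from the Securelist article. Function names and the
sample sources.list are constructed for this example.
"""
import os
import re
import stat
import tempfile

# apt one-line format:  deb [options] URI suite components
_SOURCE_RE = re.compile(
    r"^\s*(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)")


def insecure_update_sources(sources_text):
    """Return [(lineno, reason, line)] for apt source lines that fetch over
    plain http:// or that disable signature checking with [trusted=yes]."""
    findings = []
    for n, line in enumerate(sources_text.splitlines(), 1):
        m = _SOURCE_RE.match(line)
        if not m:
            continue  # comments, blank lines, unrelated text
        uri = m.group("uri").lower()
        opts = (m.group("opts") or "").lower().replace(" ", "")
        if uri.startswith("http://"):
            findings.append((n, "plain http transport", line.strip()))
        if "trusted=yes" in opts:
            findings.append((n, "signature checking disabled", line.strip()))
    return findings


def loose_private_keys(ssh_dir):
    """Return [(path, octal_mode)] for files in ssh_dir that look like private
    keys (no .pub suffix, not a config-style file) and are accessible to
    group or others. Private keys should be mode 0600."""
    skip = {"config", "known_hosts", "authorized_keys", "environment"}
    loose = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path) or name.endswith(".pub") or name in skip:
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            loose.append((path, oct(mode)))
    return loose


# Constructed sample sources.list (hosts are placeholders, not real mirrors).
SAMPLE_SOURCES = """\
# constructed sample sources.list
deb https://deb.debian.org/debian bookworm main
deb http://mirror.example.internal/debian bookworm main
deb [arch=amd64 trusted=yes] https://pkgs.example.internal/apt stable main
deb-src https://deb.debian.org/debian bookworm main
"""


def demo_key_dir():
    """Create a throwaway ~/.ssh look-alike: one tight key, one loose key,
    one public key. Contents are placeholders, not real key material."""
    d = tempfile.mkdtemp(prefix="sshaudit-")
    for name, mode in (("id_ed25519", 0o600), ("id_rsa", 0o644), ("id_rsa.pub", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for n, why, line in insecure_update_sources(SAMPLE_SOURCES):
        print(f"sources.list:{n}: {why}: {line}")
    for path, mode in loose_private_keys(demo_key_dir()):
        print(f"{path}: mode {mode} allows group/other access")
    # On a real host, point the second check at os.path.expanduser("~/.ssh").
```

The regex covers the classic one-line apt format only; deb822-style sources under /etc/apt/sources.list.d/*.sources need a separate parser, and non-apt systems have their own equivalents (for example repository baseurl lines on RPM-based distributions).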