Malware

A new Linux Botnet abuses IaC Tools to spread and other emerging techniques

A new Linux botnet uses Tor through a network of proxies using the Socks5 protocol, abuses legitimate DevOps tools, and other emerging techniques.

Researchers from Trend Micro have spotted a new Linux botnet employing multiple emerging techniques among cyber-criminals, including the use of Tor proxies, the abuse of legitimate DevOps tools, and the removal or deactivation of competing malware.

Experts highlighted that this Linux botnet downloads all the files it needs from the Tor network, including legitimate binaries like ssps, and curl. Botmasters maintain a big network of proxies that receive the connection coming from the surface web.

The malware also performs HTTP requests using shell script and Unix system design to get more information on the infected systems.

The malware leverages a network of proxies to convert the requests to the Tor network before reaching out to the server and retrieving the files. The proxies are used to send identifiable information about the infected system, including:

  • IP addresses (randomized external and hashed internal)
  • The operating system architecture
  • The username currently running the script
  • A part of the uniform resource identifier (URI) identifying the file to be downloaded (which is architecture-dependent)
  • The file to be saved, where -o indicates the file name that should be saved (also randomized)
  • The host name running the script

“We also discovered that most of the proxy servers used have open services with multiple vulnerabilities. These might be indicative of previous exploitation and deployment of the Tor proxy service without the knowledge of the server owner.” reads the analysis published by Trend Micro. “That the proxy service was always disabled after a while in our weeks-long monitoring of the proxies suggests that this is the case.”

The malware analyzed by the experts could run on different architectures using Linux-based OS, a circumstance that suggests that the botnet was involved in a wider campaign targeting Linux systems.

This is the first bot that abuses the infrastructure-as-code (IaC) tools, such as  AnsibleChef, and Salt Stack. for spreading.

The botnet is currently involved in cryptocurrency mining activity, it delivers the XMRig Monero (XMR) miner onto the infected machines. The binary includes a configuration file and unlike other cryptocurrency miners, it uses its own mining pool instead of public pools to make tracking attackers even more difficult. 

“This malware sample does not need other software; the Linux operating system is the only requirement for the malware to run and spread. It downloads the essential tools (ss, ps, curl) because not every environment targeted for infection has them and it’s likely that the user doesn’t have the necessary permissions to install them on the system (as in the case of containers),” Trend Micro concludes. “Their weaponization of IaC tools suggests that these malicious actors are also well aware of the adoption of new technologies nowadays.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

9 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

13 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

18 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

21 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.