Tor-Based Botnet Malware Targets Linux Systems, Abuses Cloud Management Tools


We found a botnet malware campaign targeting Linux systems, abusing the Tor network for proxies, and exploiting cloud infrastructure management tools for intrusion.


By: David Fiser, Alfredo Oliveira, April 22, 2021
The rise of threats that target Linux has dispelled the myth that there is no malware that goes after the ubiquitous operating system. As Linux attracts more attention from malicious actors, we have also started seeing threats evolving — abusing services like Ngrok and using functions to hunt and kill other competing malware.


Most of the samples we’ve recently been analyzing implement encoding techniques that are not effective in protecting any content but are effective enough to slow down analysis via complex functions and multiple layers of code — making it difficult to find patterns to decode all layers at once. Among those we found in our scans is a botnet malware sample whose full content initially appeared to be Base64 text only, meant to be run piped to Bash. As a result, the shell would interpret the decoded shell script code, which was again encoded in a new layer.
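The layer peeling an analyst does on such a sample, as an added example that is not from the original article: a constructed, harmless script is wrapped in several Base64 layers in the `echo <b64> | base64 -d | bash` staging form (the outermost left as bare Base64, matching the sample described above), then unwrapped one layer at a time until plain shell script appears. The exact staging pattern, the maximum layer count and the helper names are assumptions.

```python
import base64
import binascii
import re

# Constructed, benign stand-in for the innermost payload (not real malware).
INNER_SCRIPT = "#!/bin/bash\necho hello from layer zero\n"

# One staging form seen in Base64-piped-to-Bash droppers (assumed pattern):
#   echo <base64> | base64 -d | bash
B64_STAGE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh"
)


def wrap_layers(script: str, layers: int) -> str:
    """Build a constructed test blob with `layers` nested Base64 layers.
    Inner layers are staged as 'echo <b64> | base64 -d | bash'; the
    outermost layer is left as bare Base64 text, as in the sample."""
    data = script
    for i in range(layers):
        b64 = base64.b64encode(data.encode()).decode()
        data = b64 if i == layers - 1 else f"echo {b64} | base64 -d | bash\n"
    return data


def unwrap_layers(blob: str, max_layers: int = 20):
    """Peel nested Base64 layers until the content is no longer Base64.
    Each layer is either bare Base64 or a staged 'echo ... | base64 -d | bash'.
    Returns (innermost plaintext, number of layers peeled). A binary or
    non-UTF-8 payload stops the loop and is returned as-is at that depth."""
    layers = 0
    current = blob.strip()
    while layers < max_layers:
        m = B64_STAGE.search(current)
        candidate = m.group(1) if m else current
        candidate = "".join(candidate.split())  # drop line breaks in bare Base64
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break  # not Base64 (or not text): we have reached the real script
        current = decoded.strip()
        layers += 1
    return current, layers


if __name__ == "__main__":
    blob = wrap_layers(INNER_SCRIPT, 3)
    script, depth = unwrap_layers(blob)
    print(f"peeled {depth} layers:\n{script}")
```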


Here we discuss some of the emerging techniques among malicious actors targeting Linux systems: the use of Tor (The Onion Router) through a network of proxies using the Socks5 protocol, the abuse of legitimate DevOps< ..