Tor-Based Linux Botnet Abuses IaC Tools to Spread

A recently observed malware botnet targeting Linux systems employs several techniques that are gaining ground among cyber-criminals, including Tor proxies, legitimate DevOps tools, and the removal of competing malware, according to new research from anti-malware vendor Trend Micro.

The researchers say the malware can download every file it needs from the Tor anonymity network, including post-infection scripts and legitimate, essential binaries that may be missing from the environment, such as ss, ps, and curl.

With the help of these tools, the malware can make HTTP requests, gather information about the infected system, and even run processes.

To carry out the attacks, the threat actor behind the botnet operates a large network of proxies that bridge the surface web and the Tor network.

In addition to relaying requests, these proxies send various details about the victim systems, including IP address, architecture, username, and part of the uniform resource identifier (URI), which determines which architecture-dependent binary is downloaded.

The abused proxy servers expose vulnerable open services, suggesting they were compromised without the knowledge of their owners. During their investigation, Trend Micro’s researchers observed that the proxy service was consistently disabled after some time.

The Linux malware can run on a wide range of system architectures; its initial script performs several checks on the target before downloading additional files and continuing the infection process.

Thus, Trend Micro believes that the threat actor behind the botn ..