With 90% of the cloud powered by the Linux operating system, it's predictable that malware would follow — and it certainly has. However, most modern security tools are designed to solve Windows-based threats, leaving huge gaps in protection and more questions than answers when it comes to understanding Linux-based malware, its threat to multi-cloud environments, and what organizations can do about it.

With this in mind, VMware's Threat Analysis Unit recently set out to study the growth of Linux-based malware and its threat to multi-cloud environments. The findings are captured in VMware’s Menacing Malware: Exposing threats lurking in your Linux-based multi-cloud report. VMware’s threat researchers spoke with SC Media about the report during a recent webcast. The research is further covered in an upcoming SC Special Focus report.

This article, the first in a series, focuses on some of the characteristics that make Linux malware so persistent.

Sophisticated cloud-management tools

Linux-based malware manages to persist for a variety of reasons. In targeting cloud infrastructure, for example, it uses sophisticated cloud management tools to shut down virtualized systems so that they can encrypt systems, workloads, and data.

It is also fairly easy to adapt techniques long used against Windows systems to target Linux. For example, the ransomware gang HelloKitty moved from Windows systems to Linux by developing new versions of their software used in previous attacks.

"We've also seen how open Docker infrastructure and open Kubernetes infrastructure can be leveraged to deploy new [malware] components," said Giovanni Vigna, senior director of threat intelligence at VMware.

Ransomware tactics

Another example of Linux malware’s persistence: Ransomware has evolved to target host images. Defray777, for example, encrypts host images on VMware ESXi servers. Other families of ransomware that target Linux systems include Erebus, GonnaCry, and eCh0raix.

The research team identified considerable code sharing by analyzing malware, including associated shell and Python scripts and binaries. This included such widespread malware as DarkSide and BlackMatter, and ViceSociety sharing code fragments with REvil.

The researchers further identified the capabilities of the Linux-based ransomware and correlated them to the MITRE ATT&K framework. They found defense evasion, obfuscated files or information in 59% of the samples, system information discovery in 18%, and de-obfuscated/decoded files or information in nearly 11% of samples.

Corruption of Cobalt Strike

Threat actors are also deepening their foothold into Linux-based cloud environments by hijacking commercial software.

For example, researchers discovered more than 14,000 active Cobalt Strike Team Servers on the Internet since February 2020. Cobalt Strike was one of the first public red team command-and-control frameworks. In 2020, HelpSystems acquired Cobalt Strike to add to its Core Security portfolio and pair with Core Impact. Today, Cobalt Strike is the go-to red team platform for many U.S. government, large business, and consulting organizations.

It's also become a go-to platform for the bad guys: The total percentage of cracked or leaked Cobalt Strike customer IDs is 56 percent, according to the VMware report. This means that more than half of the Cobalt Strike users are utilizing illegitimately obtained versions of the commercial software.  

Learn more about the threat Linux-based malware poses

Knowing the core characteristics of this under-addressed type of malware is an essential starting point for organizations looking to bolster their Linux security posture. Similarly, it’s important to understand what Linux-based malware does once it successfully infiltrates an environment—we’ll cover this in our next article.

To continue exploring this topic in the meantime, download VMware’s full report or listen to SC Media’s webcast with VMware on the report’s findings.