Linux systems are cybersecurity kings, but on a historic first, tech researchers have found a variant of a widespread malware, a favorite of Chinese hackers, have been discovered in a Linux system.
The discovery was made by researchers from the Chronicle, Alphabet’s cybersecurity department. The researchers revealed that they found a Linux variant of the Winnti malware that works as a backdoor on infected hosts, granting attackers access to compromised systems. It was the malware used by Chinese hackers in the high-profile cybercrime against a Vietnamese game company in 2015.
Chronicle researchers said that they discovered the malware following the news that Bayer, one of the biggest pharma company in the world, had been hit by Chinese hackers, and the Winnti malware was discovered on its servers.
After the team scanned Bayer’s system using its VirusTotal platform, they found what appeared to be a Linux variant of the Winnti, dating back to 2015 when it was first used by Chinese hackers to attack a Vietnamese gaming company.
According to the Chronicle, the malware that they have discovered comes in two parts: a rootkit to disguise the malware in the infected host and the actual backdoor Trojan. Further analysis the discovered Linux variant of the Winnti malware bears a lot of similarities to the malware’s Windows version. Other connections with the Windows version also included the similar way in which the Linux variant handled outbound communications with its command-and-control (C&C) server — which was a mixture of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols).
“As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux,” said the researchers in their comprehensive report.
Lastly, the Linux version, just like the Window’s version, also has the ability for Chinese hackers to initiate communication with the infected host without going through the C&C servers – distinct characteristics in Windows Winnti.
“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted,” Chronicle researchers said in a report published last week.
While infecting Linux systems is something already done especially by American and Russian hackers, it is also extremely rare, as pointed out by the Chronicle.
“Clusters of Winnti-related activity have become a complex topic in threat intelligence circles, with activity vaguely attributed to different codenamed threat actors. The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows-based environments. An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets, but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant,” added Chronicle.
Meanwhile, malware have become one of the most common tools to attack computer systems, even those of public institutions. A few days ago, ten Europeans were indicted for the malware attacks that have victimized several businesses and government agencies in the U.S.
The ten people who were charged were allegedly involved in the malicious software attacks that infected tens of thousands of computers and caused more than $100 million in financial losses, the US and European authorities announced Thursday last week.
The victims of the malware attacks included a Washington law firm, a church in Texas, a furniture business in California and a casino in Mississippi.
The charged individuals are now facing conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering.
The investigation started following the dismantling of a network of computer servers, known as Avalanche, which hosted more than two dozen different types of malware. The Justice Department had successfully taken their operation apart in 2016.
Officials reveal that the malware in the current court case has infected more than 41,000 computers by disguising as legitimate messages or invoice and was sent as spam emails. Once the email was opened, hackers will be able to record all keystrokes in the infected computer, sweeping data like baking information and wire money away from the victim’s account.