Linux Malware

All articles tagged with #linux malware

VoidLink: A Cloud-Native Linux Malware Framework Targets Cloud and Containers
security, 1 month ago

Check Point Research details VoidLink, a modular, cloud-first Linux malware framework designed for long-term access in cloud and container environments. Written in Zig, it features a two-stage loader, an in-memory plugin system with 37 default plugins, a web-based C2 dashboard, and adaptive stealth that tailors behavior after detecting cloud providers (AWS, GCP, Azure, Alibaba, Tencent). It supports multiple command-and-control channels (HTTP/HTTPS, DNS, ICMP) and even a potential mesh network, plus rootkit capabilities (LD_PRELOAD, eBPF, LKM) depending on kernel version, anti-analysis and self-deletion measures, and a broad plugin ecosystem for post-exploitation tasks. The framework appears to be under active development—likely commercial—raising the need for defenders to harden Linux, cloud, and container environments; as of publication, no real-world infections had been observed.

Rapid Deployment of Custom Linux Malware via 1-Day Exploits by Magnet Goblin Hacker Group
cybersecurity, 1 year ago

A financially motivated threat actor known as Magnet Goblin is exploiting known vulnerabilities to target public-facing services and deliver custom malware to unpatched Windows and Linux systems, including recently discovered Ivanti Connect Secure VPN flaws. The group deploys custom Windows and Linux malware, such as NerbianRAT and MiniNerbian, and leverages legitimate remote monitoring and management tools. Researchers have observed the group's quick adoption of 1-day vulnerabilities to deliver their custom Linux malware, targeting areas that have been left unprotected.

Rising Threat: Magnet Goblin Exploits 1-Day Vulnerabilities to Install Linux Malware
cybersecurity, 1 year ago

Researchers have discovered a previously unseen Linux variant of the NerbianRAT malware, which has been circulating for at least two years and is installed through the exploitation of recently patched vulnerabilities. The malware, attributed to the threat actor Magnet Goblin, is used to steal credentials and has been deployed through 1-day vulnerabilities in various software, including Ivanti Connect Secure, Magento, and Qlik Sense. Check Point Research also identified a smaller version of the malware, MiniNerbian, used for backdooring servers running the Magento e-commerce platform. The Linux version of NerbianRAT lacks protective measures and has been observed stealing VPN credentials and connecting to attacker-controlled IPs.

Exploiting 1-Day Flaws: Magnet Goblin Hackers Deploy Custom Linux Malware
cybersecurity, 2 years ago

The financially motivated hacking group Magnet Goblin is exploiting 1-day vulnerabilities to deploy custom malware on Windows and Linux systems, targeting devices and services such as Ivanti Connect Secure, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense, and Magento. The group uses custom malware including NerbianRAT and MiniNerbian, with a Linux variant of NerbianRAT identified. Check Point warns that identifying such threats among the volume of 1-day exploitation data is challenging, emphasizing the importance of quick patching and additional security measures to mitigate potential breaches.

SprySOCKS: The Latest Linux Malware Unleashing Cyber Espionage Attacks
cybersecurity, 2 years ago

Chinese hacker group Earth Lusca has been targeting government agencies worldwide with a new Linux backdoor called SprySOCKS. The malware, which originated from the Trochilus Windows malware, has been adapted for Linux systems and combines features from other malware. Earth Lusca exploits n-day vulnerabilities to gain initial access and deploys Cobalt Strike beacons for remote access. The SprySOCKS loader is dropped to establish persistence and perform various malicious activities, including collecting system information, starting an interactive shell, managing SOCKS proxy configurations, and conducting basic file operations. Organizations are advised to apply security updates to prevent compromise from Earth Lusca.