
Linux APT attack analysis

2025-01-18 Update, from SLTechnology News&Howtos (Network Security)

Shulou(Shulou.com)05/31 Report--

This article surveys what is publicly known about APT activity against Linux. The sections below walk through the main groups that have deployed Linux tooling and what that tooling does, and close with hardening recommendations for Linux systems.

Most APT tooling is written for Windows, and Linux is widely assumed to be more secure and less exposed to malicious code. Linux has indeed not seen the volume of viruses, worms and Trojans that Windows has, but Linux malware does exist, including PHP backdoors and rootkits.

Linux servers host a wide range of services, which makes them a prime target. An attacker who compromises a Linux server gains not only the data stored on it but also a foothold from which to attack the Windows and macOS machines connected to it.

Barium

The Winnti APT group (also known as APT41 or Barium) was first reported in 2013, when it focused on financially motivated attacks against gaming companies. Its operations have since broadened, many new tools have been developed, and its attacks have grown more sophisticated.

MESSAGETAP is Linux malware used by the group to selectively intercept SMS traffic at telecom operators. According to FireEye, the group deployed it on SMS gateway systems after infiltrating ISPs and telecom companies, effectively building a surveillance grid.

Another Barium/APT41 tool, written in Go (Golang), was discovered recently. It is not yet clear whether it is a tool for system administration tasks or part of the APT41 toolset proper. For details, see "Suspected Barium network control tool in GO for Linux".

Cloud Snooper

In February 2020, Sophos published a report on Cloud Snooper, a set of malicious tools built around a server-oriented Linux kernel rootkit. The rootkit hooks the Netfilter packet-filtering path so that C2 (command and control) traffic can pass through the host firewall hidden inside what looks like legitimate traffic. Multiple samples were found, along with targeted servers in Asia; the toolset appears to have been under development since at least 2016.

Equation

Equation was discovered in 2015; its activity can be traced back to 2001, and possibly as early as 1996, across a number of CNE (computer network exploitation) operations. The group has a deep toolset, including EQUATIONLASER, EQUATIONDRUG, DOUBLEFANTASY, TRIPLEFANTASY, FANNY and GRAYFISH. Its work is not limited to Windows: a POSIX-compliant code base lets it build for other platforms, and an early DOUBLEFANTASY variant for Linux, discovered in 2015, collects system information and credentials and provides remote access to the infected host.

HackingTeam

HackingTeam is an Italian information technology company that sells "surveillance software" to governments, law enforcement agencies and businesses around the world. In 2015 a breach exposed 400 GB of its data, including source code and customer data, and the leaked tools were picked up, adapted and used by attackers around the world, such as DancingSalome (aka Callisto). The leak included a zero-day exploit for Adobe Flash (CVE-2015-5119) as well as the RCS (Remote Control System) malware platform (aka Galileo, Da Vinci, Korablin, Morcut and Crisis), a sophisticated suite providing remote access, keystroke logging, message logging and data exfiltration, capture of Skype audio and video, and bypass of stream encryption.

Lazarus

In late 2018, researchers discovered a previously unknown malicious framework, MATA, with Windows, Linux and macOS components. It has been used against commercial companies in South Korea, India, Germany and Poland, and shares code similarities with Manuscrypt, a malware family attributed to Lazarus (also known as Hidden Cobra).

In June 2020, researchers analysed macOS samples from the Lazarus operations AppleJeus and TangoDaiwbo, used in financially motivated and espionage attacks, confirming that the group is actively developing non-Windows malware.

Sofacy

Sofacy (also known as APT28, Fancy Bear, STRONTIUM, Sednit and Tsar Team) is a highly active and prolific APT group. From large-scale zero-day deployments to a rich set of malware, Sofacy is one of the top APT groups tracked by researchers. It has developed modules for multiple platforms, including a Linux backdoor known as "Fysbis" in 2016. Samples found on Windows, macOS, iOS and Linux indicate that a core team is modifying and maintaining a shared code base.

The Dukes

The Dukes is a sophisticated attack group first documented in 2013. It targets Chechnya, Ukraine and Georgia, as well as Western governments, non-governmental organisations and NATO. The Dukes toolset is a fully featured malware suite written in several programming languages; its malware families and campaigns include PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke.

Lamberts

Lamberts is a highly sophisticated attack group with a large malware library, including network-driven backdoors, modular backdoors, collection tools and wipers for destructive attacks. An overview of the Lamberts families published in 2017 identified the SilverLambert backdoor, which is compiled for both Windows and Linux.

Tsunami backdoor

Since its first appearance in 2002, Tsunami (aka Kaiten) has become a UNIX backdoor used by many different attackers, with more than 70 known variants. The source code compiles for a variety of embedded targets, with builds for ARM, MIPS, SPARC and Cisco 4500/PowerPC, making it a threat to Linux-based routers, DVRs and a growing number of IoT (Internet of Things) devices.

Turla

Turla, also known as Uroboros, Venomous Bear and Waterbug, is a Russian-speaking group known for, among other techniques, hijacking satellite links and watering-hole attacks on government websites. The group has changed its toolset significantly over the years; every Turla malware sample seen before 2014 was built for 32-bit or 64-bit Windows.

Penguin Turla, the Linux component of the Turla toolset, was discovered in December 2014. The backdoor does not need elevated privileges: even with restricted access it can sniff incoming packets and execute commands received from the attacker, which makes it hard to detect once installed on a compromised server. In May 2020, Leonardo researchers published a report on Penguin_x64, a previously undocumented variant of the Penguin Turla Linux backdoor.

Two-Sail Junk

In January 2020, researchers found LightSpy fully deployed in a watering-hole attack that used a remote iOS exploit chain. The websites involved targeted users in Hong Kong. The project also supports Android and may support Windows, Linux and macOS.

WellMess

In March 2020, researchers began tracking malware called WellMess. First documented by JPCERT in July 2018, it may be linked to CozyDuke (aka APT29), and its current activity focuses on the healthcare sector. WellMess consists of remote access Trojans written in .NET and Go (Golang), the latter cross-compiled for both Windows and Linux.

WildNeutron

WildNeutron was first publicly described in 2015, after attacks on Twitter, Microsoft, Apple and Facebook in 2012-2013. Its arsenal includes LSA backdoors, IIS plug-ins, zero-day exploits and other backdoors. In several known attacks, WildNeutron used a custom Linux backdoor.

Zebrocy

Zebrocy was first observed as a malware family used by Sofacy and is now tracked as a group in its own right, with overlaps to other APT groups. It develops malware in multiple languages, including Delphi, AutoIT, .NET, C#, PowerShell and Go, and mainly targets government organisations in Central Asia. The group relies heavily on phishing against Windows hosts; its backdoors talk to the C2 web server over port 80. Zebrocy uses Linux for part of its infrastructure, in particular Apache 2.4.10 running on Debian Linux.

Linux system protection recommendations

1. Maintain a list of trusted software sources, and install only from them.

2. Require encrypted protocols (HTTPS, SSH) for all remote access to applications and administration.

3. Review network settings: close every port the host does not need, remove unnecessary or unused network services, and configure the firewall correctly.

4. Protect locally stored SSH private keys with a passphrase, including keys used by network services.

5. Regularly check the integrity of key configuration files and system binaries so that tampering by file-infecting malware or rootkits is detected.
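The two checks below are an added example for recommendations 3 and 5; they are not code from the original article. The first builds a SHA-256 baseline of a file tree, stores it outside the tree, and reports added, removed and modified files on re-scan. The second parses the output of `ss -ltnp` (the column layout assumed here is State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process) and flags TCP listeners bound to non-loopback addresses whose port is not on an explicit allow-list. The file tree and the `ss` output are constructed for the example.

```python
"""Added example (not from the original article): baseline-and-verify checks
for recommendations 3 and 5. The sample tree and `ss -ltnp` output below are
constructed for the example."""
import hashlib
import json
import re
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file below root (POSIX relative path) to its hash.
    Symlinks are skipped: a retargeted link would otherwise hash whatever it
    now points at, and a link to a FIFO or device could block the scan."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo_integrity() -> dict:
    """Baseline a constructed tree, tamper with it, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")

        # The baseline is stored outside the scanned tree; in practice it
        # would be shipped to a separate host so an intruder cannot edit it.
        store = Path(tmp) / "baseline.json"
        store.write_text(json.dumps(build_baseline(root), indent=2, sort_keys=True))

        # Simulated compromise: config weakened, binary replaced,
        # cron persistence dropped, one file deleted.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "hosts").unlink()

        return compare_baseline(json.loads(store.read_text()), build_baseline(root))


# Constructed `ss -ltnp` output (assumed column layout, see lead-in).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1040,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1301,fd=21))
LISTEN  0       128     [::]:6379            [::]:*             users:(("redis-server",pid=1502,fd=6))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1622,fd=3))
"""

_PROC_NAME = re.compile(r'\("([^"]+)"')


def _is_loopback(addr: str) -> bool:
    addr = addr.strip("[]")
    return addr == "::1" or addr.startswith("127.")


def audit_listeners(ss_output: str, allowed_ports: set) -> list:
    """Return network-reachable TCP listeners whose port is not allow-listed."""
    flagged = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        if _is_loopback(addr) or int(port) in allowed_ports:
            continue  # local-only, or explicitly expected
        match = _PROC_NAME.search(fields[5]) if len(fields) > 5 else None
        flagged.append({"port": int(port), "address": addr,
                        "process": match.group(1) if match else "unknown"})
    return sorted(flagged, key=lambda f: f["port"])


if __name__ == "__main__":
    print(json.dumps(demo_integrity(), indent=2))
    for item in audit_listeners(SAMPLE_SS_OUTPUT, {22, 443}):
        print(f"unexpected listener: {item['process']} on {item['address']}:{item['port']}")
```

On a real host, point `build_baseline` at directories such as /etc, /bin, /sbin and /usr/bin, keep the JSON baseline off the machine, and run the comparison from a cron job or a remote scanner; any entry under "modified" or "added" for a system binary or a cron directory warrants immediate investigation.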

That concludes "Linux APT attack Analysis". Thank you for reading.
