Understanding the Rising Tide of Linux Threats - VMRay

Securing the Penguin: 
Understanding the Rising Tide of Linux Threats

Q3 – 2023

Explore the evolving Linux threat landscape: zero-day vulnerabilities, stealthy botnets, and covert supply-chain attacks demand vigilant defenses.

Table of Contents

Let’s explore the intricate landscape of Linux threats, a growing concern for corporations, government entities, and individual users alike. As the prevalence of Linux in high-profile targets increases, so does the sophistication of threats. Ransomware takes center stage, targeting valuable data from these entities, with Linux users facing a spectrum of attack vectors. From zero-day vulnerabilities demanding expertise to stealthy botnets like P2PInfect, and supply-chain gambits revealing covert threats, this chapter unveils the diverse challenges in the realm of Linux security.

The rise in Linux malware is particularly alarming, given the operating system’s prevalence in high-profile targets, including corporations and government agencies, which often run their systems on Linux. VMRay’s Linux feature is timely, addressing the increasing threats in this area, predominantly ransomware, aiming to exploit data from these lucrative entities.

Linux users are typically more sophisticated, and the attacks on Linux are usually more intricate, targeting not just individual desktop users but also servers and IoT devices. Unlike Windows users, who are often targeted through phishing emails or dubious downloads, Linux users face a variety of attack vectors. Some involve establishing trust before deploying malicious code, while others leverage supply-chain attacks targeting developers or servers.

Zero-Day Vulnerabilities: Linux’s Silent Nemesis

One of the most high-risk and rewarding attack vectors for Linux is through zero-day vulnerabilities. These attacks are sophisticated, requiring extensive knowledge and effort to discover unknown vulnerabilities, allowing a broad range of targets to fall victim, often through no fault of their own.

In one instance, the SprySOCKS malware, attributed to a Chinese hacker group called Earth Lusca, targeted government agencies worldwide. Interestingly, this malware originated from an open-source Windows malware called Trochilus, and was later adapted to Linux systems. To infect systems, it targets a variety of remote code execution vulnerabilities and then drops Cobalt Strike beacons, infects other hosts on the system while stealing information. The malware disguises itself as a Linux kernel worker thread to avoid detection and establish persistence on infected computers.

P2PInfect and Beyond: The Surge of Linux Botnets

The P2PInfect botnet has also seen a surge in activity, with a meteoric rise in traffic observed in the wild, employing more stealthy malware variants and better persistence mechanisms. This botnet, along with others like Reptile Kernel Module Rootkit and Mirai, which has infected low-cost Android TV boxes, highlights the diversity and increasing sophistication of Linux malware.

Supply-Chain Gambits: Unveiling Covert Linux Threats

Supply-chain attacks are also a significant concern, with unofficial repositories installing malware and even seemingly legitimate software distribution websites redirecting users to malicious URLs hosting infected versions of software. For instance, a trojanized version of a product called “Free Download Manager”, containing a Linux backdoor, remained undetected for years, demonstrating the stealth and longevity of such attacks. This malware, once installed, launched executables and established persistence, allowing attackers to deploy a Bash stealer to collect cryptocurrencies, passwords and web histories. In another instance, malicious PyPI packages were detected which use typosquatting to get installed on servers.

Given the increasing prevalence and sophistication of Linux malware, and the variety of attack vectors, from zero-day vulnerabilities to supply-chain attacks, the risk from Linux malware is likely to escalate in the future. It is crucial for users, especially those managing servers and IoT devices, to be vigilant and employ robust security solutions to protect against these evolving threats.

VMRay Malware & Phishing Threat Landscape – Q3/2023

Next Chapter: 
Evolving phishing threats

See VMRay in action.
Secure your organization against evolving Linux threats.

Further resources


Key forces shaping the future of security automation

Watch the full recording from the our webinar featuring Forrester


Explore VMRay’s seamless integrations

Explore all security automation use cases that help you can benefit.


VMRay Professional Services

Learn how VMRay supports deployment, configurations, integrations & more.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator