  • A slew of new Linux malware families, all based on malicious versions of OpenSSH clients, were discovered by ESET.
  • Out of the 21 families analyzed, 12 were undocumented.
  • The new malware families possess sophisticated features like keylogging and backdoor capabilities.

Historically, Linux has been regarded as a more secure operating system than the more widely used Windows, owing to its stricter handling of user privileges, a more technically proficient user base, and similar factors. That does not, however, make it free of vulnerabilities.

The number of threats targeting the Linux ecosystem is still quite insignificant when compared to Windows, despite the emergence of some malware families aimed at Linux-based systems in the last decade.

Not really “new” threats

Because of this disparity in the threat landscape, the Linux ecosystem has received limited attention from security researchers. As a result, some malware families are discovered only several years after they were released and became active in the wild.

This discovery by ESET stems from their ongoing hunt for OpenSSH backdoors in the wild. The researchers began the hunt over three years ago, collecting samples of malicious OpenSSH binaries that were used to improve detection. The samples themselves, however, remained unanalyzed until this year.

To their surprise, the researchers discovered many new backdoor families that had remained undocumented prior to their research. The paper published by the ESET researchers, “The Dark Side of the ForSSHe - A landscape of OpenSSH backdoors”, contains a list of Indicators of Compromise (IOCs) that help identify compromised servers.

Key findings

The research conducted by ESET benefited from insights gained during their Windigo botnet investigation. The paper highlights several noteworthy findings:

  • While there are multiple code bases for the various OpenSSH backdoors, most of them share similar basic features such as hardcoded credentials to activate a backdoor mode, and credential stealing.
  • The researchers grouped all the malware samples collected based on their code base and highlighted 21 different OpenSSH malware families. Out of the 21 families analyzed, 12 had never been documented prior to their research.
  • An SSH backdoor used by DarkLeech operators was discovered to be the same malware used by the Carbanak gang a few years later.
  • There is a wide spectrum of complexity in backdoor implementation, ranging from off-the-shelf malware to samples with obfuscated code and network protocols.
  • Exfiltration techniques for stolen SSH credentials were creative and included SMTP.
  • OpenSSH backdoors were used both by crimeware and APT groups. Both used malware with similar sets of features and varying levels of complexity.

This research indicates that security researchers should pay more attention to the Linux operating system for new threats. Much of the world’s online infrastructure is powered by servers running variations of the Linux operating system, which could face serious danger if Linux malware threats are not carefully analyzed and tackled in a timely manner.

Cyware Publisher