Linux Defense Evasion Techniques Detected by AhnLab EDR (2)

The blog post “Linux Defense Evasion Techniques Detected by AhnLab EDR (1)” [1] covered the methods that threat actors and malware strains use after compromising a Linux server: disabling security services such as firewalls and security modules, and then concealing the installed malware.

This post covers additional defense evasion techniques used against Linux systems that were not covered in the previous post. Methods of concealing malware include having the running malware delete its own file so that an administrator does not notice it, and deleting the log files that record the process from initial infiltration to malware installation. A threat actor may perform these actions manually, but some malware strains also use automated scripts. Because the threat actor’s goal is simply to get the malware running, they may grant all permissions instead of only the necessary ones before installing it.

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on South Korea’s self-behavior-based engine. AhnLab EDR continuously collects information related to suspicious behaviors based on each type, allowing users to precisely perceive threats from a detection, analysis, and response perspective. Users then can conduct comprehensive analysis based on the data to identify causes, respond with appropriate measures, and establish processes to prevent threat recurrence.

This post will categorize the defense evasion techniques employed by the threat actors and malware against Linux systems and summarize the process for AhnLab EDR to detect such attacks.


1. Auto-delete

Unlike Windows, Linux allows the file of a running process to be deleted: the kernel keeps the file contents available as long as the process holds them open, so only the path disappears from the file system. As such, many malware strains that target Linux systems delete themselves after execution and run only in memory to evade file-based detection. For example, Nood RAT (known as a Linux variant of Gh0st RAT) [2] and the BlueShell malware used in APT attacks against Korea and Thailand [3] [4] delete themselves and run only in memory. Various other malware strains, including Mirai and RotaJakiro [5], use the self-deletion technique as well.

AhnLab EDR detects the behavior of a running malware strain deleting itself as a threat and helps administrators become aware of this process in advance.

Figure 1. The EDR detection of RotaJakiro’s auto-deletion
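A self-deleted binary still leaves a trace while the process is alive: the kernel reports the original path of its executable in /proc/<pid>/exe with a " (deleted)" suffix, and the binary itself can be copied out of that link for analysis. The scanner below is an added example (not AhnLab's or any of the named malware authors' code) that walks /proc and reports such processes; the fake /proc tree it builds for the demo, the pid 4242 and the path /tmp/dropped-binary are constructed values.

```python
"""Added example: find running processes whose executable was unlinked from
disk, the trace a self-deleting binary leaves in /proc/<pid>/exe."""
import os
import tempfile

DELETED_SUFFIX = " (deleted)"  # suffix the kernel appends to an unlinked target


def is_deleted_target(link_target: str) -> bool:
    """True if a readlink() result points at an executable that was unlinked."""
    return link_target.endswith(DELETED_SUFFIX)


def scan_proc(proc_root: str = "/proc") -> list[tuple[int, str]]:
    """Return (pid, original_path) for every process whose exe was unlinked.

    proc_root is a parameter only so the scan can be pointed at a constructed
    tree in tests; in production it is the real /proc.
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a process directory (e.g. "self", "sys")
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe_link)
        except OSError:
            continue  # kernel thread, process already exited, or no permission
        if is_deleted_target(target):
            findings.append((int(entry), target[: -len(DELETED_SUFFIX)]))
    return sorted(findings)


def build_fake_proc(root: str) -> None:
    """Constructed /proc look-alike: pid 1 is a normal process, pid 4242 mimics
    a binary deleted while running, and "self" must be ignored by the scan."""
    os.makedirs(os.path.join(root, "1"))
    os.symlink("/usr/sbin/init", os.path.join(root, "1", "exe"))
    os.makedirs(os.path.join(root, "4242"))
    os.symlink("/tmp/dropped-binary (deleted)", os.path.join(root, "4242", "exe"))
    os.makedirs(os.path.join(root, "self"))


def demo() -> list[tuple[int, str]]:
    """Run the scanner over the constructed tree; returns [(4242, '/tmp/dropped-binary')]."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp)
        return scan_proc(tmp)


if __name__ == "__main__":
    for pid, path in scan_proc():  # live scan of the real /proc
        print(f"pid {pid}: executable {path} was deleted while running")
```

Run as root to see every process; unprivileged users can only read the exe link of their own processes. The same " (deleted)" marker also appears in /proc/<pid>/maps for unlinked shared objects, which is worth checking in the same sweep.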

2. Deleting Logs

In Linux, logs of major events in the system are stored in the file “/var/log/syslog”. Syslog contains kernel, daemon, and scheduler messages. Accordingly, there are cases where the threat actor or malware deletes log files such as Syslog to conceal the commands or behaviors they executed.

For example, Kinsing, a CoinMiner installed through poorly managed Docker and Redis servers or through vulnerability exploitation, first uses a script to delete Syslog after initial infiltration. [6]

Figure 2. Kinsing deleting the Syslog file

The “.bash_history” file, which records the commands the user entered in shells such as Bash, may also be deleted by the threat actor. For example, the script used by the Team TNT threat actor contains a command that deletes the “.bash_history” file to remove the record of the commands run by the malware. For reference, Team TNT is a threat actor that mines cryptocurrency by uploading malicious Docker container images with malware installed to shared storage.

Figure 3. Team TNT’s malware that deletes the Bash history file

AhnLab EDR detects the malicious behaviors of deleting Syslog or the Bash history file as threats and helps administrators become aware of such processes in advance.

Figure 4. AhnLab EDR detecting the deletion of Syslog file
Figure 5. AhnLab EDR detecting the deletion of Bash history file
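Deleting syslog or .bash_history can be caught on the host with the Linux audit subsystem, which records a successful unlink of a watched file as a SYSCALL record carrying the rule's key plus a PATH record whose nametype is DELETE. The rules and parser below are an added example, not AhnLab's detection logic: the auditctl syntax is real, the key name "log_tamper" is an assumption, and the audit log excerpt is constructed (pids, inodes and timestamps are made up).

```python
"""Added example: detect deletion of syslog and shell history from raw auditd
records.

Watch rules (real auditctl syntax; the key name is an assumption):
    auditctl -w /var/log/syslog     -p wa -k log_tamper
    auditctl -w /root/.bash_history -p wa -k log_tamper
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # timestamp and event serial

# Constructed sample of /var/log/audit/audit.log: event 812 is "rm /var/log/syslog",
# event 813 is rsyslogd legitimately reopening the file (must not be reported),
# event 814 is a shell unlinking root's history. Field lists are trimmed.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:812): arch=c000003e syscall=87 success=yes exit=0 ppid=1201 pid=1337 auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="log_tamper"
type=CWD msg=audit(1700000000.101:812): cwd="/var/log"
type=PATH msg=audit(1700000000.101:812): item=0 name="/var/log/" inode=131 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000000.101:812): item=1 name="/var/log/syslog" inode=4077 mode=0100640 nametype=DELETE
type=SYSCALL msg=audit(1700000000.205:813): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=640 auid=4294967295 uid=104 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="log_tamper"
type=PATH msg=audit(1700000000.205:813): item=0 name="/var/log/syslog" inode=4078 mode=0100640 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.309:814): arch=c000003e syscall=263 success=yes exit=0 ppid=1337 pid=1340 auid=1000 uid=0 comm="sh" exe="/usr/bin/dash" key="log_tamper"
type=PATH msg=audit(1700000000.309:814): item=0 name="/root/" inode=12 mode=040700 nametype=PARENT
type=PATH msg=audit(1700000000.309:814): item=1 name="/root/.bash_history" inode=5120 mode=0100600 nametype=DELETE
"""


def parse_record(line: str) -> dict:
    """Split one raw audit record into a dict; quotes are stripped from values."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = m.group(1), int(m.group(2))
    return fields


def find_log_deletions(lines, watch_key: str = "log_tamper") -> list[dict]:
    """Return one finding per successful deletion of a file under the watch key."""
    events = defaultdict(list)  # serial -> all records of that audit event
    for line in lines:
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)

    findings = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != watch_key:
            continue
        if syscall.get("success") != "yes":
            continue  # a failed attempt is worth alerting on too, but it is not a deletion
        for rec in recs:
            if rec.get("type") == "PATH" and rec.get("nametype") == "DELETE":
                findings.append({
                    "time": syscall["_time"],
                    "pid": int(syscall["pid"]),
                    "comm": syscall["comm"],
                    "exe": syscall["exe"],
                    "path": rec["name"],
                })
    return findings


if __name__ == "__main__":
    for f in find_log_deletions(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{f['time']} pid={f['pid']} {f['comm']} ({f['exe']}) deleted {f['path']}")
```

Host-side detection only helps if the audit trail itself survives, so the practical complement is forwarding syslog and audit records to a remote collector as they are written; a deleted local file then removes nothing the investigator needs.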

3. Suspicious Privilege Granting

RedXOR is a backdoor that became known in 2021 and is known to be used by a threat actor suspected of being sponsored by China. [7] RedXOR collects basic information from the system and can receive commands from the C&C server to perform functions such as command execution, file- and process-related tasks, and proxying.

While it performs actual malicious behaviors only after receiving commands from the C&C server, it is notable that it grants suspicious privileges during installation. It first copies itself to the “/root/.po1kitd.thumb/.po1kitd-update-k” path and registers itself as an init service so that it runs again after a reboot. It then sets mode 777 (rwxrwxrwx: readable, writable, and executable by every user) on the “/etc/init.d/po1kitd-update” script that is in charge of this process. AhnLab EDR detects such granting of suspicious privileges as a threat and helps administrators become aware of this process in advance.

Figure 6. AhnLab EDR detecting RedXOR granting suspicious permissions
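A world-writable init script is a simple condition to audit for after the fact: any local account can rewrite a file that init runs as root on the next boot, so a 777 script is both a persistence point and a local privilege-escalation path, whereas init scripts are normally 0755 and root-owned. The scanner below is an added example (not AhnLab's or RedXOR's code); the init-script directories are the usual Debian- and RHEL-style locations, and the demo directory with the files "ssh" (0755) and "example-update" (0777) is constructed.

```python
"""Added example: find world-writable init scripts, the state left behind when
an installer sets mode 777 on its /etc/init.d script."""
import os
import stat
import tempfile

# Assumption: the usual init-script directories on Debian- and RHEL-style systems.
INIT_DIRS = ("/etc/init.d", "/etc/rc.d/init.d")


def mode_string(mode: int) -> str:
    """Render the permission bits as ls does, e.g. 0o777 -> 'rwxrwxrwx'."""
    return stat.filemode(mode)[1:]


def find_world_writable(directory: str) -> list[tuple[str, str]]:
    """Return (name, mode) for regular files in directory that others may write."""
    findings = []
    try:
        names = sorted(os.listdir(directory))
    except FileNotFoundError:
        return findings  # directory absent on this distribution
    for name in names:
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the directory
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:  # "other" write bit set
            findings.append((name, mode_string(st.st_mode)))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed directory: one normal 0755 script and one 0777 script."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("ssh", 0o755), ("example-update", 0o777)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)  # explicit chmod, so the umask does not matter
        return find_world_writable(tmp)


if __name__ == "__main__":
    for d in INIT_DIRS:
        for name, mode in find_world_writable(d):
            print(f"{d}/{name} is {mode}: world-writable init script")
```

On a live system this is a point-in-time check; the chmod itself, as the EDR detection above shows, is the event to alert on, and an audit watch on the init-script directories (the same `-p wa` rule style as for log files) records it as it happens.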

4. Conclusion

Threat actors use defense evasion techniques such as deleting their commands or logs during the attack and removing the installed malware file so that it runs only in memory. As a result, administrators may find it difficult to track suspicious files or to find traces of the threat actor in logs.

AhnLab EDR detects suspicious behaviors used in the defense evasion stage as threats and key behaviors, allowing administrators to become aware of them in advance. Based on the detection, administrators can identify the cause and respond appropriately. Even after being exposed to an attack, they can review the data from the affected system as evidence of the threat actor’s activity when investigating the infiltration incident.

Behavior Detection
– DefenseEvasion/MDP.Remove.M11361
– DefenseEvasion/EDR.Delete.M11397
– SystemManipulation/EDR.Delete.M11458
– Execution/EDR.Chmod.M11395

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.


Article Link: https://asec.ahnlab.com/en/67636/