linux-malware

Rolling 7 day view of updates from this repo

Submissions?

Press/academia

• https://en.wikipedia.org/wiki/Linux_malware (#17) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
• https://rp.os3.nl/ (#30)
• https://wikileaks.org/vault7/ (#31)
• https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 (#622) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux
• https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
• https://securelist.com/top-10-unattributed-apt-mysteries/107676/ (#552) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf (#20) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux
• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations (#32)
• https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (#638) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, #644, uses:CrossCompiled, LockBit, Linux, Internal specialist services
• https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ (#33)
• https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives (#41) - Impact, BlackCat, #512
• https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html (#37)
• https://reyammer.io/publications/2018_oakland_linuxmalware.pdf (#28)
• https://www.group-ib.com/resources/threat-research/oldgremlin.html (#573) - Impact, OldGremlin, Linux
• https://malpedia.caad.fkie.fraunhofer.de/ (#29)
• https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ (#40)
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf (#21) - WINNTI
• https://ieeexplore.ieee.org/document/8418602 (#25)
• https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ (#22) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
• https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html (#34)
• https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf (#448)
• https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf (#23) - Persistence, various SSH, Bonadan, Kessel, Chandrila, uses:Perl
• https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ (#19) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
• https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (#101) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, #546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, #545, #547, RedXOR, #548, ACBackdoor, #549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services
• http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf (#27)
• https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (#417) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
• https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ (#35)
• https://en.wikipedia.org/wiki/Mirai_(malware) (#18) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
• https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 (#26)
• https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf (#24) - various SSH, Bonadan, Kessel, Chandrila
• https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer

In the wild

Breach reports

• https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ (#446) - Initial Access, Linux
• https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services
• https://www.freedownloadmanager.org/blog/?p=664 (#765) - Initial Access, Credential Access, #766, Free Download Manager, #816, wltm, Linux
• http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (#766) - Initial Access, Credential Access, Collection, Command and Control, #765, Free Download Manager, #816, attack:T1071.004:DNS, attack:T1105:Ingress Tool Transfer, attack:T1560.001:Archive via Utility, wltm, Linux
• https://twitter.com/1ZRR4H/status/1560662815400407040 (#507) - Initial Access, Peer2Profit, Linux
• https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm (#42) - GoDaddy
• https://bitbucket.org/workspacespain/i-s00n-translated (#799) - Persistence, uses:Leak, uses:Blocklisted, Reptile, APT41, Linux, AIX, Solaris, HP-UX

Supply chain attacks

• https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (#295) - OpenX
• https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ (#47) - PHPMyAdmin
• https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html (#523) - #525, wltm, Linux
• https://lwn.net/Articles/371110/ (#291) - e107 CMS
• https://news.ycombinator.com/item?id=17501379 (#525) - Linux
• https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 (#46) - Horde Webmail
• https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos (#290) - Homebrew
• https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ (#543) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux
• https://github.com/SecurityFail/kompromat (#813) - Credential Access, attack:T1552.004:Private Keys, Linux, HP-UX, AIX, Solaris, Internal specialist services
• https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (#787) - Initial Access, Discovery, Command and Control, delivery:NPM, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux
• canonical/snapcraft.io#651 (#296) - Snapcraft
• https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ (#45) - UnrealIRCd
• https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ (#289) - "Octopus Scanner" (Netbeans) attack
• http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html (#292) - MyBB
• https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb (#293) - event-stream
• https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (#294) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm
• https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html (#49) - VsFTPd
• https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (#816) - Initial Access, Persistence, Credential Access, Command and Control, Free Download Manager, #765, #766, attack:T1053.003:Cron, attack:T1555.005:Password Managers, uses:Non-persistentStorage, wltm, Linux
• https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux
• https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor (#44) - ProFTPd
• https://www.webmin.com/exploit.html (#43) - Webmin
• https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack (#48) - PHP

Malware reports

• https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, /malware/binaries/BPFDoor, Linux
• https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html (#721) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
• https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors (#305) - Tycoon
• https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT
• https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF (#67) - Drovorub
• https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux, Solaris
• https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d (#508) - Peer2Profit, Linux
• https://imgur.com/a/4YxuSfV (#79) - Cayosin (by malwaremustdie.org)
• https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ (#325) - RedXOR
• https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, /malware/binaries/Shikitega, Linux
• https://twitter.com/IntezerLabs/status/1288487307369222145 (#331) - TrickBot
• https://ultimacybr.co.uk/2023-10-04-Sysrv/ (#767) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux
• https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ (#601) - Persistence, Privilege Escalation, OrBit, /malware/binaries/OrBit, Linux
• https://blog.polyswarm.io/lightning-framework (#506) - Lightning, /malware/binaries/Lightning, Linux
• https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware
• https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ (#323) - EvilGnome
• https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ (#307) - QNAPCrypt, eCh0raix
• https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html (#501) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
• https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ (#565) - Initial Access, Lateral Movement, Impact, #566, Sysrv, wltm, Linux, Internal enterprise services
• https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:Non-persistentStorage, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, attack:T1037.004:RC Scripts, attack:T1098.004: SSH Authorized Keys, exploit:CVE-2023-35829, #710, #711, #724, Linux
• https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services
• https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html (#490) - uses:Go, Manjusaka, Linux
• https://imp0rtp3.wordpress.com/2021/11/25/sowat/ (#400) - Command and Control, #140, #131, SoWaT, APT31, Zirconium
• https://imgur.com/a/vS7xV (#75) - CarpeDiem (by malwaremustdie.org)
• https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, #129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux
• https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ (#56) - LemonDuck
• https://imgur.com/a/2zRCt (#318) - Gafgyt (by malwaremustdie.org)
• https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405) - attack:T1205.002:Socket Filters, ebpfkit
• https://twitter.com/ESETresearch/status/1454100591261667329?s=20 (#390) - Hive
• https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ (#526) - Metador, wltm, Linux
• https://blog.polyswarm.io/darkangels-linux-ransomware (#666) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
• https://haxrob.net/fastcash-for-linux/ (#815) - Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, attack:T1027.002:Software Packing, uses:Non-persistentStorage, attack:T1027.013:Encrypted/Encoded File, FastCash, #407, #312, #135, wltm, Linux, Banking, Internal specialist services
• https://cert.gov.ua/article/4501891 (#651) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
• https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, #482, Linux
• https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html (#698) - Impact, BlackSuit, Linux
• https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html (#58) - Mirai (by malwaremustdie.org)
• https://vms.drweb.com/virus/?i=21004786 (#433) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ (#372) - Kessel
• https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ (#444) - EnemyBot, Linux
• https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ (#566) - Impact, XMRig, Sysrv, wltm, Linux
• https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ (#344) - NGrok
• https://twitter.com/malwaremustd1e/status/1264417940742389762 (#316) - Gafgyt (by malwaremustdie.org)
• https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
• https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ (#376) - HPC
• https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ (#360) - Rhombus (by malwaremustdie.org)
• https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, #717, Linux, IOT
• https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux
• https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html (#366) - AirDropBot (by malwaremustdie.org)
• https://securelist.com/the-penquin-turla-2/67962/ (#593) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
• https://www.signalblur.io/through-the-looking-glass (#756) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services
• https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ (#636) - Initial Access, Linux
• https://github.com/akamai/akamai-security-research/tree/main/malware/panchan (#477) - Pan-chan, /malware/binaries/pan-chan, Linux
• https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors (#729) - Persistence, Command and Control, SEASPY, #730, SUBMARINE, #731, Linux
• https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ (#381) - FontOnLake
• https://netadr.github.io/blog/a-quick-glimpse-sbz/ (#596) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris
• https://twitter.com/ESETresearch/status/1410864752948043778 (#104) - Specter, SideWalk, StageClient
• https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ (#371) - Ebury
• https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf (#338) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
• https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ (#299) - IPStorm, /malware/binaries/Unix.Trojan.Ipstorm
• https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github (#97) - Botenago
• https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
• https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version (#309) - REvil
• https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf (#518) - DarkNexus, Linux
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
• https://www.mandiant.com/resources/unc2891-overview (#112) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, #134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, #154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking
• https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d (#616) - Command and Control, TSH, TINYSHELL, #481
• https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ (#395) - uses:Go, Chaos (sebd), /malware/binaries/Chaos
• https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ (#348) - Rakos
• https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
• https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ (#479) - Rekoobe, APT31, Linux
• https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ (#357) - SystemTen (by malwaremustdie.org)
• https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
• https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ (#65) - Qemu, #134, LightBasin, UNC1945
• https://sansec.io/research/cronrat (#399) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux
• https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md (#352) - ITTS
• http://it.rising.com.cn/fanglesuo/19851.html (#96) - SFile
• https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux
• https://asec.ahnlab.com/en/54647/ (#707) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, #154, Tsunami, Kaiten, 0x333shadow Log Cleaner, #706, ChinaZ, Linux
• https://imgur.com/a/a6RaZMP (#87) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
• https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html (#336) - PLEAD
• https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf (#493) - Persistence, Command and Control, uses:Go, IPStorm, /malware/binaries/Unix.Trojan.Ipstorm, Linux
• https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (#547) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux
• https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
• https://blog.talosintelligence.com/lazarus-collectionrat/ (#752) - Command and Control, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, DeimosC2, #751, HiddenCobra, Lazarus, APT38, Linux
• https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 (#118) - Impact, BlackCat, #512
• https://imgur.com/a/53f29O9 (#61) - Mirai (by malwaremustdie.org)
• https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 (#362) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
• https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt (#320) - Gafgyt
• https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces (#115) - Impact, KinSing
• https://twitter.com/malwrhunterteam/status/1422972905541996546 (#374) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
• https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ (#105) - Specter, SideWalk, StageClient
• https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
• https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis (#393) - Conti
• https://www.cisa.gov/news-events/analysis-reports/ar23-209a (#731) - Persistence, #729, SUBMARINE, wltm, Linux
• https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf (#100) - Cyclops Blink
• https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
• https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ (#640) - Initial Access, Command and Control, Impact, Sysrv, Linux
• https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, #134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux
• https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#496) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
• https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
• https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542) - Defense Evasion, Discovery, Collection, Exfiltration, vertical:Telecomms, attack:T1040:Network Sniffing, uses:Non-persistentStorage, attack:T1070.004:File Deletion, MESSAGETAP, /malware/binaries/MESSAGETAP, APT41, Linux, Telecomms, Internal specialist services
• https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ (#410) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
• https://sysdig.com/blog/ssh-snake/ (#801) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, #791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
• https://sansec.io/research/nginrat (#94) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
• https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html (#383)
• https://unit42.paloaltonetworks.com/alloy-taurus/ (#646) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux
• https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf (#370) - Kobalos, #bsd, #solaris, #aix
• https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ (#298) - RandomEXX
• https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery (#488) - Initial Access, Lateral Movement, Impact, RapperBot, /malware/binaries/RapperBot, Linux
• https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ (#114) - HabitsRAT
• https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware (#821) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.002:Socket Filters, wltm, Linux, Internal enterprise services
• https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ (#329) - Zirconium, APT31
• https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ (#459) - Persistence, Defense Evasion, Linux
• https://twitter.com/malwaremustd1e/status/1235595880041873408 (#358) - Hajimi (by malwaremustdie.org)
• https://twitter.com/CraigHRowland/status/1422267857988063232 (#354) - ITTS
• https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html (#398) - Polaris
• https://twitter.com/malwaremustd1e/status/1251758225919115264 (#361) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
• https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (#682) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
• https://twitter.com/IntezerLabs/status/1272915284148531200 (#341) - Lazarus
• https://twitter.com/ESETresearch/status/1382054011264700416 (#335) - TSCookie, #freebsd
• https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
• https://asec.ahnlab.com/en/55785/ (#733) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux
• https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (#588) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
• https://asec.ahnlab.com/en/51908/ (#650) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, #550, KONO DIO DA, XMRig, Linux
• https://lab52.io/blog/looking-for-penquins-in-the-wild/ (#594) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
• https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, #710, #711, #814, Linux
• https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites (#598) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
• https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar (#375) - PRISM
• https://asec.ahnlab.com/en/50316/ (#621) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux
• https://www.akamai.com/blog/security/new-p2p-botnet-panchan (#476) - Pan-chan, #477, Linux
• https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ (#340) - Kaiji (by malwaremustdie.org)
• https://cujo.com/iot-malware-journals-prometei-linux/ (#300) - Promotei
• https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ (#408) - Linux
• https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, #171, Diamorphine, #217, ZiggyStarTux, #701, Linux, IOT, Consumer
• https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
• https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials (#50) - TeamTNT
• https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html (#55) - CoinMiner
• https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (#784) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux
• https://imgur.com/a/LpTN7 (#85) - Elknot (by malwaremustdie.org)
• https://threatfabric.com/blogs/vultur-v-for-vnc.html (#379) - Vultur, Brunhilda, #Android
• https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ (#314) - Gafgyt
• https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#758) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware
• https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (#753) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware
• https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html (#332) - NOTROBIN
• https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ (#306) - QNAPCrypt, eCh0raix
• https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, #134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
• https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability (#337) - Impact, Persistence, Impact, KinSing
• https://imgur.com/a/Ak9zICq (#367) - Neko (by malwaremustdie.org)
• https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
• https://twitter.com/IntezerLabs/status/1326880812344676352 (#330) - AgeLocker
• https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html (#304) - DarkRadation
• https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
• https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ (#513) - Collection, Impact, Linux
• https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ (#681) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
• https://twitter.com/malwrhunterteam/status/1415403132230803460 (#310) - HelloKitty
• https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan (#732) - Persistence, Defense Evasion, Command and Control, Linux, Hosting
• https://twitter.com/IntezerLabs/status/1338480158249013250 (#301) - Promotei
• https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ (#92)
• http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf (#349) - Moose
• https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ (#339) - Kaiji
• https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
• https://imgur.com/a/DWKK5 (#84) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
• https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ (#401) - Persistence, Defense Evasion, #530, lib__mdma
• https://honeynet.onofri.org/scans/scan13/som/som5.txt (#389) - Luckscan, UNC1945
• https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers (#382) - Mayhem
• https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ (#809) - Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Command and Control, AIX, Internal enterprise services
• https://imgur.com/a/57uOiTu (#80) - DDoSMan (by malwaremustdie.org)
• https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (#690) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
• https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ (#297) - FreakOut
• https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, #170, Earth Lusca, Linux
• https://twitter.com/sethkinghi/status/1397814848549900288 (#717) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
• https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ (#343) - NGrok
• https://twitter.com/billyleonard/status/1458531997576572929 (#480) - Rekoobe, TSH, TINYSHELL, #481, APT31, Linux
• https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ (#68) - Mumblehard
• https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ (#72) - DDoSTF (by malwaremustdie.org)
• https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ (#503)
• https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ (#470) - Lightning, /malware/binaries/Lightning, Linux
• https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ (#351) - PGMiner
• https://twitter.com/bkMSFT/status/1417823714922610689 (#328) - #329, Zirconium, APT31
• https://zhuanlan.zhihu.com/p/348960748 (#403) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
• https://vms.drweb.com/virus/?i=15389228 (#326) - ?
• https://twitter.com/IntezerLabs/status/1291355808811409408 (#346) - Carbanak
• https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux
• https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ (#308) - KillDisk
• https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (#442) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, #544, Linux, VMware, Internal enterprise services, Internal specialist services
• https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ (#327) - TeamTNT, Mimipenguin