New Linux malware family evades virus detection

Cyber security researchers have discovered several Linux binaries that managed to squeeze past most anti-virus products.

Upon closer inspection, researchers at AT&T Alien Labs identified these binaries as modified versions of the open-source Prism backdoor, which has already been used in several campaigns.

“We further investigated the samples and found that several campaigns using these malicious executables managed to stay active and under the radar for over 3.5 years. The earliest samples Alien Labs can attribute to one of the actors date to November 8, 2017,” the researchers state.


Calling Prism a “simple and straightforward” backdoor that is easy to detect, the researchers note that the fact that the modified binaries managed to evade detection for several years may have been the result of the security infrastructure focusing its efforts on larger campaigns, allowing smaller ones to slide through the gaps.

Under the radar

One of the variants analyzed by the researchers, named WaterDrop, is easily identifiable, but still manages to maintain a detection score close to zero in the VirusTotal database. In addition, WaterDrop communicates with its Command and Control (C2) server via HTTP in plain text.

Tracking the evolution of the malware, the researchers note that many of the variants use the same C2 server. While the earlier variants do not implement any of the common mechanisms malware authors use to avoid detection, such as obfuscation and encryption, the newer variants do, along with a few other modifications.
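Because the early variants talk to their C2 server over plain-text HTTP at regular intervals, that traffic is a natural place for defenders to look. The following script is an added example, not code from the article or from Alien Labs: it parses constructed web-proxy log lines (the log format, hosts, paths and timestamps are all made up for illustration) and flags source/destination pairs that contact a host over plain HTTP on a near-fixed period, which is the beaconing pattern a simple backdoor produces.

```python
"""Added example: flag periodic plain-text HTTP beaconing in proxy logs.

The log format ("timestamp src method url") and all addresses below are
constructed for this illustration and do not come from the article.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: one workstation polls a bare-IP host every ~5 minutes
# over plain HTTP, while another host browses normally.
SAMPLE_LOG = """\
2021-08-10T10:00:00 10.0.0.5 GET http://203.0.113.10/ping
2021-08-10T10:00:01 10.0.0.7 GET http://example.com/index.html
2021-08-10T10:05:00 10.0.0.5 GET http://203.0.113.10/ping
2021-08-10T10:07:30 10.0.0.7 GET http://example.com/news
2021-08-10T10:10:01 10.0.0.5 GET http://203.0.113.10/ping
2021-08-10T10:15:00 10.0.0.5 GET http://203.0.113.10/ping
2021-08-10T10:19:10 10.0.0.7 GET https://example.com/login
2021-08-10T10:20:00 10.0.0.5 GET http://203.0.113.10/ping
2021-08-10T10:25:01 10.0.0.5 GET http://203.0.113.10/ping
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^(\w+)://([^/]+)")


def parse_log(text):
    """Return (timestamp, src, scheme, dest_host) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, _method, url = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        scheme, dest = u.groups()
        events.append((datetime.fromisoformat(ts), src, scheme, dest))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Flag (src, dest) pairs with >= min_hits plain-HTTP requests whose
    inter-request gaps have a coefficient of variation <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, scheme, dest in events:
        if scheme == "http":  # only cleartext traffic is in scope here
            by_pair[(src, dest)].append(ts)

    findings = []
    for (src, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dest": dest,
                "hits": len(stamps),
                "period_s": round(mean, 1),
                "jitter": round(jitter, 3),
            })
    return findings


def scan(text):
    """Convenience wrapper: parse the log text and return beacon findings."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dest']}: {f['hits']} hits, "
              f"period {f['period_s']}s, jitter {f['jitter']}")
```

The jitter threshold is the tunable part: a backdoor that sleeps a fixed interval between polls produces a coefficient of variation near zero, while a person browsing a site produces irregular gaps. In practice you would run this over proxy or Zeek HTTP logs for a longer window and whitelist known update and telemetry endpoints, which also poll on a schedule.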

Researchers believe these backdoors go unnoticed as they are typically used in smaller campaigns.

“Alien Labs expects adversaries to stay active and conduct operations with this set of tools and infrastructure. We will continue to monitor and report any notable findings,” the researchers conclude.
