Cloud reconnaissance and adaptability: The malware was designed to detect whether it’s being executed on various cloud platforms such as AWS, GCP, Azure, Alibaba, and Tencent and then to start leveraging those vendors’ management APIs. The code suggests the developers plan to add detections for Huawei, DigitalOcean, and Vultr in the future.

The malware collects extensive amounts of information about the machine and environment it runs in, including whether it’s a Docker container or a Kubernetes pod. It then can execute post-exploitation modules that attempt privilege escalation through container escapes or lateral movement to other containers.

“Ultimately, the goal of this implant appears to be stealthy, long-term access, surveillance, and data collection,” the researchers said, adding that developers might be a target for initial delivery.

Another interesting aspect is that the malware has a sophisticated algorithm through which it adapts its operations based on the security posture of the environment. It will scan for common Linux endpoint detection and response (EDR) tools and kernel hardening technologies and then calculate a risk score for the environment, which is then used to select a detection evasion strategy.

The malware also has multiple rootkit components with deployment strategies for different versions of the Linux kernel and will deploy them based on the environment in which it runs. These rootkit modules hide the malware’s processes, files, and network sockets.

C2 traffic is hidden in multiple ways, including as encrypted data in PNGs or JS, HTML, or CSS files, making it hard to detect at the network layer.

“VoidLink aims to automate evasion as much as possible, profiling an environment and choosing the most suitable strategy to operate in it,” the researchers said. “Augmented by kernel mode tradecraft and a vast plugin ecosystem, VoidLink enables its operators to move through cloud environments and container ecosystems with adaptive stealth.”

While malware for Linux is less common and often less sophisticated than malware programs for Windows, VoidLink stands out as a unique and highly capable framework. Even if it’s not totally clear whether this malware is intended to be a product for cybercriminals or as a future commercial penetration-testing framework of sorts, it serves as an example of the type of threat organizations should be prepared to defend against in their Linux-based cloud environments.
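To make the profiling step described above concrete, here is an added Python example written for this summary; it is not code from VoidLink or from the researchers' report, and the indicator tables, weights, and thresholds it uses are assumptions chosen for illustration. It reads the same kinds of host artifacts an environment-aware implant would look at (DMI vendor strings for the cloud provider, cgroup and service-account paths for Docker or Kubernetes, kernel lockdown and `modules_disabled` for hardening, process names for EDR agents), folds them into a risk score, and maps the score to an evasion posture. Defenders can use the list of paths it touches as hunt hooks: an audit watch on those files is a cheap way to catch this kind of reconnaissance.

```python
"""Illustrative host profiler: cloud vendor, container runtime, visible
defenses, risk score, and a posture chosen from that score.

Generic technique only. The indicator tables, weights and thresholds below
are assumptions for the example, not VoidLink's actual logic.
"""
import glob
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HostSnapshot:
    """Facts read from the host. Tests construct one by hand so the
    functions below run offline against known input."""
    files: Dict[str, str]      # path -> contents, for paths that exist
    processes: List[str]       # process names, as in /proc/<pid>/comm
    env: Dict[str, str]        # environment of the current process


# Assumed DMI strings under /sys/class/dmi/id/ that identify the hypervisor.
CLOUD_DMI = {
    "aws": ("sys_vendor", "Amazon EC2"),
    "gcp": ("product_name", "Google Compute Engine"),
    "azure": ("sys_vendor", "Microsoft Corporation"),
    "alibaba": ("product_name", "Alibaba Cloud ECS"),
}
# Assumed weights: how much each visible defender raises the risk score.
EDR_PROCESSES = {"falcon-sensor": 40, "falco": 25, "osqueryd": 15, "auditd": 10}
LOCKDOWN_PATH = "/sys/kernel/security/lockdown"
MODULES_DISABLED_PATH = "/proc/sys/kernel/modules_disabled"
SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
CGROUP_PATH = "/proc/1/cgroup"


def detect_cloud(snap: HostSnapshot) -> str:
    for vendor, (key, needle) in CLOUD_DMI.items():
        if needle in snap.files.get(f"/sys/class/dmi/id/{key}", ""):
            return vendor
    return "unknown"


def detect_runtime(snap: HostSnapshot) -> str:
    cgroup = snap.files.get(CGROUP_PATH, "")
    if ("KUBERNETES_SERVICE_HOST" in snap.env or SA_TOKEN in snap.files
            or "kubepods" in cgroup):
        return "kubernetes"
    if "/.dockerenv" in snap.files or "docker" in cgroup:
        return "docker"
    return "host"


def risk_score(snap: HostSnapshot) -> Tuple[int, List[str]]:
    """Sum the assumed weights of every defensive control that is visible."""
    score, reasons = 0, []
    for proc in snap.processes:
        if proc in EDR_PROCESSES:
            score += EDR_PROCESSES[proc]
            reasons.append(f"edr:{proc}")
    lockdown = snap.files.get(LOCKDOWN_PATH, "")
    if lockdown and "[none]" not in lockdown:   # active mode is bracketed
        score += 30
        reasons.append("kernel_lockdown")
    if snap.files.get(MODULES_DISABLED_PATH, "0").strip() == "1":
        score += 30
        reasons.append("modules_disabled")
    if detect_runtime(snap) == "kubernetes":    # pods are usually watched
        score += 10
        reasons.append("k8s_visibility")
    return score, reasons


def choose_strategy(score: int) -> str:
    """Assumed policy: load a kernel component only on quiet hosts."""
    if score < 20:
        return "kernel_module"
    if score < 50:
        return "userland_only"
    return "dormant"


def profile(snap: HostSnapshot) -> dict:
    score, reasons = risk_score(snap)
    return {"cloud": detect_cloud(snap), "runtime": detect_runtime(snap),
            "score": score, "reasons": reasons,
            "strategy": choose_strategy(score)}


def live_snapshot() -> HostSnapshot:
    """Read the real host; every path here is a candidate audit watch."""
    paths = [f"/sys/class/dmi/id/{k}" for k, _ in CLOUD_DMI.values()]
    paths += [LOCKDOWN_PATH, MODULES_DISABLED_PATH, SA_TOKEN, CGROUP_PATH,
              "/.dockerenv"]
    files = {}
    for p in paths:
        try:
            with open(p) as fh:
                files[p] = fh.read()
        except OSError:
            pass
    procs = []
    for comm in glob.glob("/proc/[0-9]*/comm"):
        try:
            with open(comm) as fh:
                procs.append(fh.read().strip())
        except OSError:
            pass
    return HostSnapshot(files, procs, dict(os.environ))


if __name__ == "__main__":
    print(profile(live_snapshot()))
```

Run as a script it profiles the current host; the tests below feed it constructed snapshots instead. The interesting defensive point is the third case: inside a pod the implant cannot see host-level EDR processes at all, so an agent running only on the node may not move the score, whereas `modules_disabled` and the service-account token path are visible from the pod and still shape the posture it picks.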
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4117038/sophisticated-voidlink-malware-framework-targets-linux-cloud-servers.html