New malware turns Linux systems into P2P attack networks

Persistence through rootkits and PAM backdoors

The researchers also wrote of QLNX’s use of rootkits and Linux Pluggable Authentication Modules (PAM) to establish long-term persistence. According to Trend Micro, the malware leverages rootkit functionality to conceal malicious activity, processes, and components from administrative tools and security monitoring systems.

The malware was also observed tampering with PAM, a core Linux authentication framework responsible for handling login verification across many services. By modifying PAM components, attackers can potentially capture credentials, maintain access, or bypass authentication controls even after passwords are changed.

Trend Micro warned that these techniques significantly raise the difficulty of eradication, since they preserve persistence even after the visible malware artifacts have been wiped.

Modular QLNX hides through spoofed processes

Trend Micro’s analysis describes QLNX as a modular Linux malware framework engineered for stealth. It relies on a layered internal logic that allows operators to dynamically load capabilities, maintain persistence, and execute commands without raising an alarm.

One particular feature highlighted by the researchers was the malware’s process spoofing behavior. It hides malicious processes under names that mimic legitimate Linux services and system binaries to blend into routine administrative workflows. “The malware attempts to evade detection by randomly selecting one of the fake kernel thread names,” the researchers said, adding that the names attempt to mimic legitimate kernel threads like “Kernel worker thread”, “CPU migration thread”, and “RCU scheduling thread,” among others. Once a name is selected, “QLNX applies the name consistently across three process metadata locations to ensure consistency across all process inspection tools,” they added.

The malware also embraces the ongoing trend of fileless delivery. “Upon execution, QLNX copies itself into an in-memory file, re-executes from that memory copy, and deletes the original binary from disk, leaving no on-disk footprint,” the disclosure added.

Trend Micro added a list of IOCs, including file hashes, hardcoded passwords, credential harvest targets, and other compilation and persistence artifacts, to support detection efforts.
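A defender-side check for the two behaviours quoted above (kernel-thread name mimicry and execution from an in-memory copy whose on-disk original was deleted), added here as an example; it is not code from the article or from Trend Micro's analysis. It assumes the spoofed names share prefixes with real kernel threads (kworker, migration, rcu_) and that the in-memory copy shows up in /proc/<pid>/exe as a memfd or deleted path; ProcInfo, suspicious_reasons and read_proc are names chosen here.

```python
import os
from pathlib import Path
from typing import NamedTuple

# Prefixes of genuine kernel-thread names. Assumption: QLNX's spoofed names imitate these.
KTHREAD_PREFIXES = ("kworker", "migration", "rcu_", "ksoftirqd", "kthreadd")

class ProcInfo(NamedTuple):
    pid: int
    ppid: int
    comm: str     # /proc/<pid>/comm
    cmdline: str  # /proc/<pid>/cmdline with NUL bytes replaced by spaces
    exe: str      # readlink(/proc/<pid>/exe), "" when the link cannot be read

def suspicious_reasons(p: ProcInfo) -> list[str]:
    reasons = []
    # Genuine kernel threads have no exe link, an empty cmdline and descend from kthreadd (pid 2).
    if p.comm.startswith(KTHREAD_PREFIXES) and (p.exe or p.cmdline or p.ppid not in (0, 2)):
        reasons.append("kernel-thread name on a process with user-space traits")
    # Fileless execution: the binary runs from a memfd or was unlinked after launch.
    if p.exe.startswith("/memfd:") or p.exe.endswith("(deleted)"):
        reasons.append("executable has no on-disk backing")
    return reasons

def read_proc(root: str = "/proc") -> list[ProcInfo]:
    # Collect ProcInfo for every pid under root (Linux only; pids that vanish mid-scan are skipped).
    out = []
    for name in filter(str.isdigit, os.listdir(root)):
        base = Path(root, name)
        try:
            comm = (base / "comm").read_text().strip()
            cmdline = (base / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
            # stat is "pid (comm) state ppid ..."; split after the last ')' because comm may contain spaces
            ppid = int((base / "stat").read_text().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue
        try:
            exe = os.readlink(base / "exe")
        except OSError:  # kernel threads (and other users' processes) expose no readable exe link
            exe = ""
        out.append(ProcInfo(int(name), ppid, comm, cmdline, exe))
    return out

# Constructed sample records (not from the article): a genuine kworker, a QLNX-style spoof
# that set the name in both comm and argv[0] and runs from a memfd, and an ordinary daemon.
SAMPLE = [
    ProcInfo(1234, 2, "kworker/0:1", "", ""),
    ProcInfo(4242, 1, "kworker/2:0", "kworker/2:0", "/memfd:x (deleted)"),
    ProcInfo(777, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
]
```

On a live host, run suspicious_reasons over read_proc() and review every process that returns a non-empty list; the sample data only exists so the heuristic can be exercised offline.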

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4167854/new-malware-turns-linux-systems-into-p2p-attack-networks.html
