Linux malware is real and Advanced Persistent Threat (APT) groups have been infiltrating critical servers with these tools for at least eight years, according to a new report from BlackBerry.

In “Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android,” security researchers found that these groups have attacked companies around the world and across all industries with goals ranging from simple cybercrime to full-blown economic espionage.

The RATs report describes how five APT groups are working with the Chinese government and the remote access trojans (RATs) the cybercriminals are using to get and maintain access to Linux servers. According to the report, the groups appeared to be using WINNTI-style tooling to take aim at Linux servers and remain relatively undetected for almost a decade.

These groups are targeting Red Hat Enterprise, CentOS, and Ubuntu Linux environments for espionage and intellectual property theft. The APT groups examined include the original WINNTI GROUP, PASSCV, BRONZE UNION, CASPER (LEAD), and a newly identified group BlackBerry researchers are tracking as WLNXSPLINTER.

The BlackBerry researchers think all five groups are working together, given the distinct similarities in their preferred tools, tactics, and procedures.

SEE: Cybersecurity: Let’s get tactical (free PDF)

Eric Cornelius, chief product officer at BlackBerry, said that he hopes the report will motivate CISOs and security teams to reconsider potential threats that have been dismissed in the past.

“Most enterprises today are not focused on Linux as deeply as they should be,” he said. “Linux malware is a thing and it’s been going on a long time.”

The RATs report includes a wealth of indicators that network admins and security analysts can use to see what is happening on Linux servers.

Linux servers: Always on and poorly defended

The RAT report illustrates the risk of these infections by listing all the organizations that use Linux: The stock exchanges in New York, London and Tokyo; nearly all the big tech and e-commerce giants are dependent on it, including Google, Yahoo, and Amazon, most U.S. government agencies and the Department of Defense; virtually all of the top one-million websites; 75% of all web servers; 98% of the world’s most advanced supercomputers; and more than 75% of all cloud servers.

According to the report, the newly discovered Linux malware toolset included two kernel-level rootkits that rendered executables are extremely difficult to detect, making it highly likely that many organizations have been infected for some time. The report provides analysis of the attacks, the toolset, the rootkits, the other malware, and the infrastructure involved.

Cornelius said these servers are a good place for bad actors to get a foothold because they have high availability and high redundancy.

“Also the security industry doesn’t care much about Linux because they are selling wares on a per endpoint basis and Linux has only 2% market share,” he said. “The machines running Linux are extraordinarily important devices but they are in the minority.”

Cornelius said it’s particularly hard to deal with these infections at the rootkit level for three reasons. First, this component of a company’s infrastructure draws little scrutiny and very rarely has a defense. Second, security analysts spend much more time looking for activity in the user space. Finally, when a security analyst has to address a problem in a Linux server, it’s likely that someone else built the service and simply uninstalling something is not an option.

“You suspect you might have something silly going on but, if you do something that bricks that machine and you’re the person who cost the company hundreds of thousands of dollars,” he said.

The report authors also found that these backdoors communicated both to internal as well as
external IP addresses, indicating that the groups attacked servers that were both
deliberately segmented to keep them from connecting to the internet and connected to web servers that reached outside the target organization.

“Security teams don’t expect attackers will take the time to tunnel traffic from one machine to another and then get out,” he said.

According to the report, the infection of internal-only servers shows that the attackers were either successful in exploiting “crown jewel-type” data normally kept in such vaults, or that they had established a backup point of access in case other avenues were found and blocked.

Cornelius said that it’s easy to forget that it takes time to establish covert access in a corporate network.

“These things are about 10 months in length from gaining a foothold to exploring to figuring out where everything is,” he said.

He also said that even when a company discovers an intrusion, the cyber criminals go quiet, which means security leaders sometimes assume a lack of activity means the threat is gone when it isn’t.

China and open source

The report states that “Not only does China invest far more effort in open-source collection than other countries, the ‘back-end’ components – analysis, customer interaction, and feedback to collectors – also play a much larger part, as befits a nation whose progress depends more on adaptation than innovation.”

The combination of poor security solution coverage for Linux and highly tailored, complex malware has resulted in a suite of adversary tools that has largely —if not entirely—gone undetected for years.

Cornelius also said that using open source software makes sense for cyber criminals because they can use work that someone else has already done and because there is more plausible deniability.

“When people find it, they’ll have a difficult time finding any attribution beyond open source framework,” he said. “When you custom develop software from the ground up, you put a lot of yourself into it which allows for meaningful attribution.”

Cornelius said there are several nuanced challenges in bringing a Linux defense to market.

“Because security teams are underfunded and understaffed, they are probably not going to develop bespoke solutions for Linux,” he said.

Cornelius also pointed out that everyone running Windows has the same kernel but every distribution of Linux does it slightly differently.

Adware code-signing certificates

The report also analyzes attacks that use adware code-signing certificates, a tactic that the attackers hope will allow genuine security threats to hide in the constant stream of adware alerts. The report examines multiple samples of malware accompanied by the adware code-signing certificates.

Cornelius said that signing malware with ad certificates is a clever choice. Amid the daily deluge of security alerts, some warnings indicate real security risks, some are false positives, and some fall in the middle, like the ad certificates.

“What they’re doing is creating something really truly bad and attempting to pass it off as only being kind of bad,” Cornelius said.

The RAT report authors said that by hiding behind adware, bad actors are directly targeting the
psychology and methodology of security analysts to exploit inherent weaknesses in
their assumptions because “alert fatigue is real, and adware is boring.”

The authors have seen these techniques used by a number of other nation state actors to avoid analysis and create a layer of misdirection that’s hard to spot. The report includes a list of compromised adware and greyware code-signing certificates and associated malicious binaries in the appendix.

BlackBerry researchers have discovered that the Linux splinter hacker groups have developed and deployed several tools, collectively referred to as the WINNTILNX toolset.
Image: BlackBerry