Security researchers at Trend Micro described Tor-based botnet malware that targets Linux systems and cloud management tools. Over the Tor network, the threat actors drop tools such as ss, ps, and curl, along with scripts, onto the victims’ computers.
Linux is a less attractive target for cybercriminals, but, as the security company reported, it is drawing more and more attention from bad actors.
In the current campaign, the attackers leverage multiple “emerging techniques” to spread malware across victims’ networks, the researchers say. One of these is routing traffic through Tor (The Onion Router) via a network of SOCKS5 proxies.
Moreover, the attackers abuse DevOps cloud management tools such as Ansible, Chef, and SaltStack to infect other systems with malware. According to Trend Micro experts, this is the first time attackers have been observed abusing infrastructure-as-code (IaC) tools to spread malware.
“Their weaponization of IaC tools suggests that these malicious actors are also well aware of the adoption of new technologies nowadays. More instances of malicious actors hitching on new trends to facilitate their campaigns will likely emerge in the foreseeable future,” Trend Micro wrote in a blog post.
Compromising such centralized management or DevOps tools can have graver consequences, since these tools typically run with elevated privileges and deploy code to many systems across the enterprise infrastructure. The researchers point to the recent SolarWinds and Azure/M365 attacks on organizations as examples of this type of attack.
The researchers also described other techniques used by the actors, for example the use of Unix shell scripts in their attacks:
“We also found another technique that the malware uses to perform HTTP requests using shell script and Unix system design, as opposed to using binaries like curl or wget, to get more information on the infected systems.”
The researchers also noted that the attackers deployed XMRig, a Monero (XMR) cryptocurrency miner, in the campaign; notably, the malware can remove competing cryptocurrency miners from infected systems.