There’s no shortage of reasons why an SMB might use Linux to run their business: There are plenty of distros to choose from, it’s (generally) free, and perhaps above all — it’s secure.
The common wisdom goes that Linux malware is rare, and for the most part this is true. Thanks to its built-in security defenses, strict user privilege model, and transparent source code, Linux enjoys far fewer malware infections than other operating systems.
But unfortunately, there’s more to Linux security than just leaning back in your chair and sipping piña coladas. There are dozens of Linux malware families out there today threatening SMBs with anything from ransomware to DDoS attacks.
In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.
1. Cloud Snooper
In early 2020, researchers found something weird going on with Linux servers hosted by Amazon Web Services (AWS). Specifically, they noticed that some servers were receiving anomalous inbound traffic.
In a perfect world, the firewalls of our servers would only allow web traffic in from trusted ports. With the Cloud Snooper malware, however, untrusted web traffic sneaks past firewalls and enters right into Linux servers — a big no-no.
How it works
The hackers pull this off with a rootkit, a set of malware tools that gives someone the highest privileges in a system. Attackers use the rootkit to then install a backdoor trojan, which can steal sensitive data from the servers.
At a high level, Cloud Snooper gets past firewall rules by sending innocent-looking requests to the web server which actually contain hidden instructions for the backdoor trojan. From there, the attackers can do anything from logging computer activity and stealing data to deleting files.
It’s still unclear how the malware is installed in the first place, though the researchers think attackers break into servers using SSH.
2. QNAPCrypt
If you wake up one morning and find that all of your files are encrypted along with a ransom note demanding a Bitcoin payment — you just may have been hit with QNAPCrypt.
QNAPCrypt is ransomware that specifically targets Linux-based NAS (Network Attached Storage) servers. It gets its name from QNAP, a popular NAS vendor.
How it works
QNAPCrypt exploits a vulnerability in QNAP NAS devices running HBS 3 (Hybrid Backup Sync) that allows remote attackers to log in to a device. Once launched, the ransomware iterates through a list of files and encrypts them, appending the .encrypt extension to each affected file.
According to recent posts in a BleepingComputer forum, ransom payments are about 0.024 BTC (~$720 USD as of June 2022).
3. Cheerscrypt
Does your SMB use VMware ESXi servers? If so, you had better watch out for Cheerscrypt, another Linux-based ransomware.
How it works
Upon execution, Cheerscrypt hijacks the ESXCLI tool — which allows for remote management of ESXi hosts — and uses it to terminate all VM processes. From there, the attackers encrypt all of your VMware-related files and rename them with the .Cheers extension.
The ransom note, named “How to Restore Your Files.txt”, threatens to expose company data if the ransom is not paid.
Cheerscrypt is not the only Linux ransomware targeting ESXi virtual machines: there's also BlackBasta.
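As an added defender-side illustration (not code from this post or from Malwarebytes), the following Python script walks a directory tree and tallies the file-level artefacts the two ransomware families above leave behind: the .encrypt and .Cheers extensions and the Cheerscrypt ransom note. The sample tree it builds in a temp directory is constructed for the demo.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the post: QNAPCrypt appends ".encrypt", Cheerscrypt
# renames files to ".Cheers" and drops "How to Restore Your Files.txt".
RANSOM_EXTENSIONS = {".encrypt": "QNAPCrypt", ".cheers": "Cheerscrypt"}
RANSOM_NOTES = {"how to restore your files.txt": "Cheerscrypt"}


def scan_tree(root):
    """Walk root and tally ransomware artefacts per family.

    Returns {family: {"encrypted": n, "notes": n}} for families seen.
    """
    hits = {}
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            family = RANSOM_EXTENSIONS.get(os.path.splitext(lower)[1])
            if family:
                hits.setdefault(family, Counter())["encrypted"] += 1
            family = RANSOM_NOTES.get(lower)
            if family:
                hits.setdefault(family, Counter())["notes"] += 1
    return {fam: dict(c) for fam, c in hits.items()}


def build_sample_tree():
    """Constructed sample: a temp dir mimicking a hit NAS share and an ESXi datastore."""
    root = tempfile.mkdtemp(prefix="ransomscan-")
    layout = [
        "share/report.xlsx.encrypt",
        "share/photo.jpg.encrypt",
        "share/readme.txt",                         # untouched file, must not count
        "datastore/vm1/vm1.vmdk.Cheers",
        "datastore/vm1/vm1.vmx.Cheers",
        "datastore/How to Restore Your Files.txt",  # Cheerscrypt ransom note
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Point scan_tree at a mounted NAS share or datastore to get a per-family count; a sudden jump in "encrypted" is the signal to isolate the host.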
4. HiddenWasp
HiddenWasp is a new strain of Linux malware that remotely controls infected systems with an initial deployment script, a trojan, and a rootkit.
How it works
After HiddenWasp installs all of the malware components on your computer, the deployment script executes the trojan and adds the rootkit. The rootkit is then attached to a given process, where it hides the existence of the trojan. The trojan, in turn, helps the rootkit remain operational.
From there, attackers can execute files, spy on computer usage, change system configurations, and so on — all while being unseen.
5. Mirai
From manufacturing to healthcare, many industries today are using the Internet-of-Things (IoT) to help streamline their operations — and at the heart of every IoT device is Linux. Mirai, a botnet responsible for the “takedown of the Internet” in 2016, takes advantage of this by hijacking IoT hardware to launch DDoS attacks.
How it works
Mirai is a self-replicating worm that scans for and infects vulnerable IoT devices that use default or weak usernames and passwords. Once infected, these compromised IoT devices can be told what to do via a central set of command and control (C&C) servers, specifically to launch DDoS attacks.
While Mirai itself may not be around anymore, its source code lives on in several other botnet variants, including Hajime, SYLVEON, and SORA.
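Added example, not from the original post: a small Python detector that reads sshd auth-log lines and flags sources sweeping default account names, the credential-guessing behaviour Mirai and its variants rely on. The log lines and the DEFAULT_ACCOUNTS set are constructed assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in sshd auth.log format (not real traffic): one source
# sweeps default accounts on a camera host and finally gets in as root.
SAMPLE_AUTH_LOG = """\
Jun 10 03:14:01 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jun 10 03:14:02 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 51235 ssh2
Jun 10 03:14:03 cam01 sshd[815]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Jun 10 03:14:04 cam01 sshd[817]: Failed password for invalid user support from 198.51.100.7 port 51237 ssh2
Jun 10 03:14:09 cam01 sshd[820]: Accepted password for root from 198.51.100.7 port 51240 ssh2
Jun 10 03:20:11 cam01 sshd[901]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jun 10 03:20:30 cam01 sshd[903]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})"
)

DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest"}  # factory-default style names, chosen here


def detect_credential_sweeps(log_text, threshold=3):
    """Return {src: summary} for sources failing >= threshold default-account logins."""
    attempts = defaultdict(int)    # src -> failed logins against default accounts
    accounts = defaultdict(set)    # src -> default account names tried
    logged_in = defaultdict(set)   # src -> accounts where a password login succeeded
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, src = m["user"], m["src"]
        if m["result"] == "Failed" and user in DEFAULT_ACCOUNTS:
            attempts[src] += 1
            accounts[src].add(user)
        elif m["result"] == "Accepted" and m["method"] == "password":
            logged_in[src].add(user)
    # "compromised" = a sweeping source later got a password accepted: a weak
    # credential worked, which is exactly how Mirai-style worms get in.
    return {
        src: {"attempts": n, "accounts": sorted(accounts[src]),
              "compromised": sorted(logged_in[src])}
        for src, n in attempts.items() if n >= threshold
    }


if __name__ == "__main__":
    print(detect_credential_sweeps(SAMPLE_AUTH_LOG))
```

Any source that shows up with a non-empty "compromised" list warrants an immediate credential reset and a check for persistence on that device.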
Stop Linux malware from getting a hold on your organization
It may be true that Linux is more secure than most other operating systems, but make no mistake — Linux malware exists, and can have devastating effects on SMBs.
While we have given a brief overview of five Linux malware families, there are dozens more out there, each with their own unique payload. From ransomware and rootkits to trojans and botnets, there’s a slew of threats SMBs using Linux need to protect themselves against.
With Malwarebytes EDR for Linux, you can simplify protection, detection, and response capabilities across your entire organization. Even brand-new, unidentified Linux malware can typically be eliminated before it can impact your data center servers.
Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal “one-and-done” remediation.
Malwarebytes EDR prevents, detects, and responds to ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and "zero-day" unknown threats so you can avoid business disruption and financial loss.