Bootkitty: Analyzing the first UEFI bootkit for Linux
ESET's discovery of the first UEFI bootkit designed for Linux sendss an important message: UEFI bootkits are no longer confined to Windows systems alone.
Windows infected with backdoored Linux VMs in new phishing attacks
A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.
CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging - Securonix
In a rather novel attack chain, attackers deploy a custom-made emulated QEMU Linux box to persist on endpoints, delivered through phishing emails.
FASTCash for Linux
Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.
From Perfctl to InfoStealer
From Perfctl to InfoStealer, Author: Xavier Mertens
perfctl: A Stealthy Malware Targeting Millions of Linux Servers
Perfctl is particularly elusive and persistent malware employing several sophisticated techniques
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Unveiling sedexp: A Stealthy Linux Malware Exploiting udev Rules
Stroz Friedberg identified a stealthy malware, dubbed “sedexp,” utilizing Linux udev rules to achieve persistence and evade detection. This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)
A few months ago, I stumbled upon a 24 years old buffer overflow in the glibc, the base library for linux programs. Despite being reachable in multiple well-known libraries or executables, it proved rarely exploitable — while it didn't provide much leeway, it required hard-to-achieve preconditions. Looking for targets lead mainly to disappointment. On PHP however, the bug shone, and proved useful in exploiting its engine in two different ways.
RansomHub Draws in Affiliates with Multi-OS Capability and High Commission Rates
Discover how RansomHub's ransomware-as-a-service targets Windows, Linux, and ESXi systems.
XZ backdoor behavior inside OpenSSH
In this article, we analyze XZ backdoor behavior inside OpenSSH, after it has achieved RSA-related function hook.
Shc Linux Malware Installing CoinMiner
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild
Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]
Malicious PyPI package opens backdoors on Windows, Linux, and Macs
Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Linux-Targeted Malware Increases by 35% in 2021
CrowdStrike has observed that malware targeting Linux-based systems increased by 35% in 2021. XorDDoS, Mirai and Mozi were the most common malware families.
PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on every major…
Shc Linux Malware Installing CoinMiner
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild
Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]
Malicious PyPI package opens backdoors on Windows, Linux, and Macs
Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Linux-Targeted Malware Increases by 35% in 2021
CrowdStrike has observed that malware targeting Linux-based systems increased by 35% in 2021. XorDDoS, Mirai and Mozi were the most common malware families.
PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on every major…
Kaspersky analysis of the backdoor in XZ
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind
The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.
Check if you're vulnerable to CVE-2024-3094
CVE-2024-3094 is the new hot one and it’s extremely critical; however, impact should be limited as most normal linux distros are unaffected. Here’s some stuff to know:
Shc Linux Malware Installing CoinMiner
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild
Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]