New stealthy Pumakit Linux rootkit malware spotted in the wild

December 12, 2024 at 05:38PM
A newly discovered Linux rootkit malware, Pumakit, incorporates stealth and privilege escalation techniques. It consists of multiple components, including a dropper and kernel/userland rootkits. Discovered by Elastic Security, it targets older Linux kernels for espionage and theft, employing sophisticated infection methods and hiding capabilities from system tools and logs.

Chinese hackers target Linux with new WolfsBane malware

November 21, 2024 at 03:09PM
ESET researchers have identified two new Linux malware families: ‘WolfsBane,’ a backdoor linked to the Chinese Gelsemium group, and ‘FireWood,’ potentially used by various APT groups. Both target Linux systems, highlighting a trend as attackers seek new vulnerabilities amid enhanced Windows security measures. WolfsBane employs sophisticated evasion techniques.

Custom “Pygmy Goat” malware used in Sophos Firewall hack on govt network

November 4, 2024 at 12:49PM
The UK’s NCSC analyzed “Pygmy Goat,” a Linux malware targeting Sophos XG firewalls used in attacks by Chinese threat actors. It employs advanced techniques for maintaining persistence and remote access. The report offers detection strategies and highlights similarities with “Castletap” malware linked to state-sponsored actors.

New FASTCash malware Linux variant helps steal money from ATMs

October 14, 2024 at 06:21PM
North Korean hackers are deploying a new Linux variant of FASTCash malware, targeting payment switch systems at financial institutions for unauthorized cash withdrawals. This variant, first noted in June 2023, manipulates transaction messages to bypass declines, facilitating thefts akin to previous FASTCash operations since 2016.

Linux malware “perfctl” behind years-long cryptomining campaign

October 3, 2024 at 10:39AM
Summary: The Linux malware “perfctl” has evaded detection for at least three years, targeting servers for cryptomining purposes. It exploits misconfigurations and known vulnerabilities to gain initial access, deploys rootkits for evasion, and communicates with threat actors over TOR. Aqua Nautilus offers detection and mitigation strategies to combat perfctl’s activities.

New Linux malware Hadooken targets Oracle WebLogic servers

September 13, 2024 at 01:11PM
Hackers are focusing on Oracle WebLogic servers to inject them with a new Linux malware called “Hadooken.” This malware initiates a cryptominer and a tool for distributed denial-of-service (DDoS) attacks.

New ‘Hadooken’ Linux Malware Targets WebLogic Servers

September 13, 2024 at 08:03AM
A new Linux malware named Hadooken targets Oracle WebLogic servers to install additional malware and extract credentials. It is deployed through attacks exploiting weak passwords, then downloads shell and Python scripts to ensure successful execution. Hadooken drops a cryptominer and Tsunami malware, and creates cronjobs for persistence. Other ransomware families’ …

Stealthy ‘sedexp’ Linux malware evaded detection for two years

August 25, 2024 at 12:48PM
‘Sedexp’ is a stealthy Linux malware that has been evading detection since 2022 by using a persistence technique not included in the MITRE ATT&CK framework.

New Linux Malware ‘sedexp’ Hides Credit Card Skimmers Using Udev Rules

August 25, 2024 at 02:36AM
Cybersecurity researchers have discovered a stealthy Linux malware called sedexp, utilized by financially motivated threat actors since 2022. Noteworthy for using udev rules to maintain persistence, the malware runs upon system reboot, enabling remote access and memory modification to conceal its presence. It has been observed hiding credit card scraping …

New Linux malware is controlled through emojis sent from Discord

June 15, 2024 at 01:15PM
The newly discovered Linux malware named ‘DISGOMOJI’ uses emojis for executing commands on infected devices in attacks on Indian government agencies, related to a Pakistan-based threat actor known as ‘UTA0137.’ This novel approach allows the malware to potentially bypass security software. DISGOMOJI maintains persistence on devices and aims to exfiltrate …