
Researchers have discovered a never-before-seen framework that infects Linux machines with a large assortment of modules that are notable for the range of advanced capabilities they provide to attackers.
The framework, known as VoidLink based on its source code, features more than 30 modules that can be used to customize capabilities to satisfy attackers’ needs for every infected machine. These modules can provide additional stealth and specific tools for reconnaissance, privilege escalation, and lateral movement inside a compromised network. The components can be easily added or removed as objectives change over the course of a campaign.
A focus on Linux inside the cloud
VoidLink can target machines inside popular cloud services by detecting whether an infected machine is hosted in AWS, GCP, Azure, Alibaba, or Tencent, and there are indications that the developers plan to add detection for Huawei, DigitalOcean, and Vultr in future releases. To determine which cloud service hosts the machine, VoidLink examines instance metadata using the respective vendor’s API.
Similar frameworks targeting Windows servers have flourished for years. They are less common on Linux machines. The feature set is unusually broad and is “way more advanced than typical Linux malware,” said researchers from Check Point, the security firm that discovered VoidLink. Its creation may indicate that attackers’ focus is expanding to include Linux systems, cloud infrastructure, and application deployment environments, as organizations increasingly move workloads to those environments.
“VoidLink is a comprehensive ecosystem designed to maintain long-term, stealthy access to compromised Linux systems, particularly those running on public cloud platforms and in containerized environments,” the researchers said in a separate post. “Its design reflects a level of planning and investment typically associated with skilled threat actors rather than opportunistic attackers, raising the stakes for defenders who may never realize their infrastructure has been quietly taken over.”
