Heh, my work has a firewall policy: any activity towards TOR servers flags an alert and makes security contact you. If you don't confirm it was by design, they'll start full scale "computer compromised" procedure. (And if you do confirm it was by design, then they'll ask you to change that design if possible :) )

I thought it was overly paranoid, but it seems that would have really helped in this case.
A lot of focus on the malware itself, but not so much on the misconfigurations and vulnerabilities which enable it. Would love to see that list. Other than that, the evasion techniques look pretty traditional.

And of course the privilege escalation is done by a polkit vulnerability...
"CVE-2023-33246 is a vulnerability found in RocketMQ, which is a software that manages messages"

A more appropriate but less clickbaity title would be "Stealthy malware targeting servers running RocketMQ"
From the article:

> "Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you have a Linux server connected to the internet, you could be at risk. In fact, given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk.
>
> ...
>
> - It utilizes rootkits to hide its presence.
> - When a new user logs into the server, it immediately stops all "noisy" activities, lying dormant until the server is idle again.
> - It utilizes Unix socket for internal communication and TOR for external communication.
> - After execution, it deletes its binary and continues to run quietly in the background as a service.
> - It copies itself from memory to various locations on the disk, using deceptive names.
> - It opens a backdoor on the server and listens for TOR communications.
> - It attempts to exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.
>
> In all the attacks observed, the malware was used to run a cryptominer, and in some cases, we also detected the execution of proxy-jacking software. During one of our sandbox tests, the threat actor utilized one of the malware's backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to understand what exactly we are doing to its malware."

The article goes into more depth of the attack flow, what the malware does, and how they detected it.
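Added example, not from the article or from any commenter: a small Python hunting script for one of the behaviours quoted above, a process that keeps running after its on-disk binary was deleted, which Linux exposes as the `/proc/<pid>/exe` link target ending in ` (deleted)`. The suspicious-directory list and the sample mapping are my own assumptions; the scan is a triage heuristic, since package upgrades also leave daemons running from deleted binaries.

```python
import os
from typing import Dict, List, Optional

# Heuristic only: a deleted exe or an exe living in a scratch/tmpfs path is a
# hunting lead that needs triage, not proof of compromise (upgraded daemons
# also show " (deleted)" until restarted).
DELETED_SUFFIX = " (deleted)"
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "memfd:")  # assumption

# Constructed sample of readlink(/proc/<pid>/exe) results for offline use.
SAMPLE_TARGETS: Dict[int, Optional[str]] = {
    1: "/usr/lib/systemd/systemd",
    742: "/usr/sbin/sshd",
    1337: "/tmp/.x/sysd (deleted)",   # constructed: deceptive name, binary gone
    2048: "/dev/shm/.cfg/httpd",      # constructed: executing from tmpfs
    9: None,                          # kernel thread, no exe link
}


def classify_exe(pid: int, exe_target: Optional[str]) -> Optional[str]:
    """Return a reason string if the exe link target looks suspicious."""
    if exe_target is None:          # kernel thread or unreadable link
        return None
    if exe_target.endswith(DELETED_SUFFIX):
        path = exe_target[: -len(DELETED_SUFFIX)]
        return f"pid {pid}: binary deleted on disk ({path})"
    for prefix in SUSPICIOUS_DIRS:
        if exe_target.startswith(prefix):
            return f"pid {pid}: executing from {prefix} ({exe_target})"
    return None


def scan(exe_targets: Dict[int, Optional[str]]) -> List[str]:
    """Pure function over a pid -> exe link target mapping; sorted by pid."""
    findings = []
    for pid in sorted(exe_targets):
        reason = classify_exe(pid, exe_targets[pid])
        if reason:
            findings.append(reason)
    return findings


def read_proc_exe_targets(proc: str = "/proc") -> Dict[int, Optional[str]]:
    """Collect readlink(/proc/<pid>/exe) for every numeric entry under proc."""
    targets: Dict[int, Optional[str]] = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                targets[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
            except OSError:         # permission denied, exited, kernel thread
                targets[int(entry)] = None
    return targets
```

On a live host run `scan(read_proc_exe_targets())` as root so every process's exe link is readable.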
I've been dealing with something similar - maybe actually this for 2 months.

There were some great insights from this researcher but they're missing some very fucked up elements of this malware.

1. I'm pretty sure it has a "fuck with it" scale. It leaves you alone if you don't fuck with it. In fact, I'd bet money that this malware did all the cryptocurrency shit for a reason like a bait and switch.

2. It affects android too. Doesn't seem to matter what device or how updated it is.

3. And windows.

4. It isn't persistent through rootkits. I mean, it is. But it's also deeper. My current thinking is that it's persistent on my machines using the RAM training algorithms to spin itself up. From..

5. Your display. I have four displays that have had their firmware fucked with. Just discovered it's on a brand new mobo that I set up ensuring there was not a single peripheral I'd used before, no LEDs. Hadn't even installed an OS before running a RAM only mode Linux session from a hardware write protected USB THROUGH a write protected USB bridge. The only thing it was connected to that wasn't new was my monitor, and the USB key (created from a secure PC and immediately write protected).

I think that this thing is EVERYWHERE. I've seen references in bash files from the initramfs that allude to escalating its action based on variables I couldn't pin down
Here is Ars Technica's write up: https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/