The new malware, VoidLink, has an automatic self-removal system.

The new malware, VoidLink, has an automatic self-removal system, heading to attack Linux users.

The Linux operating system, although open, is usually known for its security that is more than Windows, and its users tend to be computer experts with greater security, but not malware at all.

According to a report by the website Cyber Security News, a research team from Check Point, a cybersecurity management specialist, detected a VoidLink malware distribution campaign that focuses on attacking cloud systems that use the Linux operating system to manage the system. This malware has a great ability to evade detection and also has the ability to erase itself after it is completed. The malware is written in Zig, often a programming language used to develop cloud infrastructure, demonstrating the purpose of this particular malware attack. Another ability The scary thing is that it has the ability to adapt itself to a cloud of multiple providers that often behave and their different nature of operation. The malware supports the following clouds: AWS, GCP, Azure, Alibaba, and Tencent. The malware runs in Kubernetes or Docker's container and then starts detecting cloud behavior and modifying attack tactics from within the packer.

The malware also supports 37 plug-ins. These plug-ins run in the form of an Object loaded through Runtime and run directly through memory, similar to the Beacon Object of Cobalt Strike malware. In addition, the malware has the ability to steal passwords in cloud environments and from many system control tools such as Git, etc., making it easy for hackers to access classified data inside the cloud.

As for the ability to lurk on the system that is the hallmark of this malware, the malware, after it has been successfully installed on the target's machine, scans for security tools and the Kernel Hardening Technology, as well as EDR tools. After the scan is completed, the malware will start to perform risk calculations to find the best means of evasion. For example, in conditions of intensive detection, the malware will reduce the speed of operation, which can be called highly intelligent malware.

As for the attack on the Linux kernel, the malware releases Rootkit tools that match the kernel version. For example, if a version below 4.0 is an implementation of LD _ PRELOAD, version 4.0 or higher will be an implementation of Rootkit with the ability to hide processes, files, and Network Socket, as well as Rootkit's own modules. But if it is version 5.5 or higher with eBPF support, it will release Rootkit based on eBPF. It is considered malware with the ability to adapt. Excellent.

Even worse, the malware contains special code that has the ability to decrypt itself in the Protected Region on memory and encrypt itself in times of inactivity, making the detection system even more difficult to detect. It also detects any debugging attempts and tampering attempts. If you detect them, the malware will erase itself and all traces that occur on the system immediately to create difficulties for the analysis team.

# linux # Trending # Lemon 8 Howtoo # lemon 8 diary # freedomhack