The blog post “Linux Defense Evasion Techniques Detected by AhnLab EDR (1)” [1] covered methods where the threat actors and malware strains attacked Linux servers before incapacitating security services such as firewalls and security modules and then concealing the installed malware.
This post covers additional defense evasion techniques against Linux systems that the previous post did not address. For example, methods of concealing malware include having the running malware delete its own file so that an administrator does not notice it, or deleting the many log files that record the process from initial infiltration to malware installation. These actions can be performed manually by the threat actor, but there are also malware strains that use automated scripts. Because the goal of the threat actor is simply to get the malware to run, they may grant it all permissions instead of only the necessary ones before installing it.
AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution that provides powerful threat monitoring, analysis, and response capabilities for endpoints, based on a behavior-based engine developed in-house in South Korea. AhnLab EDR continuously collects information on suspicious behaviors by behavior type, allowing users to perceive threats precisely from a detection, analysis, and response perspective. Users can then conduct a comprehensive analysis of this data to identify causes, respond with appropriate measures, and establish processes to prevent recurrence.
This post will categorize the defense evasion techniques employed by the threat actors and malware against Linux systems and summarize the process for AhnLab EDR to detect such attacks.
1. Auto-delete
Unlike Windows, Linux allows the file of a running process to be deleted. As such, many malware strains targeting Linux systems tend to delete themselves after execution and keep running only in memory to evade file-based detection. For example, Nood RAT (known as a Linux variant of Gh0st RAT) [2] and the BlueShell malware used in APT attacks against Korea and Thailand [3] [4] both delete themselves and run only in memory. Various other malware strains, including Mirai and RotaJakiro [5], use the self-deletion technique as well.
AhnLab EDR detects the behavior of a running malware strain deleting itself as a threat and helps administrators become aware of this process in advance.
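One defender-side check for the self-deletion pattern described above, as an added example that is not part of the original post or of AhnLab's product: on Linux, `/proc/<pid>/exe` links to the running binary, and once that file has been unlinked the kernel appends " (deleted)" to the link target, so a scan of `/proc` exposes processes that are running only in memory. The `build_sample_proc` helper and the `/tmp/.hidden/payload` path are constructed for offline demonstration.

```python
"""Find processes whose executable has been unlinked (the self-delete pattern).
Added example: on Linux /proc/<pid>/exe links to the running binary, and once
that file is deleted the kernel appends " (deleted)" to the link target."""
import os
import tempfile
from typing import List, Tuple

DELETED_SUFFIX = " (deleted)"

def is_deleted_target(target: str) -> bool:
    """True when a /proc/<pid>/exe link target marks an unlinked binary."""
    return target.endswith(DELETED_SUFFIX)

def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Return (pid, original path) for every process running from a deleted file.
    Processes that exit mid-scan, kernel threads and EPERM entries are skipped."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:                  # gone already, kernel thread, or no permission
            continue
        if is_deleted_target(target):
            findings.append((int(entry), target[: -len(DELETED_SUFFIX)]))
    return sorted(findings)

def build_sample_proc() -> str:
    """Constructed /proc look-alike: pid 101 still has its binary on disk,
    pid 202 is running from a file that was unlinked after launch."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    os.makedirs(os.path.join(root, "101"))
    os.symlink("/usr/sbin/sshd", os.path.join(root, "101", "exe"))
    os.makedirs(os.path.join(root, "202"))
    os.symlink("/tmp/.hidden/payload (deleted)", os.path.join(root, "202", "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be ignored
    return root

if __name__ == "__main__":
    for pid, path in scan_proc():
        print(f"pid {pid} is running from deleted file {path}")
```

Run against the real `/proc` as root to see every process, since `exe` links of other users' processes are not readable otherwise.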
2. Deleting Logs
In Linux, logs of major events that occur in the system are stored in the file “/var/log/syslog”. Syslog contains kernel, daemon, and scheduling information. Accordingly, there are cases where the threat actor or malware deletes log files such as Syslog to conceal the commands they executed or the actions they performed.
For example, Kinsing, a CoinMiner installed through poorly managed Docker or Redis servers or through vulnerability attacks, first uses a script to delete Syslog after initial infiltration. [6]
The “.bash_history” file, which contains the commands the user entered in shells such as Bash, may also be deleted by the threat actor. For example, the script used by the Team TNT threat actor contains a command that deletes the “.bash_history” file to remove the record of the commands run by the malware. For reference, Team TNT is a threat actor that mines cryptocurrency by uploading a malicious Docker container image with the malware pre-installed to shared storage.
AhnLab EDR detects the malicious behaviors of deleting Syslog or the Bash history file as threats and helps administrators become aware of such processes in advance.
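The Syslog and Bash history deletions described in this section leave a trace when the Linux audit subsystem is watching those paths. The following is an added example, not code from the original post or from AhnLab: it assumes auditd rules such as `-w /var/log -p wa -k log_tamper` and `-w /root/.bash_history -p wa -k hist_tamper` are in place, groups the resulting `audit.log` records by event serial, and reports every unlink of a watched path together with the process that did it. The audit lines and the rule keys are constructed for the demonstration.

```python
"""Flag audited deletions of system logs and shell history (added example).
Assumes auditd watches those paths, e.g. `-w /var/log -p wa -k log_tamper`."""
import re
from collections import defaultdict
from typing import Dict, List

WATCHED = re.compile(r"^/var/log/|/\.bash_history$")   # paths worth an alert
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # timestamp and serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value pairs

def parse_records(lines) -> Dict[str, List[dict]]:
    """Group raw auditd records by event serial; one syscall yields several records."""
    events = defaultdict(list)
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rec["ts"] = m.group(1)
        events[m.group(2)].append(rec)
    return events

def find_log_deletions(lines) -> List[dict]:
    """One finding per unlink of a watched path, enriched from the SYSCALL record."""
    findings = []
    for serial, recs in parse_records(lines).items():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        for r in recs:
            # The PATH record for the entry being removed carries nametype=DELETE.
            if r.get("type") == "PATH" and r.get("nametype") == "DELETE" \
                    and WATCHED.search(r.get("name", "")):
                findings.append({"serial": serial, "ts": r["ts"], "path": r["name"],
                                 "pid": syscall.get("pid"), "comm": syscall.get("comm"),
                                 "exe": syscall.get("exe")})
    return findings

# Constructed sample audit.log: rm of syslog, a harmless temp-file unlink,
# and a shell removing root's .bash_history (syscall 87 = unlink on x86_64).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=87 success=yes exit=0 ppid=4120 pid=4133 uid=0 comm="rm" exe="/usr/bin/rm" key="log_tamper"
type=PATH msg=audit(1700000000.101:301): item=0 name="/var/log/" inode=131073 dev=fd:00 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000000.101:301): item=1 name="/var/log/syslog" inode=131100 dev=fd:00 mode=0100640 nametype=DELETE
type=SYSCALL msg=audit(1700000000.205:302): arch=c000003e syscall=87 success=yes exit=0 ppid=4120 pid=4140 uid=1000 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1700000000.205:302): item=1 name="/tmp/scratch.txt" inode=20 dev=fd:00 mode=0100644 nametype=DELETE
type=SYSCALL msg=audit(1700000000.310:303): arch=c000003e syscall=87 success=yes exit=0 ppid=4120 pid=4151 uid=0 comm="sh" exe="/usr/bin/dash" key="hist_tamper"
type=PATH msg=audit(1700000000.310:303): item=1 name="/root/.bash_history" inode=262 dev=fd:00 mode=0100600 nametype=DELETE
""".splitlines()
if __name__ == "__main__":
    for f in find_log_deletions(SAMPLE_AUDIT):
        print(f"{f['ts']} pid={f['pid']} {f['comm']} ({f['exe']}) deleted {f['path']}")
```

The same parser works on a live file by passing `open("/var/log/audit/audit.log")` as `lines`; renames (`rename`/`renameat`) of a watched path also produce a `nametype=DELETE` record, so they are caught too.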
3. Suspicious Privilege Granting
RedXOR is a backdoor that became known in 2021 and is known to be used by a threat actor suspected of being sponsored by China. [7] RedXOR collects basic information from the system and can receive commands from the C&C server to perform functions such as command execution, file- and process-related tasks, and proxying.
Thus, while it can only perform actual malicious behaviors after receiving commands from the C&C server, it is notable that it grants suspicious privileges during the installation process. It first copies itself to the path “/root/.po1kitd.thumb/.po1kitd-update-k” and registers itself as an init service so that it runs again after a reboot. It then sets the permissions of the “/etc/init.d/po1kitd-update” script, which is in charge of that startup process, to 777 (read, write, and execute for every user). AhnLab EDR detects such granting of suspicious privileges as a threat and helps administrators become aware of this process in advance.
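A startup script left at mode 777, as in the RedXOR case above, is easy to spot with a periodic permission audit of the directories that run at boot. The following is an added example, not AhnLab's or RedXOR's code: it reports every regular file in those directories with world- or group-writable bits or setuid/setgid set, and its sample directory (with a 0777 `po1kitd-update` script) is constructed for the demonstration. The `STARTUP_DIRS` list is an assumption and can be extended.

```python
"""Audit startup-script directories for permissions an attacker would set.
Added example; STARTUP_DIRS is an assumption and can be extended."""
import os
import stat
import tempfile
from typing import List, Tuple

STARTUP_DIRS = ["/etc/init.d", "/etc/rc.d/init.d", "/etc/cron.d", "/etc/systemd/system"]

def describe(mode: int) -> List[str]:
    """Name the risky permission bits set in a file mode (0777 -> two findings)."""
    flags = []
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    if mode & stat.S_IWGRP:
        flags.append("group-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        flags.append("setuid/setgid")
    return flags

def audit_dirs(dirs) -> List[Tuple[str, str, List[str]]]:
    """Return (path, octal mode, reasons) for each regular file with risky bits.
    Missing directories are skipped; symlinks are not followed (lstat)."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = describe(st.st_mode)
            if reasons:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), reasons))
    return findings

def build_sample_initd() -> str:
    """Constructed /etc/init.d look-alike: one sane script, one left at 0777."""
    d = tempfile.mkdtemp(prefix="initd_")
    for name, mode in (("sshd", 0o755), ("po1kitd-update", 0o777)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return d

if __name__ == "__main__":
    for path, mode, reasons in audit_dirs(STARTUP_DIRS):
        print(f"{path} {mode}: {', '.join(reasons)}")
```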
4. Conclusion
Threat actors use defense evasion techniques such as deleting the commands or logs produced during the attack process and removing the installed malware file so that it runs only in memory. As a result, administrators may find it difficult to track suspicious files or find traces of threat actors through logs.
AhnLab EDR detects the suspicious behaviors used in the defense evasion stage as threats and key behaviors, allowing administrators to become aware of them in advance. Based on these detections, administrators can identify the cause and respond appropriately. Even after being exposed to an attack, they can also review the data collected from the affected system, which is needed to investigate the infiltration incident, as evidence about the threat actor.
Behavior Detection
– DefenseEvasion/MDP.Remove.M11361
– DefenseEvasion/EDR.Delete.M11397
– SystemManipulation/EDR.Delete.M11458
– Execution/EDR.Chmod.M11395
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
The post Linux Defense Evasion Techniques Detected by AhnLab EDR (2) appeared first on ASEC BLOG.
MITRE ATT&CK TTPs – created by AI
Based on the article, here are some MITRE TTPs that can be created to match the described defense evasion techniques:
- T1070.004 – Indicator Removal on Host: File Deletion
- Description: Deleting logs such as Syslog and .bash_history to erase evidence of commands executed or activities performed by malware.
- T1070.002 – Indicator Removal on Host: Clear Linux or Mac System Logs
- Description: Deleting system log files such as Syslog on the Linux host to obscure activities.
- T1070.003 – Indicator Removal on Host: Clear Command History
- Description: Deleting the .bash_history file to hide command execution history from shell sessions.
- T1040 – Network Sniffing
- Description: Not directly mentioned in the article, but related to some methods of privilege escalation and malware operation.
- T1071.001 – Application Layer Protocol: Web Protocols
- Description: In the context of malware like RedXOR that communicates with a C&C server, this technique involves using application layer protocols to receive commands.
- T1190 – Exploit Public-Facing Application
- Description: Mentioned indirectly in the context of malware like Kinsing, which exploits vulnerabilities in poorly managed Docker containers or servers.
- T1095 – Non-Application Layer Protocol
- Description: Custom protocols outside the standard application layer might be used for command and control communications by malware such as RedXOR.
These TTPs should help in understanding and identifying similar techniques in threat detection and response scenarios, especially in Linux environments.