VoidLink includes an unusually broad and advanced array of capabilities.<\/h5>\n\n\n\n
By Dan Goodin<\/p>\n\n\n\n Researchers have discovered a never-before-seen framework that infects Linux machines with a wide assortment of modules that are notable for the range of advanced capabilities they provide to attackers.<\/p>\n\n\n\n The framework, referred to as VoidLink by its source code, features more than 30 modules that can be used to customize capabilities to meet attackers\u2019 needs for each infected machine. These modules can provide additional stealth and specific tools for reconnaissance, privilege escalation, and lateral movement inside a compromised network. The components can be easily added or removed as objectives change over the course of a campaign.<\/p>\n\n\n\n VoidLink can target machines within popular cloud services by detecting if an infected machine is hosted inside AWS, GCP, Azure, Alibaba, and Tencent, and there are indications that developers plan to add detections for Huawei, DigitalOcean, and Vultr in future releases. To detect which cloud service hosts the machine, VoidLink examines metadata using the respective vendor\u2019s API.<\/p>\n\n\n\n Similar frameworks targeting Windows servers have flourished for years. They are less common on Linux machines. The feature set is unusually broad and is \u201cfar more advanced than typical Linux malware,\u201d said<\/a> researchers from Checkpoint, the security firm that discovered VoidLink. Its creation may indicate that the attacker\u2019s focus is increasingly expanding to include Linux systems, cloud infrastructure, and application deployment environments, as organizations increasingly move workloads to these environments.<\/p>\n\n\n\n \u201cVoidLink is a comprehensive ecosystem designed to maintain long-term, stealthy access to compromised Linux systems, particularly those running on public cloud platforms and in containerized environments,\u201d the researchers said in a separate post<\/a>. \u201cIts design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers, raising the stakes for defenders who may never realize their infrastructure has been quietly taken over.\u201d<\/p>\n\n\n\n The VoidLink interface is localized for Chinese-affiliated operators, an indication that it likely originates from a Chinese-affiliated development environment. Symbols and comments within the source code suggest that VoidLink remains under development. Another sign the framework is not yet completed: Checkpoint found no signs it has infected any machines in the wild. Company researchers discovered it last month in a series of clusters of Linux malware available through VirusTotal<\/a>.<\/p>\n\n\n\n Included in the batch of binaries was a two-stage loader. The final implant includes core modules embedded that can be augmented by plugins that are downloaded and installed at runtime. The capabilities of the 37 modules discovered so far include:<\/p>\n\n\n\n With no indication that VoidLink is actively targeting machines, there\u2019s no immediate action required by defenders, although they can obtain indicators of compromise from the Checkpoint blog post. VoidLink still indicates defenders should apply vigilance when working with Linux machines.<\/p>\n","protected":false},"excerpt":{"rendered":" Linux server malware is not a new thing at all since Linux dominates the server space, but during the time of many going from Windows 10 to Linux as they won’t run Windows 11, a major publishing house with advertising from Microsoft doing a piece like this about Linux looks a little bit like propaganda. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-15283","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/15283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=15283"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/15283\/revisions"}],"predecessor-version":[{"id":15284,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/15283\/revisions\/15284"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=15283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=15283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=15283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"\/](\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/07\/exploit-vulnerability-security.jpg\")
A focus on Linux inside the cloud<\/h2>\n\n\n\n
\n