The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: Linux malware

EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users

EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users

July 17, 2019Swati Khandelwal
Security researchers have discovered a rare piece of Linux spyware that's currently fully undetected across all major antivirus security software products, and includes rarely seen functionalities with regards to most Linux malware, The Hacker News learned. It's a known fact that there are a very few strains of Linux malware exist in the wild as compared to Windows viruses because of its core architecture and also due to its low market share, and also many of them don't even have a wide range of functionalities. In recent years, even after the disclosure of severe critical vulnerabilities in various flavors of Linux operating systems and software, cybercriminals failed to leverage most of them in their attacks. Instead, a large number of malware targeting Linux ecosystem is primarily focused on cryptocurrency mining attacks for financial gain and creating DDoS botnets by hijacking vulnerable servers. However, researchers at security firm Intezer Labs recently d
This Cryptomining Malware Launches Linux VMs On Windows and macOS

This Cryptomining Malware Launches Linux VMs On Windows and macOS

June 21, 2019Mohit Kumar
Cybersecurity researchers from at least two firms today unveiled details of a new strain of malware that targets Windows and macOS systems with a Linux-based cryptocurrency mining malware. It may sound strange, but it's true. Dubbed " LoudMiner " and also " Bird Miner, " the attack leverages command-line based virtualization software on targeted systems to silently boot an image of Tiny Core Linux OS that already contains a hacker-activated cryptocurrency mining software in it. Isn't it interesting to use emulation to run single-platform malware on cross-platforms? Spotted by researchers at ESET and Malwarebytes , attackers are distributing this malware bundled with pirated and cracked copies of VST (Virtual Studio Technology) software on the Internet and via Torrent network since August 2018. VST applications contain sounds, effects, synthesizers, and other advanced editing features that allow tech-centric audio professionals to create music.
Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

January 25, 2018Mohit Kumar
Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this. Wide-range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems. Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal , engaged in global mobile espionage campaigns. Although the report revealed about the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to be developed by, or for, the Dark Caracal group. CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, ru
New Mirai Okiru Botnet targets devices running widely-used ARC Processors

New Mirai Okiru Botnet targets devices running widely-used ARC Processors

January 15, 2018Mohit Kumar
The cybersecurity threat landscape has never been more extensive and is most likely to grow exponentially in 2018. Although the original creators of Mirai DDoS botnet have already been arrested and jailed, the variants of the infamous IoT malware are still in the game due to the availability of its source code on the Internet. Security researchers have spotted a new variant of infamous Mirai IoT malware designed to hijack insecure devices that run on ARC embedded processors. Until now, Mirai and its variants have been targeting CPU architectures— including x86, ARM, Sparc, MIPS, PowerPC and Motorola 6800 —deployed in millions of Internet of Things (IoT) devices. Dubbed Okiru , the new Mirai variant, first spotted by @unixfreaxjp from MalwareMustDie team and notified by independent researcher Odisseus , is a new piece of ELF malware that targets ARC-based embedded devices running Linux operating system. " This is the FIRST TIME ever in the history of computer eng
Linux Trojan Using Hacked IoT Devices to Send Spam Emails

Linux Trojan Using Hacked IoT Devices to Send Spam Emails

September 22, 2017Wang Wei
Botnets, like Mirai , that are capable of infecting Linux-based internet-of-things (IoT) devices are constantly increasing and are mainly designed to conduct Distributed Denial of Service (DDoS) attacks, but researchers have discovered that cybercriminals are using botnets for mass spam mailings. New research conducted by Russian security firm Doctor Web has revealed that a Linux Trojan, dubbed Linux.ProxyM that cybercriminals use to ensure their online anonymity has recently been updated to add mas spam sending capabilities to earn money. The Linux.ProxyM Linux Trojan, initially discovered by the security firm in February this year, runs a SOCKS proxy server on an infected IoT device and is capable of detecting honeypots in order to hide from malware researchers. Linux.ProxyM can operate on almost all Linux device, including routers, set-top boxes, and other equipment having the following architectures: x86, MIPS, PowerPC, MIPSEL, ARM, Motorola 68000, Superh and SPARC.
Hacker Sentenced to 46 Months in Prison for Spreading Linux Malware

Hacker Sentenced to 46 Months in Prison for Spreading Linux Malware

August 04, 2017Wang Wei
A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in fraudulent payments has been imprisoned for 46 months (nearly four years) in a United States' federal prison. 41-year-old Maxim Senakh , of Velikii Novgorod, was arrested by Finnish police in August 2015 for his role in the development and maintenance of the infamous Linux botnet called Ebury that siphoned millions of dollars from victims worldwide. Senakh was extradited to the United States in February 2016 to face charges and pleaded guilty in late March this year after admitting of creating a massive Ebury botnet and personally being profited from the scheme. First spotted in 2011, Ebury is an SSH backdoor Trojan for Linux and Unix-style operating systems, such as FreeBSD or Solaris, which gives attackers full shell control of an infected machine remotely even if the password for affected user account is changed regularly. Senakh and his associates used the malw
CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware

CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware

July 27, 2017Mohit Kumar
Last month, we reported about a group of hackers exploiting SambaCry —a 7-year-old critical remote code execution vulnerability in Samba networking software—to hack Linux computers and install malware to mine cryptocurrencies. The same group of hackers is now targeting Windows machines with a new backdoor, which is a QT-based re-compiled version of the same malware used to target Linux. Dubbed CowerSnail , detected by security researchers at Kaspersky Labs as Backdoor.Win32.CowerSnail, is a fully-featured windows backdoor that allows its creators to remotely execute any commands on the infected systems. Wondering how these two separate campaigns are connected? Interestingly, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that was used to infect Linux machines to mine cryptocurrency last month by exploiting the then-recently exposed SambaCry vulnerability. Common C&C Server Location — cl.ezreal.space:20480 SambaCry vulnerabi
Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back

Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back

June 19, 2017Mohit Kumar
South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after a Linux ransomware infected its 153 servers, encrypting 3,400 business websites and their data, hosted on them. According to a blog post published by NAYANA, the web hosting company, this unfortunate event happened on 10th June when ransomware malware hit its hosting servers and attacker demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files. However, the company later negotiated with the cyber criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get their files decrypted. The hosting company has already paid two installments at the time of writing and would pay the last installment of ransom after recovering data from two-third of its infected servers. According to the security firm Trend Micro , the ransomware used in the attack was Erebus that was first spotted in September last year and was seen in February this year with Win
Hacker Who Used Linux Botnet to Send Millions of Spam Emails Pleads Guilty

Hacker Who Used Linux Botnet to Send Millions of Spam Emails Pleads Guilty

March 29, 2017Mohit Kumar
A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in illicit profit has finally entered a guilty plea in the United States and is going to face sentencing in August. Maxim Senakh, 41, of Velikii Novgorod, Russia, pleaded guilty in a US federal court on Tuesday for his role in the development and maintenance of the infamous Linux botnet known as Ebury that siphoned millions of dollars from victims worldwide. Senakh, who was detained by Finland in August 2015 and extradition to the US in January 2016, admitted to installing Ebury malware on computer servers worldwide, including thousands in the United States. First spotted in 2011, Ebury is an SSH backdoor Trojan for Linux and Unix-style operating systems, like FreeBSD or Solaris, which infected more than 500,000 computers and 25,000 dedicated servers in a worldwide malware campaign called ' Operation Windigo .' Ebury backdoor gives attackers full shell control of
New Trojan Turns Thousands Of Linux Devices Into Proxy Servers

New Trojan Turns Thousands Of Linux Devices Into Proxy Servers

January 25, 2017Wang Wei
" Linux doesn't get viruses " — It's a Myth. A new Trojan has been discovered in the wild that turns Linux-based devices into proxy servers, which attackers use to protect their identity while launching cyber attacks from the hijacked systems. Dubbed Linux.Proxy.10 , the Trojan was first spotted at the end of last year by the researchers from Russian security firm Doctor Web, who later identified thousand of compromised machines by the end of January this year and the campaign is still ongoing and hunting for more Linux machines. According to researchers, the malware itself doesn't include any exploitation module to hack into Linux machines; instead, the attackers are using other Trojans and techniques to compromise devices at the first place and then create a new backdoor login account using the username as " mother " and password as " fucker ." Once backdoored and the attacker gets the list of all successfully compromised Linux ma
New IoT Botnet Malware Discovered; Infecting More Devices Worldwide

New IoT Botnet Malware Discovered; Infecting More Devices Worldwide

November 01, 2016Swati Khandelwal
The whole world is still dealing with the Mirai IoT Botnet that caused vast internet outage last Friday by launching massive distributed denial of service (DDoS) attacks against the DNS provider Dyn, and researchers have found another nasty IoT botnet. Security researchers at MalwareMustDie have discovered a new malware family designed to turn Linux-based insecure Internet of Things (IoT) devices into a botnet to carry out massive DDoS attacks. Dubbed Linux/IRCTelnet , the nasty malware is written in C++ and, just like Mirai malware , relies on default hard-coded passwords in an effort to infect vulnerable Linux-based IoT devices. The IRCTelnet malware works by brute-forcing a device's Telnet ports, infecting the device's operating system, and then adding it to a botnet network which is controlled through IRC (Internet Relay Chat) – an application layer protocol that enables communication in the form of text. So, every infected bot (IoT device) connects to a mali
Advanced Malware targeting Internet of the Things and Routers

Advanced Malware targeting Internet of the Things and Routers

March 31, 2016Mohit Kumar
Anything connected to the Internet could be hacked and so is the Internet of Things (IoTs) . The market fragmentation of IoTs or Internet-connected devices is a security nightmare, due to poor security measures implemented by their vendors. Now, the researchers at security firm ESET have discovered a piece of Malware that is targeting embedded devices such as routers, and other connected devices like gateways and wireless access points, rather than computers or smartphones. Dubbed KTN-Remastered or KTN-RM , the malware is a combination of both Tsunami (or Kaiten) as well as Gafgyt. Tsunami is a well-known IRC ( Internet Relay Chat ) bot used by miscreants for launching Distributed Denial of Service (DDoS) attacks while Gafgyt is used for Telnet scanning. KTN-RM, which researcher dubbed ' Remaiten ,' features an improved spreading mechanism by carrying downloader executable binaries for embedded platforms and other connected devices. How Does the
Warning — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

Warning — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

February 21, 2016Swati Khandelwal
Are you also the one who downloaded Linux Mint on February 20th? You may have been Infected! Linux Mint is one of the best and popular Linux distros available today, but if you have downloaded and installed the operating system recently you might have done so using a malicious ISO image. Here's why: Last night, Some unknown hacker or group of hackers had managed to hack into the Linux Mint website and replaced the download links on the site that pointed to one of their servers offering a malicious ISO images for the Linux Mint 17.3 Cinnamon Edition . "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," the head of Linux Mint project Clement Lefebvre said in a surprising announcement dated February 21, 2016. Who are affected? As far as the Linux Mint team knows, the issue only affects the one edition, and that is Linux Mint 17.3 Cinnamon edition. The situation happened last night, s
Vigilante Hackers Aim to Hijack 200,000 Routers to Make Them More Secure

Vigilante Hackers Aim to Hijack 200,000 Routers to Make Them More Secure

February 10, 2016Swati Khandelwal
The same "Vigilante-style Hacker," who previously hacked more than 10,000 routers to make them more secure, has once again made headlines by compromising more than 70,000 home routers and apparently forcing their owners to make them secure against flaws and weak passwords. Just like the infamous hacking group Lizard Squad , the group of white hat hackers, dubbed the White Team , is building up a sizeable botnet consisting of hundreds of thousands of home routers, but for a good purpose. Lizard Squad , the same group responsible for Sony PlayStation Network and Microsoft Xbox Live outages , uses their botnets to launch DDoS ( Distributed Denial of Service ) attacks against target websites to flood them with traffic and knock them offline. Hacking Routers to Make them More Secure Challenged by Lizard Squad's maliocus work, the White Team of vigilante hackers built their own peer-to-peer botnet that infects routers to close off vulnerabilities , such
Linux Ransomware targeting Servers and Threatening Webmasters to Pay

Linux Ransomware targeting Servers and Threatening Webmasters to Pay

November 09, 2015Swati Khandelwal
Since past few years, Ransomware has emerged as one of the catastrophic malware programs that lets hacker encrypts all the contents of a victim's hard drive or/and server and demands ransom (typically to be paid in Bitcoin ) in exchange for a key to decrypt it. Until now cyber criminals were targeting computers, smartphones and tablets, but now it appears they are creating ransomware that makes the same impact but for Web Sites – specifically holding files, pages and images of the target website for Ransom. Dubbed Linux.Encoder.1 by Russian antivirus firm Dr.Web , the new strain of ransomware targets Linux-powered websites and servers by encrypting MySQL, Apache, and home/root folders associated with the target site and asking for 1 Bitcoin ( ~ $300 ) to decrypt the files. The ransomware threat is delivered to the target website through known vulnerabilities in website plugins or third-party software. Must Read: FBI Suggests Ransomware Victims — 'Just Pay th
Incredible! Someone Just Hacked 10,000 Routers to Make them More Secure

Incredible! Someone Just Hacked 10,000 Routers to Make them More Secure

October 05, 2015Khyati Jain
Has anyone ever heard about a " Vigilante-style Hacker ," who hacks every possible system to make them more Secure? No. It's not funny, neither a movie story: Reportedly, someone is hacking thousands unprotected Wi-Fi routers everywhere and apparently forcing owners to make them more Secure. Security firm Symantec has discovered a new malware, dubbed " Linux.Wifatch " a.k.a " Ifwatch ," infected more than 10,000 vulnerable ' Internet of Things ' devices, and spreading quickly. However, Linux.Wifatch not only removes malicious backdoor but also encourages users to update their weak passwords. How Does Linux.Wifatch Work? Once a device is infected, the Linux.Wifatch malware connects to a peer-to-peer network that is being used to distribute threat updates. Linux.Wifatch's code does not deploy any payload for malicious activities, such as to carry out DDoS attacks , rather it detects and remediates the known
New Botnet Hunts for Linux — Launching 20 DDoS Attacks/Day at 150Gbps

New Botnet Hunts for Linux — Launching 20 DDoS Attacks/Day at 150Gbps

September 30, 2015Swati Khandelwal
A network of compromised Linux servers has grown so powerful that it can blow large websites off the Internet by launching crippling Distributed Denial-of-service (DDoS ) attacks of over 150 gigabits per second (Gbps). The distributed denial-of-service network, dubbed XOR DDoS Botnet , targets over 20 websites per day , according to an advisory published by content delivery firm Akamai Technologies. Over 90 percent of the XOR DDoS targets are located in Asia, and the most frequent targets are the gaming sector and educational institutions. XOR creator is supposed to be from China, citing the fact that the IP addresses of all Command and Control (C&C) servers of XOR are located in Asia, where most of the infected Linux machines also reside. How XOR DDoS Botnet infects Linux System? Unlike other DDoS botnets , the XOR DDoS botnet infects Linux machines via embedded devices such as network routers and then brute forces a machine's SSH service to gain ro
New GPU-based Linux Rootkit and Keylogger with Excellent Stealth and Computing Power

New GPU-based Linux Rootkit and Keylogger with Excellent Stealth and Computing Power

May 09, 2015Swati Khandelwal
The world of hacking has become more organized and reliable over recent years and so the techniques of hackers. Nowadays, attackers use highly sophisticated tactics and often go to extraordinary lengths in order to mount an attack. And there is something new to the list: A team of developers has created not one, but two pieces of malware that run on an infected computer’s graphics processor unit (GPU) instead of its central processor unit (CPU), in order to enhance their stealthiness and computational efficiency. The two pieces of malware: Jellyfish Rootkit for Linux operating system Demon Keylogger The source code of both the Jellyfish Rootkit and the Demon keylogger, which are described as proof-of-concepts malware, have been published on Github. Until now, security researchers have discovered nasty malware running on the CPU and exploiting the GPU capabilities in an attempt to mine cryptocurrencies such as Bitcoins. However, these two malware co
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.