diff --git a/ATT&CK.md b/ATT&CK.md index b580605..89581fd 100644 --- a/ATT&CK.md +++ b/ATT&CK.md @@ -2,20 +2,20 @@ T1556.003: Pluggable Authentication Modules -* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True * https://github.com/zephrax/linux-pam-backdoor (https://github.com/timb-machine/linux-malware/issues/181), citable: False * https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (https://github.com/timb-machine/linux-malware/issues/772), citable: False -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) * https://github.com/Achiefs/fim (https://github.com/timb-machine/linux-malware/issues/779), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False T1056.001: Keylogging -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False (TACTICS OR TECHNIQUES WRONG) * https://github.com/anko/xkbcat (https://github.com/timb-machine/linux-malware/issues/691), citable: False +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) T1003: OS Credential Dumping @@ -33,9 +33,9 @@ T1110.002: Password Cracking T1003.007: Proc Filesystem +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True * https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) T1555.005: Password Managers @@ -43,18 +43,18 @@ T1555.005: Password Managers T1040: Network Sniffing -* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False * https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (https://github.com/timb-machine/linux-malware/issues/542), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG) T1558: Steal or Forge Kerberos Tickets +* https://github.com/CiscoCXSecurity/linikatz (https://github.com/timb-machine/linux-malware/issues/156), citable: False +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False * https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (https://github.com/timb-machine/linux-malware/issues/241), citable: False +* https://github.com/blacklanternsecurity/KCMTicketFormatter (https://github.com/timb-machine/linux-malware/issues/519), citable: False * https://github.com/fireeye/SSSDKCMExtractor (https://github.com/timb-machine/linux-malware/issues/520), citable: False (TACTICS OR TECHNIQUES WRONG) * https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (https://github.com/timb-machine/linux-malware/issues/240), citable: False -* https://github.com/blacklanternsecurity/KCMTicketFormatter (https://github.com/timb-machine/linux-malware/issues/519), citable: False -* https://github.com/CiscoCXSecurity/linikatz (https://github.com/timb-machine/linux-malware/issues/156), citable: False -* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False T1555: Credentials from Password Stores @@ -66,18 +66,18 @@ T1552: Unsecured Credentials T1552.004: Private Keys -* https://github.com/SecurityFail/kompromat (https://github.com/timb-machine/linux-malware/issues/813), citable: False * https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False * https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/SecurityFail/kompromat (https://github.com/timb-machine/linux-malware/issues/813), citable: False * https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False +* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True (TACTICS OR TECHNIQUES WRONG) T1110.003: Password Spraying -* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True * https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True * https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG) @@ -97,10 +97,10 @@ T1212: Exploitation for Credential Access T1110: Brute Force * https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True (TACTICS OR TECHNIQUES WRONG) * https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True (TACTICS OR TECHNIQUES WRONG) * https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG) T1003.008: /etc/passwd and /etc/shadow @@ -121,24 +121,24 @@ missing from ATT&CK T1053.003: Cron +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True (TACTICS OR TECHNIQUES WRONG) * https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (https://github.com/timb-machine/linux-malware/issues/662), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True * https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True -* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True T1106: Native API * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True (TACTICS OR TECHNIQUES WRONG) T1610: Deploy Container @@ -153,8 +153,8 @@ T1053.001: At (Linux) T1059: Command and Scripting Interpreter * https://redcanary.com/blog/process-streams/ (https://github.com/timb-machine/linux-malware/issues/494), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True * https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True * https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True T1204: User Execution @@ -168,11 +168,11 @@ T1072: Software Deployment Tools T1059.004: Unix Shell -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True * https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True (TACTICS OR TECHNIQUES WRONG) T1559: Inter-Process Communication @@ -180,83 +180,83 @@ T1559: Inter-Process Communication T1569: System Services -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True * https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True T1569.002: Service Execution missing from ATT&CK -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True * https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True ## Impact T1486: Data Encrypted for Impact +* https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (https://github.com/timb-machine/linux-malware/issues/102), citable: True * https://blog.polyswarm.io/darkangels-linux-ransomware (https://github.com/timb-machine/linux-malware/issues/666), citable: True -* https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (https://github.com/timb-machine/linux-malware/issues/496), citable: True * https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (https://github.com/timb-machine/linux-malware/issues/753), citable: True -* https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (https://github.com/timb-machine/linux-malware/issues/644), citable: True -* https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (https://github.com/timb-machine/linux-malware/issues/656), citable: True -* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False -* https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (https://github.com/timb-machine/linux-malware/issues/102), citable: True -* https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (https://github.com/timb-machine/linux-malware/issues/758), citable: True -* https://www.signalblur.io/through-the-looking-glass (https://github.com/timb-machine/linux-malware/issues/756), citable: True * https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (https://github.com/timb-machine/linux-malware/issues/101), citable: False +* https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (https://github.com/timb-machine/linux-malware/issues/496), citable: True +* https://twitter.com/Unit42_Intel/status/1653760405792014336 (https://github.com/timb-machine/linux-malware/issues/695), citable: True * https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (https://github.com/timb-machine/linux-malware/issues/442), citable: True +* https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (https://github.com/timb-machine/linux-malware/issues/638), citable: False * https://twitter.com/malwrhunterteam/status/1422972905541996546 (https://github.com/timb-machine/linux-malware/issues/374), citable: True -* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True +* https://www.signalblur.io/through-the-looking-glass (https://github.com/timb-machine/linux-malware/issues/756), citable: True * https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (https://github.com/timb-machine/linux-malware/issues/546), citable: True -* https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (https://github.com/timb-machine/linux-malware/issues/638), citable: False -* https://twitter.com/Unit42_Intel/status/1653760405792014336 (https://github.com/timb-machine/linux-malware/issues/695), citable: True +* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False * https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (https://github.com/timb-machine/linux-malware/issues/644), citable: True +* https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (https://github.com/timb-machine/linux-malware/issues/656), citable: True +* https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (https://github.com/timb-machine/linux-malware/issues/758), citable: True * https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (https://github.com/timb-machine/linux-malware/issues/544), citable: True +* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True T1499: Endpoint Denial of Service -* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True -* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True * https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False +* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True * https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True * https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True T1496: Resource Hijacking +* https://ultimacybr.co.uk/2023-10-04-Sysrv/ (https://github.com/timb-machine/linux-malware/issues/767), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True * https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True -* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True -* https://ultimacybr.co.uk/2023-10-04-Sysrv/ (https://github.com/timb-machine/linux-malware/issues/767), citable: True * https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True +* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True * https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False * https://github.com/tstromberg/malware-menagerie (https://github.com/timb-machine/linux-malware/issues/795), citable: False -* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True T1565.002: Transmitted Data Manipulation -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True T1485: Data Destruction * https://cert.gov.ua/article/4501891 (https://github.com/timb-machine/linux-malware/issues/651), citable: True +* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (https://github.com/timb-machine/linux-malware/issues/786), citable: True * https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True * https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True -* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (https://github.com/timb-machine/linux-malware/issues/786), citable: True T1498: Network Denial of Service +* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False * https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True -* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False +* https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True -* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False * https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True -* https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True -* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True +* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True T1490: Inhibit System Recovery @@ -264,8 +264,8 @@ T1490: Inhibit System Recovery T1561.001: Disk Content Wipe -* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True * https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (https://github.com/timb-machine/linux-malware/issues/786), citable: True +* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True T1529: System Shutdown/Reboot @@ -275,43 +275,43 @@ T1529: System Shutdown/Reboot T1205.002: Socket Filters -* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True -* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False -* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False -* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False * https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False (TACTICS OR TECHNIQUES WRONG) * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False -* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False * https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True +* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False * https://github.com/wunderwuzzi23/Offensive-BPF (https://github.com/timb-machine/linux-malware/issues/469), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False +* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False +* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) * https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False -* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False -* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True +* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False +* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False +* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False * https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) * https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (https://github.com/timb-machine/linux-malware/issues/152), citable: False -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False -* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True -* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True T1037: Boot or Logon Initialization Scripts @@ -319,19 +319,19 @@ T1037: Boot or Logon Initialization Scripts T1556.003: Pluggable Authentication Modules -* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True * https://github.com/zephrax/linux-pam-backdoor (https://github.com/timb-machine/linux-malware/issues/181), citable: False * https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (https://github.com/timb-machine/linux-malware/issues/772), citable: False -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True * https://github.com/Achiefs/fim (https://github.com/timb-machine/linux-malware/issues/779), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False T1543: Create or Modify System Process -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True * https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True T1133: External Remote Services @@ -347,18 +347,18 @@ T1542.003: Bootkit T1053.003: Cron +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True * https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (https://github.com/timb-machine/linux-malware/issues/662), citable: False +* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True * https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False -* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True * https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True -* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True * https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True T1098.003: Additional Cloud Roles @@ -368,69 +368,69 @@ missing from ATT&CK T1205: Traffic Signaling -* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False (TACTICS OR TECHNIQUES WRONG) * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False +* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False * https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True * https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False -* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True T1525: Implant Internal Image missing from ATT&CK -* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False * https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True * https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False T1505.003: Web Shell -* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (https://github.com/timb-machine/linux-malware/issues/373), citable: True +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) T1078.001: Default Accounts -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) * https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG) T1574.006: Dynamic Linker Hijacking -* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True -* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False -* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False * https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False -* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True -* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False * https://github.com/namazso/linux_injector (https://github.com/timb-machine/linux-malware/issues/599), citable: False +* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True * https://github.com/mav8557/Father (https://github.com/timb-machine/linux-malware/issues/606), citable: False -* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True T1053.001: At (Linux) @@ -443,14 +443,14 @@ T1098.004: SSH Authorized Keys T1205.001: Port Knocking -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False T1554: Compromise Client Software Binary -* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True * https://hckng.org/articles/perljam-elf64-virus.html (https://github.com/timb-machine/linux-malware/issues/735), citable: False +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True T1136.003: Cloud Account @@ -464,68 +464,68 @@ T1098: Account Manipulation T1547.006: Kernel Modules and Extensions -* https://github.com/pmorjan/kmod (https://github.com/timb-machine/linux-malware/issues/654), citable: False -* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (https://github.com/timb-machine/linux-malware/issues/683), citable: False (TACTICS OR TECHNIQUES WRONG) -* http://www.ouah.org/LKM_HACKING.html (https://github.com/timb-machine/linux-malware/issues/257), citable: False -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True -* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True -* https://github.com/jermeyyy/rooty (https://github.com/timb-machine/linux-malware/issues/440), citable: False -* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (https://github.com/timb-machine/linux-malware/issues/612), citable: True -* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False -* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False +* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False * https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://github.com/jermeyyy/rooty (https://github.com/timb-machine/linux-malware/issues/440), citable: False +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False * https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False -* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False -* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False +* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (https://github.com/timb-machine/linux-malware/issues/750), citable: True +* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (https://github.com/timb-machine/linux-malware/issues/683), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/pmorjan/kmod (https://github.com/timb-machine/linux-malware/issues/654), citable: False +* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (https://github.com/timb-machine/linux-malware/issues/111), citable: True * https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False -* https://github.com/m0nad/Diamorphine (https://github.com/timb-machine/linux-malware/issues/217), citable: False -* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True +* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (https://github.com/timb-machine/linux-malware/issues/612), citable: True +* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False * https://twitter.com/CraigHRowland/status/1593102427276050433 (https://github.com/timb-machine/linux-malware/issues/587), citable: False -* https://github.com/jafarlihi/modreveal (https://github.com/timb-machine/linux-malware/issues/609), citable: False * https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (https://github.com/timb-machine/linux-malware/issues/254), citable: False -* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (https://github.com/timb-machine/linux-malware/issues/111), citable: True +* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False * https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True -* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (https://github.com/timb-machine/linux-malware/issues/750), citable: True -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/jafarlihi/modreveal (https://github.com/timb-machine/linux-malware/issues/609), citable: False +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* http://www.ouah.org/LKM_HACKING.html (https://github.com/timb-machine/linux-malware/issues/257), citable: False +* https://github.com/m0nad/Diamorphine (https://github.com/timb-machine/linux-malware/issues/217), citable: False T1574: Hijack Execution Flow -* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True -* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True * https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False -* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False (TACTICS OR TECHNIQUES WRONG) * https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True T1078: Valid Accounts +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) * https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True -* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) * https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) T1546.004: Unix Shell Configuration Modification * https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True * https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (https://github.com/timb-machine/linux-malware/issues/655), citable: True * https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True -* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True T1100: Web Shell -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) T1505: Server Software Component @@ -533,21 +533,21 @@ T1505: Server Software Component T1037.004: RC Scripts +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True * https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) T1543.002: Systemd Service +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True * https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True T1136: Create Account @@ -577,30 +577,30 @@ T1037: Boot or Logon Initialization Scripts T1543: Create or Modify System Process -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) T1053.003: Cron +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True (TACTICS OR TECHNIQUES WRONG) * https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (https://github.com/timb-machine/linux-malware/issues/662), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True -* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG) T1055: Process Injection -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True * https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG) * https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG) T1611: Escape to Host @@ -609,28 +609,28 @@ T1611: Escape to Host T1078.001: Default Accounts -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) * https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG) T1574.006: Dynamic Linker Hijacking -* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True -* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False (TACTICS OR TECHNIQUES WRONG) * https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False -* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False (TACTICS OR TECHNIQUES WRONG) * https://github.com/namazso/linux_injector (https://github.com/timb-machine/linux-malware/issues/599), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True (TACTICS OR TECHNIQUES WRONG) * https://github.com/mav8557/Father (https://github.com/timb-machine/linux-malware/issues/606), citable: False -* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True T1053.001: At (Linux) @@ -638,17 +638,17 @@ T1053.001: At (Linux) T1548: Abuse Elevation Control Mechanism +* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False * https://github.com/Frissi0n/GTFONow (https://github.com/timb-machine/linux-malware/issues/771), citable: False * https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False -* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False * https://twitter.com/ankit_anubhav/status/1490574137370103808 (https://github.com/timb-machine/linux-malware/issues/483), citable: True T1548.001: Setuid and Setgid -* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False * https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False T1134.004: Parent PID Spoofing @@ -660,55 +660,55 @@ missing from ATT&CK T1547.006: Kernel Modules and Extensions -* https://github.com/pmorjan/kmod (https://github.com/timb-machine/linux-malware/issues/654), citable: False -* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (https://github.com/timb-machine/linux-malware/issues/683), citable: False (TACTICS OR TECHNIQUES WRONG) -* http://www.ouah.org/LKM_HACKING.html (https://github.com/timb-machine/linux-malware/issues/257), citable: False -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://github.com/jermeyyy/rooty (https://github.com/timb-machine/linux-malware/issues/440), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (https://github.com/timb-machine/linux-malware/issues/612), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False -* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False +* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False * https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/jermeyyy/rooty (https://github.com/timb-machine/linux-malware/issues/440), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False * https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False -* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (https://github.com/timb-machine/linux-malware/issues/750), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (https://github.com/timb-machine/linux-malware/issues/683), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/pmorjan/kmod (https://github.com/timb-machine/linux-malware/issues/654), citable: False +* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (https://github.com/timb-machine/linux-malware/issues/111), citable: True * https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False -* https://github.com/m0nad/Diamorphine (https://github.com/timb-machine/linux-malware/issues/217), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (https://github.com/timb-machine/linux-malware/issues/612), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False (TACTICS OR TECHNIQUES WRONG) * https://twitter.com/CraigHRowland/status/1593102427276050433 (https://github.com/timb-machine/linux-malware/issues/587), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/jafarlihi/modreveal (https://github.com/timb-machine/linux-malware/issues/609), citable: False * https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (https://github.com/timb-machine/linux-malware/issues/254), citable: False -* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (https://github.com/timb-machine/linux-malware/issues/111), citable: True +* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True -* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (https://github.com/timb-machine/linux-malware/issues/750), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/jafarlihi/modreveal (https://github.com/timb-machine/linux-malware/issues/609), citable: False +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* http://www.ouah.org/LKM_HACKING.html (https://github.com/timb-machine/linux-malware/issues/257), citable: False +* https://github.com/m0nad/Diamorphine (https://github.com/timb-machine/linux-malware/issues/217), citable: False (TACTICS OR TECHNIQUES WRONG) T1574: Hijack Execution Flow -* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True -* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True * https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False -* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False * https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True T1078: Valid Accounts +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) * https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True -* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) * https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) T1055.012: Process Hollowing @@ -720,46 +720,46 @@ missing from ATT&CK T1068: Exploitation for Privilege Escalation -* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False * https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False * https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False T1546.004: Unix Shell Configuration Modification * https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (https://github.com/timb-machine/linux-malware/issues/655), citable: True * https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True T1100: Web Shell -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) T1055.009: Proc Memory -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True * https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True T1037.004: RC Scripts +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) T1543.002: Systemd Service +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) T1574.002: DLL Side-Loading @@ -787,25 +787,25 @@ T1021.005: VNC T1021.004: SSH -* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True * https://rushter.com/blog/public-ssh-keys/ (https://github.com/timb-machine/linux-malware/issues/754), citable: False -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) * https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False -* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True -* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True -* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True * https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True * https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True * https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True -* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True T1563.001: SSH Hijacking -* https://github.com/aviat/passe-partout (https://github.com/timb-machine/linux-malware/issues/704), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/aviat/passe-partout (https://github.com/timb-machine/linux-malware/issues/704), citable: False (TACTICS OR TECHNIQUES WRONG) T1021.002: SMB/Windows Admin Shares @@ -827,43 +827,43 @@ T1072: Software Deployment Tools T1205.002: Socket Filters -* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True -* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False -* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False -* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False * https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False -* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False * https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True +* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False * https://github.com/wunderwuzzi23/Offensive-BPF (https://github.com/timb-machine/linux-malware/issues/469), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False +* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False +* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) * https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False -* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False -* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True +* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False +* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False +* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False * https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) * https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (https://github.com/timb-machine/linux-malware/issues/152), citable: False -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False -* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True -* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True -* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True T1027.009: Embedded Payloads @@ -871,28 +871,28 @@ T1027.009: Embedded Payloads T1556.003: Pluggable Authentication Modules -* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True * https://github.com/zephrax/linux-pam-backdoor (https://github.com/timb-machine/linux-malware/issues/181), citable: False * https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (https://github.com/timb-machine/linux-malware/issues/772), citable: False -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True * https://github.com/Achiefs/fim (https://github.com/timb-machine/linux-malware/issues/779), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False T1014: Rootkit -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True -* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False -* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True * https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False +* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False T1578: Modify Cloud Compute Infrastructure @@ -907,17 +907,17 @@ T1542.003: Bootkit T1036.005: Match Legitimate Name or Location -* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True * https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False -* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True -* https://asec.ahnlab.com/ko/55070/ (https://github.com/timb-machine/linux-malware/issues/709), citable: True -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://asec.ahnlab.com/en/55229/ (https://github.com/timb-machine/linux-malware/issues/722), citable: True +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True -* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True -* https://asec.ahnlab.com/en/55229/ (https://github.com/timb-machine/linux-malware/issues/722), citable: True +* https://asec.ahnlab.com/ko/55070/ (https://github.com/timb-machine/linux-malware/issues/709), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True +* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True T1564: Hide Artifacts @@ -925,12 +925,12 @@ T1564: Hide Artifacts T1070.002: Clear Linux or Mac System Logs -* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True +* https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (https://github.com/timb-machine/linux-malware/issues/706), citable: False * https://github.com/Kabot/mig-logcleaner-resurrected (https://github.com/timb-machine/linux-malware/issues/154), citable: False +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True * https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True -* https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (https://github.com/timb-machine/linux-malware/issues/706), citable: False -* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True T1202: Indirect Command Execution @@ -941,90 +941,90 @@ missing from ATT&CK T1140: Deobfuscate/Decode Files or Information +* https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp (https://github.com/timb-machine/linux-malware/issues/721), citable: True * https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True * https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True -* https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp (https://github.com/timb-machine/linux-malware/issues/721), citable: True * https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True T1562: Impair Defenses * https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False -* https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (https://github.com/timb-machine/linux-malware/issues/550), citable: False -* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False -* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (https://github.com/timb-machine/linux-malware/issues/739), citable: False * https://github.com/codewhitesec/daphne (https://github.com/timb-machine/linux-malware/issues/740), citable: False * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True -* https://github.com/codewhitesec/apollon (https://github.com/timb-machine/linux-malware/issues/734), citable: False +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False * https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True +* https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (https://github.com/timb-machine/linux-malware/issues/550), citable: False +* https://github.com/codewhitesec/apollon (https://github.com/timb-machine/linux-malware/issues/734), citable: False +* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (https://github.com/timb-machine/linux-malware/issues/739), citable: False T1036: Masquerading +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False * https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True * https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True +* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True +* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False * https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True * https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True -* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True -* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False -* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False -* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True -* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False * https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False -* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True -* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False -* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True -* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True * https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False -* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False -* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True -* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False -* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True T1055: Process Injection -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True * https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False * https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False T1205: Traffic Signaling -* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False +* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False * https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True -* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True * https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False -* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False -* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True * https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True T1218: System Binary Proxy Execution @@ -1032,34 +1032,34 @@ T1218: System Binary Proxy Execution T1070.006: Timestomp -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True * https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True T1620: Reflective Code Loading -* https://github.com/m1m1x/memdlopen (https://github.com/timb-machine/linux-malware/issues/175), citable: False -* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False -* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False -* https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (https://github.com/timb-machine/linux-malware/issues/747), citable: False * https://redcanary.com/blog/ebpf-for-security/ (https://github.com/timb-machine/linux-malware/issues/270), citable: False -* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True +* https://github.com/m1m1x/memdlopen (https://github.com/timb-machine/linux-malware/issues/175), citable: False +* https://github.com/trustedsec/ELFLoader (https://github.com/timb-machine/linux-malware/issues/416), citable: False * https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False +* https://www.form3.tech/engineering/content/bypassing-ebpf-tools (https://github.com/timb-machine/linux-malware/issues/584), citable: False +* https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (https://github.com/timb-machine/linux-malware/issues/747), citable: False * https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (https://github.com/timb-machine/linux-malware/issues/197), citable: False -* https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (https://github.com/timb-machine/linux-malware/issues/495), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (https://github.com/timb-machine/linux-malware/issues/436), citable: False -* https://sysdig.com/blog/containers-read-only-fileless-malware/ (https://github.com/timb-machine/linux-malware/issues/415), citable: False +* http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (https://github.com/timb-machine/linux-malware/issues/242), citable: False * https://github.com/X-C3LL/memdlopen-lib (https://github.com/timb-machine/linux-malware/issues/605), citable: False -* https://github.com/nnsee/fileless-elf-exec (https://github.com/timb-machine/linux-malware/issues/193), citable: False -* https://www.form3.tech/engineering/content/bypassing-ebpf-tools (https://github.com/timb-machine/linux-malware/issues/584), citable: False -* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False * https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (https://github.com/timb-machine/linux-malware/issues/736), citable: False -* http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (https://github.com/timb-machine/linux-malware/issues/242), citable: False -* https://github.com/trustedsec/ELFLoader (https://github.com/timb-machine/linux-malware/issues/416), citable: False +* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False +* https://github.com/nnsee/fileless-elf-exec (https://github.com/timb-machine/linux-malware/issues/193), citable: False * https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (https://github.com/timb-machine/linux-malware/issues/745), citable: False * https://github.com/guitmz/memrun (https://github.com/timb-machine/linux-malware/issues/592), citable: False -* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False * https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (https://github.com/timb-machine/linux-malware/issues/231), citable: False * https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (https://github.com/timb-machine/linux-malware/issues/567), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True +* https://sysdig.com/blog/containers-read-only-fileless-malware/ (https://github.com/timb-machine/linux-malware/issues/415), citable: False +* https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (https://github.com/timb-machine/linux-malware/issues/495), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (https://github.com/timb-machine/linux-malware/issues/436), citable: False +* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False T1497.003: Time Based Evasion @@ -1084,47 +1084,47 @@ missing from ATT&CK T1078.001: Default Accounts -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True * https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True T1574.006: Dynamic Linker Hijacking -* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True -* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False -* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False (TACTICS OR TECHNIQUES WRONG) * https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False -* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True -* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False -* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False * https://github.com/namazso/linux_injector (https://github.com/timb-machine/linux-malware/issues/599), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True * https://github.com/mav8557/Father (https://github.com/timb-machine/linux-malware/issues/606), citable: False -* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True T1222: File and Directory Permissions Modification -* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True * https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True T1548: Abuse Elevation Control Mechanism +* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False * https://github.com/Frissi0n/GTFONow (https://github.com/timb-machine/linux-malware/issues/771), citable: False (TACTICS OR TECHNIQUES WRONG) * https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False -* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False * https://twitter.com/ankit_anubhav/status/1490574137370103808 (https://github.com/timb-machine/linux-malware/issues/483), citable: True T1548.001: Setuid and Setgid -* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False * https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True * https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False T1562.006: Indicator Blocking @@ -1132,27 +1132,27 @@ T1562.006: Indicator Blocking T1070: Indicator Removal +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False * https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True -* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False -* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False -* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True -* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False * https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False * https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True * https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True T1036.004: Masquerade Task or Service @@ -1161,20 +1161,20 @@ T1036.004: Masquerade Task or Service T1480: Execution Guardrails * https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (https://github.com/timb-machine/linux-malware/issues/753), citable: True -* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True * https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (https://github.com/timb-machine/linux-malware/issues/660), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True T1205.001: Port Knocking -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False T1562.003: Impair Command History Logging -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True T1134.004: Parent PID Spoofing @@ -1186,12 +1186,12 @@ missing from ATT&CK T1562.001: Disable or Modify Tools +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True * https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (https://github.com/timb-machine/linux-malware/issues/739), citable: False * https://github.com/codewhitesec/daphne (https://github.com/timb-machine/linux-malware/issues/740), citable: False * https://github.com/codewhitesec/apollon (https://github.com/timb-machine/linux-malware/issues/734), citable: False -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (https://github.com/timb-machine/linux-malware/issues/739), citable: False T1601: Modify System Image @@ -1202,24 +1202,24 @@ missing from ATT&CK T1574: Hijack Execution Flow -* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True -* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True * https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False -* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False * https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True T1078: Valid Accounts +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False +* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) * https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True -* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False * https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True -* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) T1055.012: Process Hollowing @@ -1231,22 +1231,22 @@ missing from ATT&CK T1027: Obfuscated Files or Information -* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (https://github.com/timb-machine/linux-malware/issues/789), citable: True -* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True -* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False -* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True * https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (https://github.com/timb-machine/linux-malware/issues/588), citable: True -* https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True * https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True * https://github.com/trustedsec/ELFLoader (https://github.com/timb-machine/linux-malware/issues/416), citable: False -* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False * https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True +* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (https://github.com/timb-machine/linux-malware/issues/789), citable: True +* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True +* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True * https://netadr.github.io/blog/a-quick-glimpse-sbz/ (https://github.com/timb-machine/linux-malware/issues/596), citable: True +* https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True +* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True +* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) T1036.003: Rename System Utilities @@ -1270,35 +1270,35 @@ missing from ATT&CK T1055.009: Proc Memory -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True * https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True T1070.004: File Deletion +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True +* https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (https://github.com/timb-machine/linux-malware/issues/542), citable: True * https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True * https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (https://github.com/timb-machine/linux-malware/issues/495), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True -* https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (https://github.com/timb-machine/linux-malware/issues/542), citable: True * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True -* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True T1027.002: Software Packing * https://github.com/NozomiNetworks/upx-recovery-tool (https://github.com/timb-machine/linux-malware/issues/535), citable: False * https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (https://github.com/timb-machine/linux-malware/issues/625), citable: True -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://github.com/89luca89/pakkero (https://github.com/timb-machine/linux-malware/issues/718), citable: False -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True -* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True * https://github.com/SilentVoid13/Silent_Packer (https://github.com/timb-machine/linux-malware/issues/783), citable: False * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True +* https://github.com/89luca89/pakkero (https://github.com/timb-machine/linux-malware/issues/718), citable: False T1622: Debugger Evasion @@ -1324,20 +1324,20 @@ missing from ATT&CK T1564.001: Hidden Files and Directories -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True -* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True +* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False * https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False -* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False -* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False * https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False -* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False -* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True +* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True * https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True T1078.004: Cloud Accounts @@ -1359,13 +1359,13 @@ T1556: Modify Authentication Process T1567: Exfiltration Over Web Service -* https://www.archcloudlabs.com/projects/debuginfod/ (https://github.com/timb-machine/linux-malware/issues/796), citable: False -* https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (https://github.com/timb-machine/linux-malware/issues/407), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True (TACTICS OR TECHNIQUES WRONG) * https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.archcloudlabs.com/projects/debuginfod/ (https://github.com/timb-machine/linux-malware/issues/796), citable: False * https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True +* https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (https://github.com/timb-machine/linux-malware/issues/407), citable: True (TACTICS OR TECHNIQUES WRONG) T1020: Automated Exfiltration @@ -1381,18 +1381,18 @@ T1041: Exfiltration Over C2 Channel T1048: Exfiltration Over Alternative Protocol -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False -* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True * https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (https://github.com/timb-machine/linux-malware/issues/751), citable: False +* https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False * https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (https://github.com/timb-machine/linux-malware/issues/786), citable: True +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False ## Discovery @@ -1426,25 +1426,25 @@ T1007: System Service Discovery T1040: Network Sniffing -* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False * https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (https://github.com/timb-machine/linux-malware/issues/542), citable: True +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True T1082: System Information Discovery -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True * https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (https://github.com/timb-machine/linux-malware/issues/789), citable: True * https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (https://github.com/timb-machine/linux-malware/issues/787), citable: False * https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True * https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (https://github.com/timb-machine/linux-malware/issues/787), citable: False -* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True * https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) T1497.003: Time Based Evasion @@ -1458,16 +1458,16 @@ missing from ATT&CK T1016: System Network Configuration Discovery -* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True * https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True +* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True * https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) T1083: File and Directory Discovery -* https://www.guitmz.com/linux-nasty-elf-virus/ (https://github.com/timb-machine/linux-malware/issues/642), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True * https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://www.guitmz.com/linux-nasty-elf-virus/ (https://github.com/timb-machine/linux-malware/issues/642), citable: False (TACTICS OR TECHNIQUES WRONG) T1619: Cloud Storage Object Discovery @@ -1477,17 +1477,17 @@ missing from ATT&CK T1057: Process Discovery -* https://www.guitmz.com/linux-nasty-elf-virus/ (https://github.com/timb-machine/linux-malware/issues/642), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False * https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) * https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True -* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://www.guitmz.com/linux-nasty-elf-virus/ (https://github.com/timb-machine/linux-malware/issues/642), citable: False (TACTICS OR TECHNIQUES WRONG) * https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True * https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True * https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False -* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True T1526: Cloud Service Discovery @@ -1527,9 +1527,9 @@ T1560.001: Archive via Utility T1056.001: Keylogging -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False (TACTICS OR TECHNIQUES WRONG) * https://github.com/anko/xkbcat (https://github.com/timb-machine/linux-malware/issues/691), citable: False +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) T1602: Data from Configuration Repository @@ -1564,18 +1564,18 @@ T1583.008: Malvertising missing from ATT&CK -* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True -* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False * https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True -* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True * https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False T1587.001: Malware missing from ATT&CK -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True T1587.002: Code Signing Certificates @@ -1617,12 +1617,12 @@ T1608: Stage Capabilities missing from ATT&CK -* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True -* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False * https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True -* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True * https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False T1588.002: Tool @@ -1634,21 +1634,21 @@ T1585: Establish Accounts missing from ATT&CK -* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True -* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False * https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True -* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True * https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False T1588: Obtain Capabilities missing from ATT&CK -* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True -* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False * https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True -* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True * https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False ## Reconnaissance @@ -1711,43 +1711,43 @@ missing from ATT&CK T1205.002: Socket Filters -* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False * https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True -* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False -* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False -* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False (TACTICS OR TECHNIQUES WRONG) * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False (TACTICS OR TECHNIQUES WRONG) * https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False -* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False * https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True +* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False * https://github.com/wunderwuzzi23/Offensive-BPF (https://github.com/timb-machine/linux-malware/issues/469), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False +* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False +* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) * https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False -* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True +* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False +* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False * https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) * https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (https://github.com/timb-machine/linux-malware/issues/152), citable: False -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False -* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True -* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True T1132.001: Standard Encoding @@ -1755,65 +1755,65 @@ T1132.001: Standard Encoding T1071.004: DNS +* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (https://github.com/timb-machine/linux-malware/issues/766), citable: False * https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True -* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (https://github.com/timb-machine/linux-malware/issues/766), citable: False T1573.001: Symmetric Cryptography +* https://asec.ahnlab.com/en/55229/ (https://github.com/timb-machine/linux-malware/issues/722), citable: True +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True +* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True +* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True * https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True * https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://asec.ahnlab.com/ko/55070/ (https://github.com/timb-machine/linux-malware/issues/709), citable: True -* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True -* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True -* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True -* https://asec.ahnlab.com/en/55229/ (https://github.com/timb-machine/linux-malware/issues/722), citable: True T1071: Application Layer Protocol -* https://www.archcloudlabs.com/projects/debuginfod/ (https://github.com/timb-machine/linux-malware/issues/796), citable: False +* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (https://github.com/timb-machine/linux-malware/issues/751), citable: False * https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (https://github.com/timb-machine/linux-malware/issues/625), citable: True -* https://x.com/haxrob/status/1762821513680732222 (https://github.com/timb-machine/linux-malware/issues/810), citable: True +* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True * https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False -* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (https://github.com/timb-machine/linux-malware/issues/751), citable: False +* https://www.archcloudlabs.com/projects/debuginfod/ (https://github.com/timb-machine/linux-malware/issues/796), citable: False * https://blog.talosintelligence.com/lazarus-collectionrat/ (https://github.com/timb-machine/linux-malware/issues/752), citable: True -* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True * https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://x.com/haxrob/status/1762821513680732222 (https://github.com/timb-machine/linux-malware/issues/810), citable: True T1205: Traffic Signaling -* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False * https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False +* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False * https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True * https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False -* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False -* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False -* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False -* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True -* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False -* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False -* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True * https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True T1572: Protocol Tunneling -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True -* https://x.com/haxrob/status/1762821513680732222 (https://github.com/timb-machine/linux-malware/issues/810), citable: True * https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (https://github.com/timb-machine/linux-malware/issues/690), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True +* https://x.com/haxrob/status/1762821513680732222 (https://github.com/timb-machine/linux-malware/issues/810), citable: True T1092: Communication Through Removable Media @@ -1825,21 +1825,21 @@ T1090.002: External Proxy T1090: Proxy -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True * https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (https://github.com/timb-machine/linux-malware/issues/789), citable: True * https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (https://github.com/timb-machine/linux-malware/issues/784), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True T1102: Web Service -* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True * https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True * https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True +* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True T1205.001: Port Knocking -* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True * https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False T1071.002: File Transfer Protocols @@ -1860,34 +1860,34 @@ T1571: Non-Standard Port T1573: Encrypted Channel -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False -* https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True -* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True -* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True * https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True -* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False * https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (https://github.com/timb-machine/linux-malware/issues/751), citable: False -* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True -* https://blog.talosintelligence.com/lazarus-collectionrat/ (https://github.com/timb-machine/linux-malware/issues/752), citable: True +* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False * https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True +* https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False +* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True +* https://blog.talosintelligence.com/lazarus-collectionrat/ (https://github.com/timb-machine/linux-malware/issues/752), citable: True +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False +* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True T1573.002: Asymmetric Cryptography +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True * https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True * https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True -* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True T1095: Non-Application Layer Protocol +* https://redcanary.com/blog/process-streams/ (https://github.com/timb-machine/linux-malware/issues/494), citable: False * https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False * https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True -* https://redcanary.com/blog/process-streams/ (https://github.com/timb-machine/linux-malware/issues/494), citable: False -* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False * https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False * https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True -* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG) T1001.003: Protocol Impersonation @@ -1907,27 +1907,27 @@ T1132.002: Non-Standard Encoding T1071.001: Web Protocols +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True * https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (https://github.com/timb-machine/linux-malware/issues/625), citable: True -* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True * https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True -* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True -* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True +* https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (https://github.com/timb-machine/linux-malware/issues/784), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True * https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True * https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True -* https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (https://github.com/timb-machine/linux-malware/issues/784), citable: True +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True * https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True -* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True -* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True T1105: Ingress Tool Transfer +* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (https://github.com/timb-machine/linux-malware/issues/766), citable: False * https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True -* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) * https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True -* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (https://github.com/timb-machine/linux-malware/issues/766), citable: False +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True T1090.001: Internal Proxy @@ -1944,9 +1944,9 @@ T1133: External Remote Services T1195.001: Compromise Software Dependencies and Development Tools +* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (https://github.com/timb-machine/linux-malware/issues/787), citable: False * https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (https://github.com/timb-machine/linux-malware/issues/294), citable: False (TACTICS OR TECHNIQUES WRONG) * https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (https://github.com/timb-machine/linux-malware/issues/495), citable: False (TACTICS OR TECHNIQUES WRONG) -* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (https://github.com/timb-machine/linux-malware/issues/787), citable: False T1566.001: Spearphishing Attachment @@ -1954,26 +1954,26 @@ T1566.001: Spearphishing Attachment T1190: Exploit Public-Facing Application +* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (https://github.com/timb-machine/linux-malware/issues/373), citable: True +* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False +* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True * https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True * https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True -* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True -* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True (TACTICS OR TECHNIQUES WRONG) * https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (https://github.com/timb-machine/linux-malware/issues/714), citable: True -* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False -* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True * https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (https://github.com/timb-machine/linux-malware/issues/665), citable: False -* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False -* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True -* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (https://github.com/timb-machine/linux-malware/issues/373), citable: True -* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True -* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True +* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True (TACTICS OR TECHNIQUES WRONG) * https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False +* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True T1078.001: Default Accounts -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True * https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True * https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True T1199: Trusted Relationship @@ -1982,15 +1982,15 @@ T1199: Trusted Relationship T1078: Valid Accounts +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) * https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True * https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True -* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False * https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True -* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) * https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG) -* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False -* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False -* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True T1078.004: Cloud Accounts diff --git a/README.md b/README.md index 9e826ee..da2fb78 100644 --- a/README.md +++ b/README.md @@ -10,553 +10,553 @@ ## Press/academia -* https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ ([#35](https://github.com/timb-machine/linux-malware/issues/35)) -* https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations ([#32](https://github.com/timb-machine/linux-malware/issues/32)) -* https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ ([#33](https://github.com/timb-machine/linux-malware/issues/33)) -* https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf ([#21](https://github.com/timb-machine/linux-malware/issues/21)) - WINNTI -* https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ ([#22](https://github.com/timb-machine/linux-malware/issues/22)) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak -* https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ ([#19](https://github.com/timb-machine/linux-malware/issues/19)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact -* https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf ([#448](https://github.com/timb-machine/linux-malware/issues/448)) -* http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf ([#27](https://github.com/timb-machine/linux-malware/issues/27)) -* https://rp.os3.nl/ ([#30](https://github.com/timb-machine/linux-malware/issues/30)) -* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 ([#422](https://github.com/timb-machine/linux-malware/issues/422)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris -* https://ieeexplore.ieee.org/document/8418602 ([#25](https://github.com/timb-machine/linux-malware/issues/25)) -* https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html ([#34](https://github.com/timb-machine/linux-malware/issues/34)) +* https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf ([#20](https://github.com/timb-machine/linux-malware/issues/20)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux * https://www.group-ib.com/resources/threat-research/oldgremlin.html ([#573](https://github.com/timb-machine/linux-malware/issues/573)) - Impact, OldGremlin, Linux -* https://wikileaks.org/vault7/ ([#31](https://github.com/timb-machine/linux-malware/issues/31)) +* https://en.wikipedia.org/wiki/Linux_malware ([#17](https://github.com/timb-machine/linux-malware/issues/17)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide +* https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html ([#37](https://github.com/timb-machine/linux-malware/issues/37)) * https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf ([#24](https://github.com/timb-machine/linux-malware/issues/24)) - various SSH, Bonadan, Kessel, Chandrila -* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 ([#676](https://github.com/timb-machine/linux-malware/issues/676)) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer -* https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ ([#40](https://github.com/timb-machine/linux-malware/issues/40)) +* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 ([#422](https://github.com/timb-machine/linux-malware/issues/422)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris +* https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html ([#34](https://github.com/timb-machine/linux-malware/issues/34)) +* https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations ([#32](https://github.com/timb-machine/linux-malware/issues/32)) +* https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf ([#21](https://github.com/timb-machine/linux-malware/issues/21)) - WINNTI +* https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf ([#23](https://github.com/timb-machine/linux-malware/issues/23)) - various SSH, Bonadan, Kessel, Chandrila * https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 ([#26](https://github.com/timb-machine/linux-malware/issues/26)) -* https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf ([#417](https://github.com/timb-machine/linux-malware/issues/417)) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux +* https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives ([#41](https://github.com/timb-machine/linux-malware/issues/41)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 +* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 ([#676](https://github.com/timb-machine/linux-malware/issues/676)) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer * https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf ([#101](https://github.com/timb-machine/linux-malware/issues/101)) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, https://github.com/timb-machine/linux-malware/issues/546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, https://github.com/timb-machine/linux-malware/issues/545, https://github.com/timb-machine/linux-malware/issues/547, RedXOR, https://github.com/timb-machine/linux-malware/issues/548, ACBackdoor, https://github.com/timb-machine/linux-malware/issues/549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services -* https://en.wikipedia.org/wiki/Mirai_(malware) ([#18](https://github.com/timb-machine/linux-malware/issues/18)) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai -* https://reyammer.io/publications/2018_oakland_linuxmalware.pdf ([#28](https://github.com/timb-machine/linux-malware/issues/28)) * https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 ([#622](https://github.com/timb-machine/linux-malware/issues/622)) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux -* https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf ([#20](https://github.com/timb-machine/linux-malware/issues/20)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux +* https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ ([#35](https://github.com/timb-machine/linux-malware/issues/35)) +* https://rp.os3.nl/ ([#30](https://github.com/timb-machine/linux-malware/issues/30)) +* https://reyammer.io/publications/2018_oakland_linuxmalware.pdf ([#28](https://github.com/timb-machine/linux-malware/issues/28)) * https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ ([#638](https://github.com/timb-machine/linux-malware/issues/638)) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, https://github.com/timb-machine/linux-malware/issues/644, uses:CrossCompiled, LockBit, Linux, Internal specialist services +* https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ ([#33](https://github.com/timb-machine/linux-malware/issues/33)) +* https://wikileaks.org/vault7/ ([#31](https://github.com/timb-machine/linux-malware/issues/31)) +* https://en.wikipedia.org/wiki/Mirai_(malware) ([#18](https://github.com/timb-machine/linux-malware/issues/18)) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai * https://securelist.com/top-10-unattributed-apt-mysteries/107676/ ([#552](https://github.com/timb-machine/linux-malware/issues/552)) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms +* https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf ([#448](https://github.com/timb-machine/linux-malware/issues/448)) +* https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf ([#417](https://github.com/timb-machine/linux-malware/issues/417)) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux +* https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ ([#40](https://github.com/timb-machine/linux-malware/issues/40)) +* https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ ([#22](https://github.com/timb-machine/linux-malware/issues/22)) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak +* http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf ([#27](https://github.com/timb-machine/linux-malware/issues/27)) +* https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ ([#19](https://github.com/timb-machine/linux-malware/issues/19)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact * https://malpedia.caad.fkie.fraunhofer.de/ ([#29](https://github.com/timb-machine/linux-malware/issues/29)) -* https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives ([#41](https://github.com/timb-machine/linux-malware/issues/41)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 -* https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf ([#23](https://github.com/timb-machine/linux-malware/issues/23)) - various SSH, Bonadan, Kessel, Chandrila -* https://en.wikipedia.org/wiki/Linux_malware ([#17](https://github.com/timb-machine/linux-malware/issues/17)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide -* https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html ([#37](https://github.com/timb-machine/linux-malware/issues/37)) +* https://ieeexplore.ieee.org/document/8418602 ([#25](https://github.com/timb-machine/linux-malware/issues/25)) ## In the wild ### Breach reports +* https://www.freedownloadmanager.org/blog/?p=664 ([#765](https://github.com/timb-machine/linux-malware/issues/765)) - Initial Access, Credential Access, https://github.com/timb-machine/linux-malware/issues/766, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/816, wltm, Linux +* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ ([#766](https://github.com/timb-machine/linux-malware/issues/766)) - Initial Access, Credential Access, Collection, Command and Control, https://github.com/timb-machine/linux-malware/issues/765, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/816, attack:T1071.004:DNS, attack:T1105:Ingress Tool Transfer, attack:T1560.001:Archive via Utility, wltm, Linux +* https://twitter.com/1ZRR4H/status/1560662815400407040 ([#507](https://github.com/timb-machine/linux-malware/issues/507)) - Initial Access, Peer2Profit, Linux * https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ ([#446](https://github.com/timb-machine/linux-malware/issues/446)) - Initial Access, Linux * https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm ([#42](https://github.com/timb-machine/linux-malware/issues/42)) - GoDaddy -* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ ([#677](https://github.com/timb-machine/linux-malware/issues/677)) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services -* https://www.freedownloadmanager.org/blog/?p=664 ([#765](https://github.com/timb-machine/linux-malware/issues/765)) - Initial Access, Credential Access, https://github.com/timb-machine/linux-malware/issues/766, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/816, wltm, Linux * https://bitbucket.org/workspacespain/i-s00n-translated ([#799](https://github.com/timb-machine/linux-malware/issues/799)) - Persistence, uses:Leak, uses:Blocklisted, Reptile, APT41, Linux, AIX, Solaris, HP-UX -* https://twitter.com/1ZRR4H/status/1560662815400407040 ([#507](https://github.com/timb-machine/linux-malware/issues/507)) - Initial Access, Peer2Profit, Linux -* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ ([#766](https://github.com/timb-machine/linux-malware/issues/766)) - Initial Access, Credential Access, Collection, Command and Control, https://github.com/timb-machine/linux-malware/issues/765, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/816, attack:T1071.004:DNS, attack:T1105:Ingress Tool Transfer, attack:T1560.001:Archive via Utility, wltm, Linux +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ ([#677](https://github.com/timb-machine/linux-malware/issues/677)) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services ### Supply chain attacks +* https://lwn.net/Articles/371110/ ([#291](https://github.com/timb-machine/linux-malware/issues/291)) - e107 CMS +* https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ ([#45](https://github.com/timb-machine/linux-malware/issues/45)) - UnrealIRCd +* https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ ([#47](https://github.com/timb-machine/linux-malware/issues/47)) - PHPMyAdmin * http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html ([#292](https://github.com/timb-machine/linux-malware/issues/292)) - MyBB -* https://github.com/canonical-websites/snapcraft.io/issues/651 ([#296](https://github.com/timb-machine/linux-malware/issues/296)) - Snapcraft -* https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html ([#295](https://github.com/timb-machine/linux-malware/issues/295)) - OpenX -* https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb ([#293](https://github.com/timb-machine/linux-malware/issues/293)) - event-stream -* https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices ([#294](https://github.com/timb-machine/linux-malware/issues/294)) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm -* https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack ([#48](https://github.com/timb-machine/linux-malware/issues/48)) - PHP -* https://github.com/SecurityFail/kompromat ([#813](https://github.com/timb-machine/linux-malware/issues/813)) - Credential Access, attack:T1552.004:Private Keys, Linux, HP-UX, AIX, Solaris, Internal specialist services -* https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos ([#290](https://github.com/timb-machine/linux-malware/issues/290)) - Homebrew -* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ ([#816](https://github.com/timb-machine/linux-malware/issues/816)) - Initial Access, Persistence, Credential Access, Command and Control, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/765, https://github.com/timb-machine/linux-malware/issues/766, attack:T1053.003:Cron, attack:T1555.005:Password Managers, uses:Non-persistentStorage, wltm, Linux -* https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero ([#495](https://github.com/timb-machine/linux-malware/issues/495)) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux -* https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 ([#46](https://github.com/timb-machine/linux-malware/issues/46)) - Horde Webmail -* https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor ([#44](https://github.com/timb-machine/linux-malware/issues/44)) - ProFTPd -* https://news.ycombinator.com/item?id=17501379 ([#525](https://github.com/timb-machine/linux-malware/issues/525)) - Linux * https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ ([#543](https://github.com/timb-machine/linux-malware/issues/543)) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux -* https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html ([#523](https://github.com/timb-machine/linux-malware/issues/523)) - https://github.com/timb-machine/linux-malware/issues/525, wltm, Linux * https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html ([#49](https://github.com/timb-machine/linux-malware/issues/49)) - VsFTPd +* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ ([#816](https://github.com/timb-machine/linux-malware/issues/816)) - Initial Access, Persistence, Credential Access, Command and Control, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/765, https://github.com/timb-machine/linux-malware/issues/766, attack:T1053.003:Cron, attack:T1555.005:Password Managers, uses:Non-persistentStorage, wltm, Linux +* https://github.com/SecurityFail/kompromat ([#813](https://github.com/timb-machine/linux-malware/issues/813)) - Credential Access, attack:T1552.004:Private Keys, Linux, HP-UX, AIX, Solaris, Internal specialist services +* https://github.com/canonical-websites/snapcraft.io/issues/651 ([#296](https://github.com/timb-machine/linux-malware/issues/296)) - Snapcraft +* https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack ([#48](https://github.com/timb-machine/linux-malware/issues/48)) - PHP * https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ ([#787](https://github.com/timb-machine/linux-malware/issues/787)) - Initial Access, Discovery, Command and Control, delivery:NPM, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux +* https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html ([#523](https://github.com/timb-machine/linux-malware/issues/523)) - https://github.com/timb-machine/linux-malware/issues/525, wltm, Linux * https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ ([#289](https://github.com/timb-machine/linux-malware/issues/289)) - "Octopus Scanner" (Netbeans) attack -* https://lwn.net/Articles/371110/ ([#291](https://github.com/timb-machine/linux-malware/issues/291)) - e107 CMS +* https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor ([#44](https://github.com/timb-machine/linux-malware/issues/44)) - ProFTPd * https://www.webmin.com/exploit.html ([#43](https://github.com/timb-machine/linux-malware/issues/43)) - Webmin -* https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ ([#47](https://github.com/timb-machine/linux-malware/issues/47)) - PHPMyAdmin -* https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ ([#45](https://github.com/timb-machine/linux-malware/issues/45)) - UnrealIRCd +* https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html ([#295](https://github.com/timb-machine/linux-malware/issues/295)) - OpenX +* https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 ([#46](https://github.com/timb-machine/linux-malware/issues/46)) - Horde Webmail +* https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos ([#290](https://github.com/timb-machine/linux-malware/issues/290)) - Homebrew +* https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices ([#294](https://github.com/timb-machine/linux-malware/issues/294)) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm +* https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero ([#495](https://github.com/timb-machine/linux-malware/issues/495)) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux +* https://news.ycombinator.com/item?id=17501379 ([#525](https://github.com/timb-machine/linux-malware/issues/525)) - Linux +* https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb ([#293](https://github.com/timb-machine/linux-malware/issues/293)) - event-stream ### Malware reports -* https://zhuanlan.zhihu.com/p/348960748 ([#403](https://github.com/timb-machine/linux-malware/issues/403)) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel -* https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors ([#729](https://github.com/timb-machine/linux-malware/issues/729)) - Persistence, Command and Control, SEASPY, https://github.com/timb-machine/linux-malware/issues/730, SUBMARINE, https://github.com/timb-machine/linux-malware/issues/731, Linux -* https://blog.polyswarm.io/darkangels-linux-ransomware ([#666](https://github.com/timb-machine/linux-malware/issues/666)) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux -* https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ ([#344](https://github.com/timb-machine/linux-malware/issues/344)) - NGrok -* https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ ([#526](https://github.com/timb-machine/linux-malware/issues/526)) - Metador, wltm, Linux -* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks ([#8](https://github.com/timb-machine/linux-malware/issues/8)) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment -* https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ ([#314](https://github.com/timb-machine/linux-malware/issues/314)) - Gafgyt -* https://twitter.com/CraigHRowland/status/1422267857988063232 ([#354](https://github.com/timb-machine/linux-malware/issues/354)) - ITTS -* https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html ([#698](https://github.com/timb-machine/linux-malware/issues/698)) - Impact, BlackSuit, Linux -* https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html ([#563](https://github.com/timb-machine/linux-malware/issues/563)) - Command and Control, uses:Go, Alchemist, [/malware/binaries/Alchimist](../../tree/main/malware/binaries/Alchimist), https://github.com/timb-machine/linux-malware/issues/564, Sysrv?, Linux -* https://cert.gov.ua/article/4501891 ([#651](https://github.com/timb-machine/linux-malware/issues/651)) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial -* https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ ([#307](https://github.com/timb-machine/linux-malware/issues/307)) - QNAPCrypt, eCh0raix -* https://imgur.com/a/a6RaZMP ([#87](https://github.com/timb-machine/linux-malware/issues/87)) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org) -* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf ([#345](https://github.com/timb-machine/linux-malware/issues/345)) - WellMail (APT29) -* https://imgur.com/a/Ak9zICq ([#367](https://github.com/timb-machine/linux-malware/issues/367)) - Neko (by malwaremustdie.org) -* https://twitter.com/billyleonard/status/1458531997576572929 ([#480](https://github.com/timb-machine/linux-malware/issues/480)) - Rekoobe, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux -* https://imgur.com/a/qqgfFXf ([#60](https://github.com/timb-machine/linux-malware/issues/60)) - Mirai (by malwaremustdie.org) -* https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ ([#297](https://github.com/timb-machine/linux-malware/issues/297)) - FreakOut -* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html ([#397](https://github.com/timb-machine/linux-malware/issues/397)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon -* https://threatfabric.com/blogs/vultur-v-for-vnc.html ([#379](https://github.com/timb-machine/linux-malware/issues/379)) - Vultur, Brunhilda, #Android -* https://www.cadosecurity.com/redis-p2pinfect/ ([#741](https://github.com/timb-machine/linux-malware/issues/741)) - Initial Access, Linux -* https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability ([#337](https://github.com/timb-machine/linux-malware/issues/337)) - Impact, Persistence, Impact, KinSing -* https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ ([#402](https://github.com/timb-machine/linux-malware/issues/402)) - Cloud Shovel -* https://twitter.com/billyleonard/status/1417910729005490177 ([#69](https://github.com/timb-machine/linux-malware/issues/69)) - https://github.com/timb-machine/linux-malware/issues/329, https://github.com/timb-machine/linux-malware/issues/131, Zirconium, APT31 -* https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ ([#325](https://github.com/timb-machine/linux-malware/issues/325)) - RedXOR -* https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ ([#56](https://github.com/timb-machine/linux-malware/issues/56)) - LemonDuck -* https://securelist.com/the-penquin-turla-2/67962/ ([#593](https://github.com/timb-machine/linux-malware/issues/593)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux -* https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ ([#376](https://github.com/timb-machine/linux-malware/issues/376)) - HPC -* https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ ([#395](https://github.com/timb-machine/linux-malware/issues/395)) - uses:Go, Chaos (sebd), [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos) -* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf ([#625](https://github.com/timb-machine/linux-malware/issues/625)) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux -* https://sansec.io/research/ecommerce-malware-linux-avp ([#396](https://github.com/timb-machine/linux-malware/issues/396)) - linux_avp, Comma -* https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ ([#348](https://github.com/timb-machine/linux-malware/issues/348)) - Rakos -* https://twitter.com/tolisec/status/1507854421618839564 ([#116](https://github.com/timb-machine/linux-malware/issues/116)) - Impact, KinSing -* https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#496](https://github.com/timb-machine/linux-malware/issues/496)) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services -* https://blog.exatrack.com/melofee/ ([#620](https://github.com/timb-machine/linux-malware/issues/620)) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux -* https://news.drweb.com/show/?i=14646&lng=en&c=23 ([#602](https://github.com/timb-machine/linux-malware/issues/602)) - Initial Access, Command and Control, WordPressExploit, Linux -* https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html ([#55](https://github.com/timb-machine/linux-malware/issues/55)) - CoinMiner -* https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ ([#350](https://github.com/timb-machine/linux-malware/issues/350)) - Stantinkos -* https://twitter.com/malwaremustd1e/status/1379028201075187716 ([#365](https://github.com/timb-machine/linux-malware/issues/365)) - DGAbot (by malwaremustdie.org) -* https://x.com/haxrob/status/1762821513680732222 ([#810](https://github.com/timb-machine/linux-malware/issues/810)) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1572:Protocol Tunneling, GTPDOOR, wltm, Linux, Telecomms, Internal specialist services -* https://blog.xlab.qianxin.com/mirai-tbot-en/ ([#788](https://github.com/timb-machine/linux-malware/issues/788)) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or Information, Mirai, TBOT, Linux, IOT -* https://twitter.com/sethkinghi/status/1397814848549900288 ([#717](https://github.com/timb-machine/linux-malware/issues/717)) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT -* https://asec.ahnlab.com/en/50316/ ([#621](https://github.com/timb-machine/linux-malware/issues/621)) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux -* https://imgur.com/a/2zRCt ([#318](https://github.com/timb-machine/linux-malware/issues/318)) - Gafgyt (by malwaremustdie.org) -* https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html ([#59](https://github.com/timb-machine/linux-malware/issues/59)) - Mirai (by malwaremustdie.org) -* https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html ([#58](https://github.com/timb-machine/linux-malware/issues/58)) - Mirai (by malwaremustdie.org) -* https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ ([#753](https://github.com/timb-machine/linux-malware/issues/753)) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware -* https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html ([#501](https://github.com/timb-machine/linux-malware/issues/501)) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing -* https://twitter.com/timb_machine/status/1450595881732947968 ([#66](https://github.com/timb-machine/linux-malware/issues/66)) - https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945, Solaris -* https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ ([#601](https://github.com/timb-machine/linux-malware/issues/601)) - Persistence, Privilege Escalation, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux -* https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 ([#118](https://github.com/timb-machine/linux-malware/issues/118)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 -* https://cybersecurity.att.com/blogs/labs-research/internet-of-termites ([#517](https://github.com/timb-machine/linux-malware/issues/517)) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux -* https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf ([#407](https://github.com/timb-machine/linux-malware/issues/407)) - Impact, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services -* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF ([#67](https://github.com/timb-machine/linux-malware/issues/67)) - Drovorub -* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html ([#789](https://github.com/timb-machine/linux-malware/issues/789)) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, https://github.com/timb-machine/linux-malware/issues/170, Earth Lusca, Linux -* https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html ([#490](https://github.com/timb-machine/linux-malware/issues/490)) - uses:Go, Manjusaka, Linux -* https://pastebin.com/raw/mEape37E ([#355](https://github.com/timb-machine/linux-malware/issues/355)) - SystemTen (by malwaremustdie.org) -* https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ ([#700](https://github.com/timb-machine/linux-malware/issues/700)) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, https://github.com/timb-machine/linux-malware/issues/171, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, ZiggyStarTux, https://github.com/timb-machine/linux-malware/issues/701, Linux, IOT, Consumer -* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game ([#658](https://github.com/timb-machine/linux-malware/issues/658)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Linux -* https://twitter.com/ESETresearch/status/1415542456360263682 ([#368](https://github.com/timb-machine/linux-malware/issues/368)) - ?, #FreeBSD -* https://www.akamai.com/blog/security/new-p2p-botnet-panchan ([#476](https://github.com/timb-machine/linux-malware/issues/476)) - Pan-chan, https://github.com/timb-machine/linux-malware/issues/477, Linux -* https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign ([#727](https://github.com/timb-machine/linux-malware/issues/727)) - Initial Access, Command and Control, Impact, XMRig, Linux -* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ ([#716](https://github.com/timb-machine/linux-malware/issues/716)) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, https://github.com/timb-machine/linux-malware/issues/717, Linux, IOT -* https://twitter.com/malwaremustd1e/status/1251758225919115264 ([#361](https://github.com/timb-machine/linux-malware/issues/361)) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux -* https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ ([#548](https://github.com/timb-machine/linux-malware/issues/548)) - Command and Control, Exfiltration, https://github.com/timb-machine/linux-malware/issues/325, RedXOR, Linux -* https://imgur.com/a/y5BRx ([#86](https://github.com/timb-machine/linux-malware/issues/86)) - r57shell (by malwaremustdie.org) -* https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf ([#613](https://github.com/timb-machine/linux-malware/issues/613)) -* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf ([#99](https://github.com/timb-machine/linux-malware/issues/99)) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD -* https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d ([#616](https://github.com/timb-machine/linux-malware/issues/616)) - Command and Control, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481 -* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group ([#790](https://github.com/timb-machine/linux-malware/issues/790)) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux -* https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits ([#392](https://github.com/timb-machine/linux-malware/issues/392)) - Botenago -* https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers ([#382](https://github.com/timb-machine/linux-malware/issues/382)) - Mayhem -* https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ ([#303](https://github.com/timb-machine/linux-malware/issues/303)) - DarkRadiation -* https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ ([#339](https://github.com/timb-machine/linux-malware/issues/339)) - Kaiji -* https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection ([#644](https://github.com/timb-machine/linux-malware/issues/644)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, [/malware/binaries/Multios.Ransomware.Lockbit](../../tree/main/malware/binaries/Multios.Ransomware.Lockbit), Linux -* https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ ([#444](https://github.com/timb-machine/linux-malware/issues/444)) - EnemyBot, Linux -* https://sansec.io/research/cronrat ([#399](https://github.com/timb-machine/linux-malware/issues/399)) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux -* https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ ([#401](https://github.com/timb-machine/linux-malware/issues/401)) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/530, lib__mdma -* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ ([#770](https://github.com/timb-machine/linux-malware/issues/770)) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services -* https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ ([#656](https://github.com/timb-machine/linux-malware/issues/656)) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services -* https://twitter.com/IntezerLabs/status/1291355808811409408 ([#346](https://github.com/timb-machine/linux-malware/issues/346)) - Carbanak -* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ ([#678](https://github.com/timb-machine/linux-malware/issues/678)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services -* https://cujo.com/threat-alert-krane-malware/ ([#391](https://github.com/timb-machine/linux-malware/issues/391)) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm -* https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ ([#311](https://github.com/timb-machine/linux-malware/issues/311)) - HelloKitty -* https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ ([#91](https://github.com/timb-machine/linux-malware/issues/91)) - Muhstik -* https://twitter.com/malwaremustd1e/status/1265321238383099904 ([#317](https://github.com/timb-machine/linux-malware/issues/317)) - Gafgyt (by malwaremustdie.org) -* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 ([#612](https://github.com/timb-machine/linux-malware/issues/612)) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions -* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ ([#90](https://github.com/timb-machine/linux-malware/issues/90)) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm -* https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ ([#371](https://github.com/timb-machine/linux-malware/issues/371)) - Ebury -* https://haxrob.net/fastcash-for-linux/ ([#815](https://github.com/timb-machine/linux-malware/issues/815)) - Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, attack:T1027.002:Software Packing, uses:Non-persistentStorage, attack:T1027.013:Encrypted/Encoded File, FastCash, https://github.com/timb-machine/linux-malware/issues/407, https://github.com/timb-machine/linux-malware/issues/312, https://github.com/timb-machine/linux-malware/issues/135, wltm, Linux, Banking, Internal specialist services -* https://imgur.com/a/CtHlmBE ([#82](https://github.com/timb-machine/linux-malware/issues/82)) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux -* https://vms.drweb.com/virus/?i=21004786 ([#433](https://github.com/timb-machine/linux-malware/issues/433)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux -* https://asec.ahnlab.com/ko/55070/ ([#709](https://github.com/timb-machine/linux-malware/issues/709)) - Command and Control, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris -* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 ([#702](https://github.com/timb-machine/linux-malware/issues/702)) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT * https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery ([#488](https://github.com/timb-machine/linux-malware/issues/488)) - Initial Access, Lateral Movement, Impact, RapperBot, [/malware/binaries/RapperBot](../../tree/main/malware/binaries/RapperBot), Linux -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ ([#643](https://github.com/timb-machine/linux-malware/issues/643)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, Linux, Solaris -* https://twitter.com/ESETresearch/status/1454100591261667329?s=20 ([#390](https://github.com/timb-machine/linux-malware/issues/390)) - Hive -* https://www.varonis.com/blog/alphv-blackcat-ransomware ([#109](https://github.com/timb-machine/linux-malware/issues/109)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 -* http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf ([#349](https://github.com/timb-machine/linux-malware/issues/349)) - Moose -* http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm ([#113](https://github.com/timb-machine/linux-malware/issues/113)) - NOPEN -* https://imgur.com/a/DWKK5 ([#84](https://github.com/timb-machine/linux-malware/issues/84)) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux -* https://github.com/akamai/akamai-security-research/tree/main/malware/panchan ([#477](https://github.com/timb-machine/linux-malware/issues/477)) - Pan-chan, [/malware/binaries/pan-chan](../../tree/main/malware/binaries/pan-chan), Linux -* https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt ([#320](https://github.com/timb-machine/linux-malware/issues/320)) - Gafgyt -* https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ ([#98](https://github.com/timb-machine/linux-malware/issues/98)) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm -* https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 ([#106](https://github.com/timb-machine/linux-malware/issues/106)) - Specter, SideWalk, StageClient, wltm -* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered ([#693](https://github.com/timb-machine/linux-malware/issues/693)) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux -* https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ ([#360](https://github.com/timb-machine/linux-malware/issues/360)) - Rhombus (by malwaremustdie.org) * https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ ([#565](https://github.com/timb-machine/linux-malware/issues/565)) - Initial Access, Lateral Movement, Impact, https://github.com/timb-machine/linux-malware/issues/566, Sysrv, wltm, Linux, Internal enterprise services -* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads ([#723](https://github.com/timb-machine/linux-malware/issues/723)) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux -* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ ([#516](https://github.com/timb-machine/linux-malware/issues/516)) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux -* https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ ([#372](https://github.com/timb-machine/linux-malware/issues/372)) - Kessel +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 ([#803](https://github.com/timb-machine/linux-malware/issues/803)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), wltm, Linux +* https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits ([#392](https://github.com/timb-machine/linux-malware/issues/392)) - Botenago +* https://twitter.com/_larry0/status/1143532888538984448 ([#51](https://github.com/timb-machine/linux-malware/issues/51)) - Silex +* https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ ([#404](https://github.com/timb-machine/linux-malware/issues/404)) - Hildegard, TeamTNT +* http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf ([#349](https://github.com/timb-machine/linux-malware/issues/349)) - Moose +* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ ([#373](https://github.com/timb-machine/linux-malware/issues/373)) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux +* https://twitter.com/IntezerLabs/status/1272915284148531200 ([#341](https://github.com/timb-machine/linux-malware/issues/341)) - Lazarus +* https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ ([#120](https://github.com/timb-machine/linux-malware/issues/120)) - CAKETAP, UNC2891, Solaris +* https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ ([#700](https://github.com/timb-machine/linux-malware/issues/700)) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, https://github.com/timb-machine/linux-malware/issues/171, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, ZiggyStarTux, https://github.com/timb-machine/linux-malware/issues/701, Linux, IOT, Consumer +* https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ ([#91](https://github.com/timb-machine/linux-malware/issues/91)) - Muhstik +* https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ([#107](https://github.com/timb-machine/linux-malware/issues/107)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 +* https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html ([#102](https://github.com/timb-machine/linux-malware/issues/102)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services +* https://www.cisa.gov/news-events/analysis-reports/ar23-209a ([#731](https://github.com/timb-machine/linux-malware/issues/731)) - Persistence, https://github.com/timb-machine/linux-malware/issues/729, SUBMARINE, wltm, Linux * https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ ([#351](https://github.com/timb-machine/linux-malware/issues/351)) - PGMiner +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ ([#468](https://github.com/timb-machine/linux-malware/issues/468)) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux +* https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ ([#549](https://github.com/timb-machine/linux-malware/issues/549)) - ACBackdoor, wltm, Linux +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html ([#397](https://github.com/timb-machine/linux-malware/issues/397)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon +* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game ([#658](https://github.com/timb-machine/linux-malware/issues/658)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Linux +* https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp ([#588](https://github.com/timb-machine/linux-malware/issues/588)) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux * https://pastebin.com/iKyaqLTd ([#88](https://github.com/timb-machine/linux-malware/issues/88)) - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org) -* https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials ([#50](https://github.com/timb-machine/linux-malware/issues/50)) - TeamTNT -* https://s.tencent.com/research/report/1177.html ([#384](https://github.com/timb-machine/linux-malware/issues/384)) -* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ ([#459](https://github.com/timb-machine/linux-malware/issues/459)) - Persistence, Defense Evasion, Linux -* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware ([#814](https://github.com/timb-machine/linux-malware/issues/814)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:Non-persistentStorage, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, attack:T1037.004:RC Scripts, attack:T1098.004: SSH Authorized Keys, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/724, Linux -* https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html ([#637](https://github.com/timb-machine/linux-malware/issues/637)) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services -* http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc ([#386](https://github.com/timb-machine/linux-malware/issues/386)) - sc (similar code to luckscan) -* https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html ([#57](https://github.com/timb-machine/linux-malware/issues/57)) - Mirai (by malwaremustdie.org) -* https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ ([#105](https://github.com/timb-machine/linux-malware/issues/105)) - Specter, SideWalk, StageClient -* https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ ([#479](https://github.com/timb-machine/linux-malware/issues/479)) - Rekoobe, APT31, Linux -* https://blog.talosintelligence.com/2018/06/vpnfilter-update.html ([#54](https://github.com/timb-machine/linux-malware/issues/54)) - VPNFilter -* https://twitter.com/malwaremustd1e/status/1380637310346096641 ([#364](https://github.com/timb-machine/linux-malware/issues/364)) - Ngioweb (by malwaremustdie.org) -* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ ([#471](https://github.com/timb-machine/linux-malware/issues/471)) - HiddenWasp, Linux -* https://asec.ahnlab.com/en/49769/ ([#624](https://github.com/timb-machine/linux-malware/issues/624)) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer -* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf ([#312](https://github.com/timb-machine/linux-malware/issues/312)) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, https://github.com/timb-machine/linux-malware/issues/815, https://github.com/timb-machine/linux-malware/issues/407, Hidden Cobra, AIX, Banking -* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ ([#319](https://github.com/timb-machine/linux-malware/issues/319)) - Gafgyt -* https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ ([#327](https://github.com/timb-machine/linux-malware/issues/327)) - TeamTNT, Mimipenguin -* https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d ([#508](https://github.com/timb-machine/linux-malware/issues/508)) - Peer2Profit, Linux -* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html ([#725](https://github.com/timb-machine/linux-malware/issues/725)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris -* https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ ([#92](https://github.com/timb-machine/linux-malware/issues/92)) -* https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html ([#102](https://github.com/timb-machine/linux-malware/issues/102)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services -* https://imgur.com/a/53f29O9 ([#61](https://github.com/timb-machine/linux-malware/issues/61)) - Mirai (by malwaremustdie.org) -* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux ([#510](https://github.com/timb-machine/linux-malware/issues/510)) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), Linux -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ ([#439](https://github.com/timb-machine/linux-malware/issues/439)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, https://github.com/timb-machine/linux-malware/issues/129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux -* https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf ([#641](https://github.com/timb-machine/linux-malware/issues/641)) - FontOnLake, Linux -* https://sansec.io/research/nginrat ([#94](https://github.com/timb-machine/linux-malware/issues/94)) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm -* https://imgur.com/a/LpTN7 ([#85](https://github.com/timb-machine/linux-malware/issues/85)) - Elknot (by malwaremustdie.org) -* https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ ([#324](https://github.com/timb-machine/linux-malware/issues/324)) - WatchDog -* https://unit42.paloaltonetworks.com/blackcat-ransomware/ ([#108](https://github.com/timb-machine/linux-malware/issues/108)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 -* https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ ([#503](https://github.com/timb-machine/linux-malware/issues/503)) -* https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ ([#714](https://github.com/timb-machine/linux-malware/issues/714)) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT -* https://blog.polyswarm.io/deadbolt-ransomware ([#577](https://github.com/timb-machine/linux-malware/issues/577)) - Impact, Deadbolt, Linux, Consumer -* https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ ([#680](https://github.com/timb-machine/linux-malware/issues/680)) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services -* https://imgur.com/a/N3BgY ([#73](https://github.com/timb-machine/linux-malware/issues/73)) - ChinaZ, GoARM (by malwaremustdie.org) -* https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ ([#114](https://github.com/timb-machine/linux-malware/issues/114)) - HabitsRAT -* https://twitter.com/malwaremustd1e/status/1235595880041873408 ([#358](https://github.com/timb-machine/linux-malware/issues/358)) - Hajimi (by malwaremustdie.org) -* https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ ([#308](https://github.com/timb-machine/linux-malware/issues/308)) - KillDisk * https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis ([#393](https://github.com/timb-machine/linux-malware/issues/393)) - Conti -* https://sysdig.com/blog/ssh-snake/ ([#801](https://github.com/timb-machine/linux-malware/issues/801)) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services -* https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces ([#115](https://github.com/timb-machine/linux-malware/issues/115)) - Impact, KinSing -* https://imgur.com/a/57uOiTu ([#80](https://github.com/timb-machine/linux-malware/issues/80)) - DDoSMan (by malwaremustdie.org) -* https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ ([#72](https://github.com/timb-machine/linux-malware/issues/72)) - DDoSTF (by malwaremustdie.org) * https://twitter.com/IntezerLabs/status/1326880812344676352 ([#330](https://github.com/timb-machine/linux-malware/issues/330)) - AgeLocker -* https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ ([#655](https://github.com/timb-machine/linux-malware/issues/655)) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux -* https://twitter.com/malwaremustd1e/status/1264417940742389762 ([#316](https://github.com/timb-machine/linux-malware/issues/316)) - Gafgyt (by malwaremustdie.org) -* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ ([#724](https://github.com/timb-machine/linux-malware/issues/724)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/814, Linux -* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ ([#524](https://github.com/timb-machine/linux-malware/issues/524)) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux -* https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github ([#97](https://github.com/timb-machine/linux-malware/issues/97)) - Botenago +* https://twitter.com/malwrhunterteam/status/1559636227485319168 ([#500](https://github.com/timb-machine/linux-malware/issues/500)) - Impact, REvil, wltm, Linux +* https://twitter.com/malwaremustd1e/status/1380637310346096641 ([#364](https://github.com/timb-machine/linux-malware/issues/364)) - Ngioweb (by malwaremustdie.org) +* https://twitter.com/malwrhunterteam/status/1467264298237972484 ([#406](https://github.com/timb-machine/linux-malware/issues/406)) - Cerber +* https://asec.ahnlab.com/en/55229/ ([#722](https://github.com/timb-machine/linux-malware/issues/722)) - Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris +* https://sansec.io/research/ecommerce-malware-linux-avp ([#396](https://github.com/timb-machine/linux-malware/issues/396)) - linux_avp, Comma +* https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ([#636](https://github.com/timb-machine/linux-malware/issues/636)) - Initial Access, Linux +* https://twitter.com/sethkinghi/status/1397814848549900288 ([#717](https://github.com/timb-machine/linux-malware/issues/717)) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT +* https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ ([#92](https://github.com/timb-machine/linux-malware/issues/92)) +* https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ ([#526](https://github.com/timb-machine/linux-malware/issues/526)) - Metador, wltm, Linux * https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ ([#95](https://github.com/timb-machine/linux-malware/issues/95)) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux -* https://blogs.jpcert.or.jp/en/2023/05/gobrat.html ([#682](https://github.com/timb-machine/linux-malware/issues/682)) - Command and Control, uses:Go, GobRAT, Linux, Telecomms -* https://twitter.com/IntezerLabs/status/1288487307369222145 ([#331](https://github.com/timb-machine/linux-malware/issues/331)) - TrickBot -* https://asec.ahnlab.com/en/55785/ ([#733](https://github.com/timb-machine/linux-malware/issues/733)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux -* https://twitter.com/captainGeech42/status/1657121312425365524 ([#661](https://github.com/timb-machine/linux-malware/issues/661)) - Persistence, Defense Evasion, SystemBC, https://github.com/timb-machine/linux-malware/issues/662, Linux +* https://imp0rtp3.wordpress.com/2021/11/25/sowat/ ([#400](https://github.com/timb-machine/linux-malware/issues/400)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/140, https://github.com/timb-machine/linux-malware/issues/131, SoWaT, APT31, Zirconium +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#447](https://github.com/timb-machine/linux-malware/issues/447)) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus +* https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites ([#598](https://github.com/timb-machine/linux-malware/issues/598)) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services +* https://imgur.com/a/DWKK5 ([#84](https://github.com/timb-machine/linux-malware/issues/84)) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux +* https://www.lab539.com/blog/linux-malware-detection-with-limacharlie ([#728](https://github.com/timb-machine/linux-malware/issues/728)) - Reconnaissance, Initial Access, Execution, Persistence, Linux +* https://twitter.com/jhencinski/status/1451592508157345793 ([#387](https://github.com/timb-machine/linux-malware/issues/387)) - Impact, XMRig +* https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html ([#501](https://github.com/timb-machine/linux-malware/issues/501)) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing +* https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development ([#505](https://github.com/timb-machine/linux-malware/issues/505)) - Impact, DarkAngels, wltm, Linux +* https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces ([#115](https://github.com/timb-machine/linux-malware/issues/115)) - Impact, KinSing +* https://twitter.com/ESETresearch/status/1410864752948043778 ([#104](https://github.com/timb-machine/linux-malware/issues/104)) - Specter, SideWalk, StageClient +* https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#580](https://github.com/timb-machine/linux-malware/issues/580)) - Command and Control, Torii, Linux +* https://threatfabric.com/blogs/vultur-v-for-vnc.html ([#379](https://github.com/timb-machine/linux-malware/issues/379)) - Vultur, Brunhilda, #Android +* https://imgur.com/a/LpTN7 ([#85](https://github.com/timb-machine/linux-malware/issues/85)) - Elknot (by malwaremustdie.org) +* https://sysdig.com/blog/cloud-defense-in-depth/ ([#713](https://github.com/timb-machine/linux-malware/issues/713)) - Initial Access, Lateral Movement, KinSing, Linux +* https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html ([#59](https://github.com/timb-machine/linux-malware/issues/59)) - Mirai (by malwaremustdie.org) +* https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ([#110](https://github.com/timb-machine/linux-malware/issues/110)) - b1txor20 +* https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf ([#333](https://github.com/timb-machine/linux-malware/issues/333)) - Cloud Snooper +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ ([#432](https://github.com/timb-machine/linux-malware/issues/432)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors ([#305](https://github.com/timb-machine/linux-malware/issues/305)) - Tycoon * https://cujo.com/iot-malware-journals-prometei-linux/ ([#300](https://github.com/timb-machine/linux-malware/issues/300)) - Promotei -* https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version ([#309](https://github.com/timb-machine/linux-malware/issues/309)) - REvil -* https://twitter.com/_larry0/status/1143532888538984448 ([#51](https://github.com/timb-machine/linux-malware/issues/51)) - Silex -* https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ ([#679](https://github.com/timb-machine/linux-malware/issues/679)) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services -* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ ([#618](https://github.com/timb-machine/linux-malware/issues/618)) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux -* https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#758](https://github.com/timb-machine/linux-malware/issues/758)) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware +* https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ ([#503](https://github.com/timb-machine/linux-malware/issues/503)) +* https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf ([#493](https://github.com/timb-machine/linux-malware/issues/493)) - Persistence, Command and Control, uses:Go, IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm), Linux +* https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ ([#325](https://github.com/timb-machine/linux-malware/issues/325)) - RedXOR +* https://blog.talosintelligence.com/2018/06/vpnfilter-update.html ([#54](https://github.com/timb-machine/linux-malware/issues/54)) - VPNFilter +* https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ ([#566](https://github.com/timb-machine/linux-malware/issues/566)) - Impact, XMRig, Sysrv, wltm, Linux +* https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ ([#369](https://github.com/timb-machine/linux-malware/issues/369)) - Kobalos, #linux, #bsd, #solaris, #aix +* https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ ([#68](https://github.com/timb-machine/linux-malware/issues/68)) - Mumblehard +* https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ ([#479](https://github.com/timb-machine/linux-malware/issues/479)) - Rekoobe, APT31, Linux +* https://asec.ahnlab.com/en/55785/ ([#733](https://github.com/timb-machine/linux-malware/issues/733)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux +* https://blog.polyswarm.io/darkangels-linux-ransomware ([#666](https://github.com/timb-machine/linux-malware/issues/666)) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf ([#312](https://github.com/timb-machine/linux-malware/issues/312)) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, https://github.com/timb-machine/linux-malware/issues/815, https://github.com/timb-machine/linux-malware/issues/407, Hidden Cobra, AIX, Banking +* https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 ([#362](https://github.com/timb-machine/linux-malware/issues/362)) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines ([#527](https://github.com/timb-machine/linux-malware/issues/527)) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, https://github.com/timb-machine/linux-malware/issues/510, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), XMRig, Linux +* https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ ([#313](https://github.com/timb-machine/linux-malware/issues/313)) - FritzFrog +* https://ultimacybr.co.uk/2023-10-04-Sysrv/ ([#767](https://github.com/timb-machine/linux-malware/issues/767)) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux +* https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ ([#395](https://github.com/timb-machine/linux-malware/issues/395)) - uses:Go, Chaos (sebd), [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos) +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ ([#817](https://github.com/timb-machine/linux-malware/issues/817)) - Resource Development, Persistence, Defense Evasion, attack:T1542.003:Bootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1587.00:Malware, attack:T1587.002Code Signing Certificates, attack:T1106:Native API, attack:T1129:Shared Modules, attack:T1574.006:Dynamic Linker, attack:T1542.003, attack:T1014:Rootkit, attack:T1562:Impair Defenses, attack:T1564:Hide Artifacts, Bootkitty, BCDropper, BCObserver, Linux, Consumer, Internal enterprise services, Enterprise with satellite facilities, Enterprise with contracted services and/or non-employee access +* https://igor-blue.github.io/2021/03/24/apt1.html ([#302](https://github.com/timb-machine/linux-malware/issues/302)) +* https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware ([#639](https://github.com/timb-machine/linux-malware/issues/639)) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux ([#510](https://github.com/timb-machine/linux-malware/issues/510)) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), Linux * https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ ([#381](https://github.com/timb-machine/linux-malware/issues/381)) - FontOnLake +* https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ ([#303](https://github.com/timb-machine/linux-malware/issues/303)) - DarkRadiation +* https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ ([#378](https://github.com/timb-machine/linux-malware/issues/378)) - #cobaltstrike, VermilionStrike +* https://twitter.com/cyb3rops/status/1523227511551033349 ([#425](https://github.com/timb-machine/linux-malware/issues/425)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux +* https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ ([#402](https://github.com/timb-machine/linux-malware/issues/402)) - Cloud Shovel +* https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials ([#50](https://github.com/timb-machine/linux-malware/issues/50)) - TeamTNT * http://www.thedarkside.nl/honeypot/microbul.html ([#388](https://github.com/timb-machine/linux-malware/issues/388)) +* https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d ([#508](https://github.com/timb-machine/linux-malware/issues/508)) - Peer2Profit, Linux +* https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ ([#299](https://github.com/timb-machine/linux-malware/issues/299)) - IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm) +* https://vms.drweb.com/virus/?i=15389228 ([#326](https://github.com/timb-machine/linux-malware/issues/326)) - ? +* https://zhuanlan.zhihu.com/p/348960748 ([#403](https://github.com/timb-machine/linux-malware/issues/403)) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel +* https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ ([#410](https://github.com/timb-machine/linux-malware/issues/410)) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing +* https://twitter.com/CraigHRowland/status/1422267857988063232 ([#354](https://github.com/timb-machine/linux-malware/issues/354)) - ITTS +* https://imgur.com/a/CtHlmBE ([#82](https://github.com/timb-machine/linux-malware/issues/82)) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux +* https://imgur.com/a/Ak9zICq ([#367](https://github.com/timb-machine/linux-malware/issues/367)) - Neko (by malwaremustdie.org) +* https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html ([#332](https://github.com/timb-machine/linux-malware/issues/332)) - NOTROBIN +* https://imgur.com/a/qqgfFXf ([#60](https://github.com/timb-machine/linux-malware/issues/60)) - Mirai (by malwaremustdie.org) +* https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 ([#118](https://github.com/timb-machine/linux-malware/issues/118)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 +* https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html ([#614](https://github.com/timb-machine/linux-malware/issues/614)) - Command and Control, Persistence, SysUpdate, IronTiger +* https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ ([#680](https://github.com/timb-machine/linux-malware/issues/680)) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services +* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html ([#789](https://github.com/timb-machine/linux-malware/issues/789)) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, https://github.com/timb-machine/linux-malware/issues/170, Earth Lusca, Linux +* https://twitter.com/malwrhunterteam/status/1415403132230803460 ([#310](https://github.com/timb-machine/linux-malware/issues/310)) - HelloKitty +* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf ([#625](https://github.com/timb-machine/linux-malware/issues/625)) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux +* https://cert.gov.ua/article/4501891 ([#651](https://github.com/timb-machine/linux-malware/issues/651)) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial +* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ ([#750](https://github.com/timb-machine/linux-malware/issues/750)) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux +* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html ([#725](https://github.com/timb-machine/linux-malware/issues/725)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris +* https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ ([#52](https://github.com/timb-machine/linux-malware/issues/52)) - GodLua +* https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github ([#97](https://github.com/timb-machine/linux-malware/issues/97)) - Botenago +* https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ ([#640](https://github.com/timb-machine/linux-malware/issues/640)) - Initial Access, Command and Control, Impact, Sysrv, Linux +* https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf ([#641](https://github.com/timb-machine/linux-malware/issues/641)) - FontOnLake, Linux +* https://twitter.com/malwaremustd1e/status/1264417940742389762 ([#316](https://github.com/timb-machine/linux-malware/issues/316)) - Gafgyt (by malwaremustdie.org) +* https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ ([#342](https://github.com/timb-machine/linux-malware/issues/342)) - Doki +* https://sansec.io/research/nginrat ([#94](https://github.com/timb-machine/linux-malware/issues/94)) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm +* https://s.tencent.com/research/report/1177.html ([#384](https://github.com/timb-machine/linux-malware/issues/384)) +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf ([#427](https://github.com/timb-machine/linux-malware/issues/427)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris +* https://vms.drweb.com/virus/?i=21004786 ([#433](https://github.com/timb-machine/linux-malware/issues/433)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf ([#345](https://github.com/timb-machine/linux-malware/issues/345)) - WellMail (APT29) +* https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ ([#753](https://github.com/timb-machine/linux-malware/issues/753)) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware +* https://pastebin.com/Z3sXqDCA ([#89](https://github.com/timb-machine/linux-malware/issues/89)) - Mozi (by malwaremustdie.org) +* https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ ([#323](https://github.com/timb-machine/linux-malware/issues/323)) - EvilGnome +* https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ ([#350](https://github.com/timb-machine/linux-malware/issues/350)) - Stantinkos +* https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ ([#308](https://github.com/timb-machine/linux-malware/issues/308)) - KillDisk +* https://unit42.paloaltonetworks.com/alloy-taurus/ ([#646](https://github.com/timb-machine/linux-malware/issues/646)) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux +* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ ([#452](https://github.com/timb-machine/linux-malware/issues/452)) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, https://github.com/timb-machine/linux-malware/issues/460, Symbiote, Linux +* https://atdotde.blogspot.com/2020/05/high-performance-hackers.html ([#377](https://github.com/timb-machine/linux-malware/issues/377)) - HPC * https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html ([#63](https://github.com/timb-machine/linux-malware/issues/63)) - https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, LightBasin, UNC1945, Solaris -* https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html ([#721](https://github.com/timb-machine/linux-malware/issues/721)) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux -* https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp ([#588](https://github.com/timb-machine/linux-malware/issues/588)) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux -* https://www.signalblur.io/through-the-looking-glass ([#756](https://github.com/timb-machine/linux-malware/issues/756)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services -* https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor ([#547](https://github.com/timb-machine/linux-malware/issues/547)) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux -* https://imgur.com/a/lAQ1tMQ ([#78](https://github.com/timb-machine/linux-malware/issues/78)) - HelloBot (by malwaremustdie.org) +* https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 ([#482](https://github.com/timb-machine/linux-malware/issues/482)) - Log4J, [/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86](../../blob/main/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86), Linux +* https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf ([#370](https://github.com/timb-machine/linux-malware/issues/370)) - Kobalos, #bsd, #solaris, #aix +* https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ ([#690](https://github.com/timb-machine/linux-malware/issues/690)) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux * https://twitter.com/bkMSFT/status/1417823714922610689 ([#328](https://github.com/timb-machine/linux-malware/issues/328)) - https://github.com/timb-machine/linux-malware/issues/329, Zirconium, APT31 -* https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ ([#329](https://github.com/timb-machine/linux-malware/issues/329)) - Zirconium, APT31 -* https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ ([#65](https://github.com/timb-machine/linux-malware/issues/65)) - Qemu, https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945 -* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ ([#817](https://github.com/timb-machine/linux-malware/issues/817)) - Resource Development, Persistence, Defense Evasion, attack:T1542.003:Bootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1587.00:Malware, attack:T1587.002Code Signing Certificates, attack:T1106:Native API, attack:T1129:Shared Modules, attack:T1574.006:Dynamic Linker, attack:T1542.003, attack:T1014:Rootkit, attack:T1562:Impair Defenses, attack:T1564:Hide Artifacts, Bootkitty, BCDropper, BCObserver, Linux, Consumer, Internal enterprise services, Enterprise with satellite facilities, Enterprise with contracted services and/or non-employee access -* https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ([#636](https://github.com/timb-machine/linux-malware/issues/636)) - Initial Access, Linux -* http://it.rising.com.cn/fanglesuo/19851.html ([#96](https://github.com/timb-machine/linux-malware/issues/96)) - SFile -* https://imp0rtp3.wordpress.com/2021/11/25/sowat/ ([#400](https://github.com/timb-machine/linux-malware/issues/400)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/140, https://github.com/timb-machine/linux-malware/issues/131, SoWaT, APT31, Zirconium -* https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ ([#343](https://github.com/timb-machine/linux-malware/issues/343)) - NGrok -* https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html ([#366](https://github.com/timb-machine/linux-malware/issues/366)) - AirDropBot (by malwaremustdie.org) -* https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ ([#68](https://github.com/timb-machine/linux-malware/issues/68)) - Mumblehard -* https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ ([#299](https://github.com/timb-machine/linux-malware/issues/299)) - IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm) -* https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ ([#357](https://github.com/timb-machine/linux-malware/issues/357)) - SystemTen (by malwaremustdie.org) -* https://honeynet.onofri.org/scans/scan13/som/som5.txt ([#389](https://github.com/timb-machine/linux-malware/issues/389)) - Luckscan, UNC1945 -* https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF ([#657](https://github.com/timb-machine/linux-malware/issues/657)) - Command and Control, SNAKE, Linux -* https://imgur.com/a/qI5Fvm4 ([#83](https://github.com/timb-machine/linux-malware/issues/83)) - STD (by malwaremustdie.org) -* https://twitter.com/CraigHRowland/status/1523266585133457408 ([#424](https://github.com/timb-machine/linux-malware/issues/424)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux -* https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html ([#442](https://github.com/timb-machine/linux-malware/issues/442)) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, https://github.com/timb-machine/linux-malware/issues/544, Linux, VMware, Internal enterprise services, Internal specialist services -* https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ([#107](https://github.com/timb-machine/linux-malware/issues/107)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 * https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages ([#542](https://github.com/timb-machine/linux-malware/issues/542)) - Defense Evasion, Discovery, Collection, Exfiltration, vertical:Telecomms, attack:T1040:Network Sniffing, uses:Non-persistentStorage, attack:T1070.004:File Deletion, MESSAGETAP, [/malware/binaries/MESSAGETAP](../../tree/main/malware/binaries/MESSAGETAP), APT41, Linux, Telecomms, Internal specialist services -* https://imgur.com/a/5vPEc ([#74](https://github.com/timb-machine/linux-malware/issues/74)) - ChinaZ (by malwaremustdie.org) -* https://www.mandiant.com/resources/unc3524-eye-spy-email ([#414](https://github.com/timb-machine/linux-malware/issues/414)) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment -* https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ ([#809](https://github.com/timb-machine/linux-malware/issues/809)) - Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Command and Control, AIX, Internal enterprise services -* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ ([#452](https://github.com/timb-machine/linux-malware/issues/452)) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, https://github.com/timb-machine/linux-malware/issues/460, Symbiote, Linux -* https://twitter.com/malwrhunterteam/status/1422972905541996546 ([#374](https://github.com/timb-machine/linux-malware/issues/374)) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware -* https://twitter.com/malwaremustd1e/status/1237080802581565440 ([#359](https://github.com/timb-machine/linux-malware/issues/359)) - Mozi (by malwaremustdie.org) -* https://twitter.com/avastthreatlabs/status/1430527767855058949 ([#492](https://github.com/timb-machine/linux-malware/issues/492)) - HCRootkit, https://github.com/timb-machine/linux-malware/issues/491, Linux +* https://imgur.com/a/lAQ1tMQ ([#78](https://github.com/timb-machine/linux-malware/issues/78)) - HelloBot (by malwaremustdie.org) +* https://twitter.com/CraigHRowland/status/1422009387686645761 ([#353](https://github.com/timb-machine/linux-malware/issues/353)) - ITTS +* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ ([#724](https://github.com/timb-machine/linux-malware/issues/724)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/814, Linux +* https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html ([#304](https://github.com/timb-machine/linux-malware/issues/304)) - DarkRadation +* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ ([#716](https://github.com/timb-machine/linux-malware/issues/716)) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, https://github.com/timb-machine/linux-malware/issues/717, Linux, IOT +* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass ([#692](https://github.com/timb-machine/linux-malware/issues/692)) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware +* https://www.mandiant.com/resources/unc2891-overview ([#112](https://github.com/timb-machine/linux-malware/issues/112)) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, https://github.com/timb-machine/linux-malware/issues/134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking +* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ ([#516](https://github.com/timb-machine/linux-malware/issues/516)) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux +* https://twitter.com/malwaremustd1e/status/1235595880041873408 ([#358](https://github.com/timb-machine/linux-malware/issues/358)) - Hajimi (by malwaremustdie.org) +* https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ ([#327](https://github.com/timb-machine/linux-malware/issues/327)) - TeamTNT, Mimipenguin +* https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d ([#616](https://github.com/timb-machine/linux-malware/issues/616)) - Command and Control, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481 +* https://twitter.com/captainGeech42/status/1657121312425365524 ([#661](https://github.com/timb-machine/linux-malware/issues/661)) - Persistence, Defense Evasion, SystemBC, https://github.com/timb-machine/linux-malware/issues/662, Linux +* https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ ([#117](https://github.com/timb-machine/linux-malware/issues/117)) - AcidRain +* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 ([#604](https://github.com/timb-machine/linux-malware/issues/604)) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux +* https://imgur.com/a/vS7xV ([#75](https://github.com/timb-machine/linux-malware/issues/75)) - CarpeDiem (by malwaremustdie.org) +* https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ ([#444](https://github.com/timb-machine/linux-malware/issues/444)) - EnemyBot, Linux +* https://imgur.com/a/SSKmu ([#77](https://github.com/timb-machine/linux-malware/issues/77)) - Rebirth, Vulcan (by malwaremustdie.org) * https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ ([#298](https://github.com/timb-machine/linux-malware/issues/298)) - RandomEXX -* https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ ([#369](https://github.com/timb-machine/linux-malware/issues/369)) - Kobalos, #linux, #bsd, #solaris, #aix -* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ ([#434](https://github.com/timb-machine/linux-malware/issues/434)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux -* https://www.lab539.com/blog/linux-malware-detection-with-limacharlie ([#728](https://github.com/timb-machine/linux-malware/issues/728)) - Reconnaissance, Initial Access, Execution, Persistence, Linux -* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool ([#405](https://github.com/timb-machine/linux-malware/issues/405)) - attack:T1205.002:Socket Filters, ebpfkit * https://twitter.com/ESETresearch/status/1382054011264700416 ([#335](https://github.com/timb-machine/linux-malware/issues/335)) - TSCookie, #freebsd -* https://twitter.com/ESETresearch/status/1410864752948043778 ([#104](https://github.com/timb-machine/linux-malware/issues/104)) - Specter, SideWalk, StageClient -* https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ ([#640](https://github.com/timb-machine/linux-malware/issues/640)) - Initial Access, Command and Control, Impact, Sysrv, Linux +* https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w ([#394](https://github.com/timb-machine/linux-malware/issues/394)) - NAMO +* https://twitter.com/malwaremustd1e/status/1267068856645775360 ([#363](https://github.com/timb-machine/linux-malware/issues/363)) - DarkNexus (by malwaremustdie.org) +* https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ ([#655](https://github.com/timb-machine/linux-malware/issues/655)) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux +* https://blog.polyswarm.io/lightning-framework ([#506](https://github.com/timb-machine/linux-malware/issues/506)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux +* https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf ([#518](https://github.com/timb-machine/linux-malware/issues/518)) - DarkNexus, Linux +* https://blog.xlab.qianxin.com/mirai-tbot-en/ ([#788](https://github.com/timb-machine/linux-malware/issues/788)) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or Information, Mirai, TBOT, Linux, IOT +* https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ ([#681](https://github.com/timb-machine/linux-malware/issues/681)) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services +* https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF ([#657](https://github.com/timb-machine/linux-malware/issues/657)) - Command and Control, SNAKE, Linux +* https://twitter.com/malwaremustd1e/status/1237080802581565440 ([#359](https://github.com/timb-machine/linux-malware/issues/359)) - Mozi (by malwaremustdie.org) +* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ ([#322](https://github.com/timb-machine/linux-malware/issues/322)) - Turian +* https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#496](https://github.com/timb-machine/linux-malware/issues/496)) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services +* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF ([#67](https://github.com/timb-machine/linux-malware/issues/67)) - Drovorub +* https://imgur.com/a/MuHSZtC ([#81](https://github.com/timb-machine/linux-malware/issues/81)) - Mandibule (by malwaremustdie.org) * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers ([#720](https://github.com/timb-machine/linux-malware/issues/720)) - Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, attack:T1608:Stage Capabilities, attack:T1053.003:Cron, attack:T1027.002:Software Packing, attack:T1543.002:Systemd Service, attack:T1037.004:RC Scripts, attack:T1574.006:Dynamic Linker Hijacking, attack:T1036.005:Match Legitimate Name or Location, attack:T1190:Exploit Public-Facing Application, attack:T1110:Brute Force, uses:KillCompetition, XMRig, Rocke, Linux -* https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html ([#383](https://github.com/timb-machine/linux-malware/issues/383)) -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware ([#586](https://github.com/timb-machine/linux-malware/issues/586)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT +* https://twitter.com/billyleonard/status/1458531997576572929 ([#480](https://github.com/timb-machine/linux-malware/issues/480)) - Rekoobe, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux +* https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ ([#72](https://github.com/timb-machine/linux-malware/issues/72)) - DDoSTF (by malwaremustdie.org) +* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ ([#459](https://github.com/timb-machine/linux-malware/issues/459)) - Persistence, Defense Evasion, Linux +* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html ([#111](https://github.com/timb-machine/linux-malware/issues/111)) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap +* https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ ([#315](https://github.com/timb-machine/linux-malware/issues/315)) - Gafgyt +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks ([#8](https://github.com/timb-machine/linux-malware/issues/8)) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment +* https://twitter.com/Unit42_Intel/status/1653760405792014336 ([#695](https://github.com/timb-machine/linux-malware/issues/695)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, BlackSuite, Linux +* https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html ([#442](https://github.com/timb-machine/linux-malware/issues/442)) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, https://github.com/timb-machine/linux-malware/issues/544, Linux, VMware, Internal enterprise services, Internal specialist services +* https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ ([#671](https://github.com/timb-machine/linux-malware/issues/671)) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms +* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool ([#405](https://github.com/timb-machine/linux-malware/issues/405)) - attack:T1205.002:Socket Filters, ebpfkit +* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc ([#786](https://github.com/timb-machine/linux-malware/issues/786)) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux +* https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html ([#336](https://github.com/timb-machine/linux-malware/issues/336)) - PLEAD +* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group ([#790](https://github.com/timb-machine/linux-malware/issues/790)) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux +* https://blog.talosintelligence.com/2018/05/VPNFilter.html ([#53](https://github.com/timb-machine/linux-malware/issues/53)) - VPNFilter * https://themittenmac.com/tinyshell-under-the-microscope/ ([#617](https://github.com/timb-machine/linux-malware/issues/617)) - TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481 -* https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development ([#505](https://github.com/timb-machine/linux-malware/issues/505)) - Impact, DarkAngels, wltm, Linux -* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet ([#623](https://github.com/timb-machine/linux-malware/issues/623)) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer -* https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf ([#338](https://github.com/timb-machine/linux-malware/issues/338)) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux -* https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ ([#342](https://github.com/timb-machine/linux-malware/issues/342)) - Doki -* https://imgur.com/a/8mFGk ([#70](https://github.com/timb-machine/linux-malware/issues/70)) - httpsd (by malwaremustdie.org) -* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html ([#321](https://github.com/timb-machine/linux-malware/issues/321)) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux -* https://ultimacybr.co.uk/2023-10-04-Sysrv/ ([#767](https://github.com/timb-machine/linux-malware/issues/767)) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux -* https://vms.drweb.com/virus/?i=15389228 ([#326](https://github.com/timb-machine/linux-malware/issues/326)) - ? +* https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html ([#383](https://github.com/timb-machine/linux-malware/issues/383)) +* https://twitter.com/avastthreatlabs/status/1430527767855058949 ([#492](https://github.com/timb-machine/linux-malware/issues/492)) - HCRootkit, https://github.com/timb-machine/linux-malware/issues/491, Linux +* https://twitter.com/IntezerLabs/status/1288487307369222145 ([#331](https://github.com/timb-machine/linux-malware/issues/331)) - TrickBot +* https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html ([#563](https://github.com/timb-machine/linux-malware/issues/563)) - Command and Control, uses:Go, Alchemist, [/malware/binaries/Alchimist](../../tree/main/malware/binaries/Alchimist), https://github.com/timb-machine/linux-malware/issues/564, Sysrv?, Linux +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ ([#434](https://github.com/timb-machine/linux-malware/issues/434)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ ([#678](https://github.com/timb-machine/linux-malware/issues/678)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services +* https://imgur.com/a/qI5Fvm4 ([#83](https://github.com/timb-machine/linux-malware/issues/83)) - STD (by malwaremustdie.org) +* https://honeynet.onofri.org/scans/scan13/som/som13.txt ([#385](https://github.com/timb-machine/linux-malware/issues/385)) - Luckscan, UNC1945 * https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/ ([#474](https://github.com/timb-machine/linux-malware/issues/474)) - Linux, FreeBSD -* https://imgur.com/a/4YxuSfV ([#79](https://github.com/timb-machine/linux-malware/issues/79)) - Cayosin (by malwaremustdie.org) -* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#447](https://github.com/timb-machine/linux-malware/issues/447)) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus -* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ ([#470](https://github.com/timb-machine/linux-malware/issues/470)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux -* https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 ([#482](https://github.com/timb-machine/linux-malware/issues/482)) - Log4J, [/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86](../../blob/main/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86), Linux -* https://asec.ahnlab.com/en/54647/ ([#707](https://github.com/timb-machine/linux-malware/issues/707)) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, Tsunami, Kaiten, 0x333shadow Log Cleaner, https://github.com/timb-machine/linux-malware/issues/706, ChinaZ, Linux -* https://twitter.com/jhencinski/status/1451592508157345793 ([#387](https://github.com/timb-machine/linux-malware/issues/387)) - Impact, XMRig -* https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html ([#332](https://github.com/timb-machine/linux-malware/issues/332)) - NOTROBIN -* https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w ([#394](https://github.com/timb-machine/linux-malware/issues/394)) - NAMO -* https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html ([#546](https://github.com/timb-machine/linux-malware/issues/546)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux -* https://twitter.com/xnand_/status/1676336329985077249 ([#710](https://github.com/timb-machine/linux-malware/issues/710)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/724, https://github.com/timb-machine/linux-malware/issues/814, Linux -* https://twitter.com/Unit42_Intel/status/1653760405792014336 ([#695](https://github.com/timb-machine/linux-malware/issues/695)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, BlackSuite, Linux +* https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html ([#55](https://github.com/timb-machine/linux-malware/issues/55)) - CoinMiner +* https://honeynet.onofri.org/scans/scan13/som/som5.txt ([#389](https://github.com/timb-machine/linux-malware/issues/389)) - Luckscan, UNC1945 +* https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html ([#366](https://github.com/timb-machine/linux-malware/issues/366)) - AirDropBot (by malwaremustdie.org) +* https://twitter.com/malwrhunterteam/status/1422972905541996546 ([#374](https://github.com/timb-machine/linux-malware/issues/374)) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware +* https://imgur.com/a/5vPEc ([#74](https://github.com/timb-machine/linux-malware/issues/74)) - ChinaZ (by malwaremustdie.org) +* https://blogs.jpcert.or.jp/en/2023/05/gobrat.html ([#682](https://github.com/timb-machine/linux-malware/issues/682)) - Command and Control, uses:Go, GobRAT, Linux, Telecomms +* https://twitter.com/IntezerLabs/status/1300403461809491969 ([#347](https://github.com/timb-machine/linux-malware/issues/347)) - Dalcs +* https://twitter.com/timb_machine/status/1450595881732947968 ([#66](https://github.com/timb-machine/linux-malware/issues/66)) - https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945, Solaris +* https://twitter.com/ESETresearch/status/1415542456360263682 ([#368](https://github.com/timb-machine/linux-malware/issues/368)) - ?, #FreeBSD +* https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ ([#714](https://github.com/timb-machine/linux-malware/issues/714)) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT +* https://asec.ahnlab.com/en/45182/ ([#603](https://github.com/timb-machine/linux-malware/issues/603)) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux +* https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html ([#721](https://github.com/timb-machine/linux-malware/issues/721)) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux +* https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 ([#106](https://github.com/timb-machine/linux-malware/issues/106)) - Specter, SideWalk, StageClient, wltm * https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ ([#759](https://github.com/timb-machine/linux-malware/issues/759)) - Impact, Octo Tempest, BlackCat, Linux, VMware -* https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors ([#305](https://github.com/timb-machine/linux-malware/issues/305)) - Tycoon -* https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw ([#660](https://github.com/timb-machine/linux-malware/issues/660)) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistentStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries -* https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html ([#334](https://github.com/timb-machine/linux-malware/issues/334)) - TSCookie -* https://pastebin.com/Z3sXqDCA ([#89](https://github.com/timb-machine/linux-malware/issues/89)) - Mozi (by malwaremustdie.org) -* https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ ([#566](https://github.com/timb-machine/linux-malware/issues/566)) - Impact, XMRig, Sysrv, wltm, Linux -* https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html ([#304](https://github.com/timb-machine/linux-malware/issues/304)) - DarkRadation -* https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ ([#323](https://github.com/timb-machine/linux-malware/issues/323)) - EvilGnome -* https://blog.polyswarm.io/lightning-framework ([#506](https://github.com/timb-machine/linux-malware/issues/506)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux -* https://sysdig.com/blog/cloud-defense-in-depth/ ([#713](https://github.com/timb-machine/linux-malware/issues/713)) - Initial Access, Lateral Movement, KinSing, Linux -* https://twitter.com/cyb3rops/status/1523227511551033349 ([#425](https://github.com/timb-machine/linux-malware/issues/425)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux -* https://www.cisa.gov/news-events/analysis-reports/ar23-209a ([#731](https://github.com/timb-machine/linux-malware/issues/731)) - Persistence, https://github.com/timb-machine/linux-malware/issues/729, SUBMARINE, wltm, Linux -* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ ([#373](https://github.com/timb-machine/linux-malware/issues/373)) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux -* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf ([#427](https://github.com/timb-machine/linux-malware/issues/427)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris -* https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites ([#598](https://github.com/timb-machine/linux-malware/issues/598)) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services -* https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux ([#685](https://github.com/timb-machine/linux-malware/issues/685)) - Impact, RTM Locker, Linux -* https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ ([#690](https://github.com/timb-machine/linux-malware/issues/690)) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux -* https://www.cisa.gov/news-events/analysis-reports/ar23-209b ([#730](https://github.com/timb-machine/linux-malware/issues/730)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/729, SEASPY, wltm, Linux -* https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf ([#493](https://github.com/timb-machine/linux-malware/issues/493)) - Persistence, Command and Control, uses:Go, IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm), Linux +* https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ ([#371](https://github.com/timb-machine/linux-malware/issues/371)) - Ebury +* https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html ([#57](https://github.com/timb-machine/linux-malware/issues/57)) - Mirai (by malwaremustdie.org) +* https://twitter.com/tolisec/status/1507854421618839564 ([#116](https://github.com/timb-machine/linux-malware/issues/116)) - Impact, KinSing +* https://www.akamai.com/blog/security/new-p2p-botnet-panchan ([#476](https://github.com/timb-machine/linux-malware/issues/476)) - Pan-chan, https://github.com/timb-machine/linux-malware/issues/477, Linux +* https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ ([#324](https://github.com/timb-machine/linux-malware/issues/324)) - WatchDog +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ ([#770](https://github.com/timb-machine/linux-malware/issues/770)) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services +* https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ ([#98](https://github.com/timb-machine/linux-malware/issues/98)) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm +* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 ([#612](https://github.com/timb-machine/linux-malware/issues/612)) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions +* https://pastebin.com/raw/mEape37E ([#355](https://github.com/timb-machine/linux-malware/issues/355)) - SystemTen (by malwaremustdie.org) +* https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ ([#340](https://github.com/timb-machine/linux-malware/issues/340)) - Kaiji (by malwaremustdie.org) * https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ ([#513](https://github.com/timb-machine/linux-malware/issues/513)) - Collection, Impact, Linux +* https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw ([#660](https://github.com/timb-machine/linux-malware/issues/660)) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistentStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries +* https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf ([#551](https://github.com/timb-machine/linux-malware/issues/551)) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services +* https://cujo.com/threat-alert-krane-malware/ ([#391](https://github.com/timb-machine/linux-malware/issues/391)) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm +* http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc ([#386](https://github.com/timb-machine/linux-malware/issues/386)) - sc (similar code to luckscan) +* https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html ([#490](https://github.com/timb-machine/linux-malware/issues/490)) - uses:Go, Manjusaka, Linux +* https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ ([#376](https://github.com/timb-machine/linux-malware/issues/376)) - HPC +* https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ ([#478](https://github.com/timb-machine/linux-malware/issues/478)) - https://github.com/timb-machine/linux-malware/issues/480, Rekoobe, TSH, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux +* https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ ([#408](https://github.com/timb-machine/linux-malware/issues/408)) - Linux +* https://www.varonis.com/blog/alphv-blackcat-ransomware ([#109](https://github.com/timb-machine/linux-malware/issues/109)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 +* https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ ([#372](https://github.com/timb-machine/linux-malware/issues/372)) - Kessel +* https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ ([#679](https://github.com/timb-machine/linux-malware/issues/679)) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services +* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant ([#686](https://github.com/timb-machine/linux-malware/issues/686)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux * https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server ([#784](https://github.com/timb-machine/linux-malware/issues/784)) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux -* https://imgur.com/a/SSKmu ([#77](https://github.com/timb-machine/linux-malware/issues/77)) - Rebirth, Vulcan (by malwaremustdie.org) -* https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar ([#375](https://github.com/timb-machine/linux-malware/issues/375)) - PRISM -* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ ([#441](https://github.com/timb-machine/linux-malware/issues/441)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris -* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ ([#432](https://github.com/timb-machine/linux-malware/issues/432)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux -* https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html ([#398](https://github.com/timb-machine/linux-malware/issues/398)) - Polaris -* https://asec.ahnlab.com/en/45182/ ([#603](https://github.com/timb-machine/linux-malware/issues/603)) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux +* https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ ([#105](https://github.com/timb-machine/linux-malware/issues/105)) - Specter, SideWalk, StageClient +* https://www.signalblur.io/through-the-looking-glass ([#756](https://github.com/timb-machine/linux-malware/issues/756)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services +* https://imgur.com/a/N3BgY ([#73](https://github.com/timb-machine/linux-malware/issues/73)) - ChinaZ, GoARM (by malwaremustdie.org) +* https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux ([#685](https://github.com/timb-machine/linux-malware/issues/685)) - Impact, RTM Locker, Linux +* https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html ([#546](https://github.com/timb-machine/linux-malware/issues/546)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware ([#814](https://github.com/timb-machine/linux-malware/issues/814)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:Non-persistentStorage, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, attack:T1037.004:RC Scripts, attack:T1098.004: SSH Authorized Keys, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/724, Linux * https://blog.talosintelligence.com/lazarus-collectionrat/ ([#752](https://github.com/timb-machine/linux-malware/issues/752)) - Command and Control, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, DeimosC2, https://github.com/timb-machine/linux-malware/issues/751, HiddenCobra, Lazarus, APT38, Linux -* https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ ([#313](https://github.com/timb-machine/linux-malware/issues/313)) - FritzFrog -* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ ([#119](https://github.com/timb-machine/linux-malware/issues/119)) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial -* https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 ([#362](https://github.com/timb-machine/linux-malware/issues/362)) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux -* https://atdotde.blogspot.com/2020/05/high-performance-hackers.html ([#377](https://github.com/timb-machine/linux-malware/issues/377)) - HPC -* https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ ([#408](https://github.com/timb-machine/linux-malware/issues/408)) - Linux -* https://honeynet.onofri.org/scans/scan13/som/som13.txt ([#385](https://github.com/timb-machine/linux-malware/issues/385)) - Luckscan, UNC1945 -* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc ([#786](https://github.com/timb-machine/linux-malware/issues/786)) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux +* https://unit42.paloaltonetworks.com/blackcat-ransomware/ ([#108](https://github.com/timb-machine/linux-malware/issues/108)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512 +* https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html ([#58](https://github.com/timb-machine/linux-malware/issues/58)) - Mirai (by malwaremustdie.org) +* https://news.drweb.com/show/?i=14646&lng=en&c=23 ([#602](https://github.com/timb-machine/linux-malware/issues/602)) - Initial Access, Command and Control, WordPressExploit, Linux +* https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ ([#343](https://github.com/timb-machine/linux-malware/issues/343)) - NGrok * https://www.akamai.com/blog/security-research/dhpcd-cryptominer-hid-four-years ([#578](https://github.com/timb-machine/linux-malware/issues/578)) - Impact, dhcpcd, Linux, IOT -* https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability ([#572](https://github.com/timb-machine/linux-malware/issues/572)) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux -* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html ([#111](https://github.com/timb-machine/linux-malware/issues/111)) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap -* https://twitter.com/IntezerLabs/status/1272915284148531200 ([#341](https://github.com/timb-machine/linux-malware/issues/341)) - Lazarus -* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ ([#778](https://github.com/timb-machine/linux-malware/issues/778)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, uses:Redis, XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services -* https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html ([#336](https://github.com/timb-machine/linux-malware/issues/336)) - PLEAD -* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ ([#64](https://github.com/timb-machine/linux-malware/issues/64)) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, https://github.com/timb-machine/linux-malware/issues/134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux -* https://twitter.com/malwrhunterteam/status/1467264298237972484 ([#406](https://github.com/timb-machine/linux-malware/issues/406)) - Cerber -* https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ ([#315](https://github.com/timb-machine/linux-malware/issues/315)) - Gafgyt -* https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ ([#120](https://github.com/timb-machine/linux-malware/issues/120)) - CAKETAP, UNC2891, Solaris -* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 ([#604](https://github.com/timb-machine/linux-malware/issues/604)) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux -* https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan ([#732](https://github.com/timb-machine/linux-malware/issues/732)) - Persistence, Defense Evasion, Command and Control, Linux, Hosting -* https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group ([#544](https://github.com/timb-machine/linux-malware/issues/544)) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Night Sky, Emperor Dragonfly, Bronze Starlight, Linux, VMware -* https://blog.talosintelligence.com/2018/05/VPNFilter.html ([#53](https://github.com/timb-machine/linux-malware/issues/53)) - VPNFilter -* https://lab52.io/blog/looking-for-penquins-in-the-wild/ ([#594](https://github.com/timb-machine/linux-malware/issues/594)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux -* https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf ([#100](https://github.com/timb-machine/linux-malware/issues/100)) - Cyclops Blink -* https://imgur.com/a/H7YuWuj ([#356](https://github.com/timb-machine/linux-malware/issues/356)) - SystemTen (by malwaremustdie.org) -* https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html ([#380](https://github.com/timb-machine/linux-malware/issues/380)) - Persistence, Defense Evasion, Impact, KinSing -* https://twitter.com/malwaremustd1e/status/1267068856645775360 ([#363](https://github.com/timb-machine/linux-malware/issues/363)) - DarkNexus (by malwaremustdie.org) -* https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ ([#671](https://github.com/timb-machine/linux-malware/issues/671)) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms -* https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf ([#370](https://github.com/timb-machine/linux-malware/issues/370)) - Kobalos, #bsd, #solaris, #aix +* https://twitter.com/malwaremustd1e/status/1265321238383099904 ([#317](https://github.com/timb-machine/linux-malware/issues/317)) - Gafgyt (by malwaremustdie.org) +* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads ([#723](https://github.com/timb-machine/linux-malware/issues/723)) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux +* https://imgur.com/a/4YxuSfV ([#79](https://github.com/timb-machine/linux-malware/issues/79)) - Cayosin (by malwaremustdie.org) +* https://blog.exatrack.com/melofee/ ([#620](https://github.com/timb-machine/linux-malware/issues/620)) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux +* https://asec.ahnlab.com/en/54647/ ([#707](https://github.com/timb-machine/linux-malware/issues/707)) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, Tsunami, Kaiten, 0x333shadow Log Cleaner, https://github.com/timb-machine/linux-malware/issues/706, ChinaZ, Linux +* https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ ([#114](https://github.com/timb-machine/linux-malware/issues/114)) - HabitsRAT +* https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html ([#398](https://github.com/timb-machine/linux-malware/issues/398)) - Polaris +* https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt ([#320](https://github.com/timb-machine/linux-malware/issues/320)) - Gafgyt +* https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ ([#360](https://github.com/timb-machine/linux-malware/issues/360)) - Rhombus (by malwaremustdie.org) +* https://asec.ahnlab.com/ko/55070/ ([#709](https://github.com/timb-machine/linux-malware/issues/709)) - Command and Control, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris +* https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md ([#352](https://github.com/timb-machine/linux-malware/issues/352)) - ITTS +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ ([#439](https://github.com/timb-machine/linux-malware/issues/439)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, https://github.com/timb-machine/linux-malware/issues/129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux +* https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ ([#357](https://github.com/timb-machine/linux-malware/issues/357)) - SystemTen (by malwaremustdie.org) +* https://securelist.com/the-penquin-turla-2/67962/ ([#593](https://github.com/timb-machine/linux-malware/issues/593)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux +* https://sansec.io/research/cronrat ([#399](https://github.com/timb-machine/linux-malware/issues/399)) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux * https://cyberplace.social/@GossiTheDog/110516069484635011 ([#703](https://github.com/timb-machine/linux-malware/issues/703)) - Resource Development, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Linux -* https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ ([#478](https://github.com/timb-machine/linux-malware/issues/478)) - https://github.com/timb-machine/linux-malware/issues/480, Rekoobe, TSH, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux -* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines ([#527](https://github.com/timb-machine/linux-malware/issues/527)) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, https://github.com/timb-machine/linux-malware/issues/510, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), XMRig, Linux -* https://twitter.com/CraigHRowland/status/1422009387686645761 ([#353](https://github.com/timb-machine/linux-malware/issues/353)) - ITTS -* https://twitter.com/malwrhunterteam/status/1415403132230803460 ([#310](https://github.com/timb-machine/linux-malware/issues/310)) - HelloKitty -* https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf ([#333](https://github.com/timb-machine/linux-malware/issues/333)) - Cloud Snooper -* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ ([#468](https://github.com/timb-machine/linux-malware/issues/468)) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux -* https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ ([#71](https://github.com/timb-machine/linux-malware/issues/71)) - SS, Shark (by malwaremustdie.org) -* https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ ([#549](https://github.com/timb-machine/linux-malware/issues/549)) - ACBackdoor, wltm, Linux * https://twitter.com/IntezerLabs/status/1338480158249013250 ([#301](https://github.com/timb-machine/linux-malware/issues/301)) - Promotei -* https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ ([#404](https://github.com/timb-machine/linux-malware/issues/404)) - Hildegard, TeamTNT -* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 ([#803](https://github.com/timb-machine/linux-malware/issues/803)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), wltm, Linux -* https://twitter.com/ankit_anubhav/status/1490574137370103808 ([#483](https://github.com/timb-machine/linux-malware/issues/483)) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/482, Linux -* https://unit42.paloaltonetworks.com/alloy-taurus/ ([#646](https://github.com/timb-machine/linux-malware/issues/646)) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux -* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot ([#744](https://github.com/timb-machine/linux-malware/issues/744)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT -* https://twitter.com/malwrhunterteam/status/1559636227485319168 ([#500](https://github.com/timb-machine/linux-malware/issues/500)) - Impact, REvil, wltm, Linux -* https://asec.ahnlab.com/en/51908/ ([#650](https://github.com/timb-machine/linux-malware/issues/650)) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, https://github.com/timb-machine/linux-malware/issues/550, KONO DIO DA, XMRig, Linux -* https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html ([#614](https://github.com/timb-machine/linux-malware/issues/614)) - Command and Control, Persistence, SysUpdate, IronTiger -* https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ ([#681](https://github.com/timb-machine/linux-malware/issues/681)) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services -* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass ([#692](https://github.com/timb-machine/linux-malware/issues/692)) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware -* https://www.group-ib.com/blog/krasue-rat/ ([#797](https://github.com/timb-machine/linux-malware/issues/797)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:AbnormalSignal, attack:T1071:Application Layer Protocol, uses:RTSP, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205:Traffic Signaling, Krasue, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, Suterusu, https://github.com/timb-machine/linux-malware/issues/491, Rooty, https://github.com/timb-machine/linux-malware/issues/440, Linux -* https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ([#110](https://github.com/timb-machine/linux-malware/issues/110)) - b1txor20 -* https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ ([#340](https://github.com/timb-machine/linux-malware/issues/340)) - Kaiji (by malwaremustdie.org) -* https://asec.ahnlab.com/en/55229/ ([#722](https://github.com/timb-machine/linux-malware/issues/722)) - Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris -* https://imgur.com/a/vS7xV ([#75](https://github.com/timb-machine/linux-malware/issues/75)) - CarpeDiem (by malwaremustdie.org) -* https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf ([#518](https://github.com/timb-machine/linux-malware/issues/518)) - DarkNexus, Linux -* https://imgur.com/a/MuHSZtC ([#81](https://github.com/timb-machine/linux-malware/issues/81)) - Mandibule (by malwaremustdie.org) -* https://imgur.com/a/eBF7Mqe ([#76](https://github.com/timb-machine/linux-malware/issues/76)) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org) +* https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar ([#375](https://github.com/timb-machine/linux-malware/issues/375)) - PRISM +* https://asec.ahnlab.com/en/50316/ ([#621](https://github.com/timb-machine/linux-malware/issues/621)) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf ([#808](https://github.com/timb-machine/linux-malware/issues/808)) - Execution, Persistence, Discovery, Collection, Command and Control, Exfiltration, attack:T1574.006:Dynamic Linker, attack:T1059.004:Unix Shell, attack:T1053.003:Cron, attack:T1559:Inter-Process Communication, attack:T1205.001:Port Knocking, attack:T1001.003:Protocol Impersonation, attack:T1573.002:Asymmetric Cryptography, attack:T1572:Protocol Tunneling, attack:T1560.002:Archive via Library, attack:T1041:Exfiltration Over C2 Channel, attack:T1005:Data from Local System, attack:T1124:System Time Discovery, attack:T1518:Software Discovery, attack:T1071.Application Layer Protocol, uses:BPF, uses:Non-persistentStorage, Pygmy Goat, EarthWorm, Earthwrom, wltm, Linux, Enterprise with satellite facilities * https://netadr.github.io/blog/a-quick-glimpse-sbz/ ([#596](https://github.com/timb-machine/linux-malware/issues/596)) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris -* https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md ([#352](https://github.com/timb-machine/linux-malware/issues/352)) - ITTS +* https://imgur.com/a/a6RaZMP ([#87](https://github.com/timb-machine/linux-malware/issues/87)) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org) +* https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ ([#339](https://github.com/timb-machine/linux-malware/issues/339)) - Kaiji +* https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ ([#601](https://github.com/timb-machine/linux-malware/issues/601)) - Persistence, Privilege Escalation, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux +* https://twitter.com/CraigHRowland/status/1523266585133457408 ([#424](https://github.com/timb-machine/linux-malware/issues/424)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux +* https://imgur.com/a/y5BRx ([#86](https://github.com/timb-machine/linux-malware/issues/86)) - r57shell (by malwaremustdie.org) +* http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm ([#113](https://github.com/timb-machine/linux-malware/issues/113)) - NOPEN +* https://www.mandiant.com/resources/unc3524-eye-spy-email ([#414](https://github.com/timb-machine/linux-malware/issues/414)) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment +* https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors ([#729](https://github.com/timb-machine/linux-malware/issues/729)) - Persistence, Command and Control, SEASPY, https://github.com/timb-machine/linux-malware/issues/730, SUBMARINE, https://github.com/timb-machine/linux-malware/issues/731, Linux +* https://twitter.com/IntezerLabs/status/1291355808811409408 ([#346](https://github.com/timb-machine/linux-malware/issues/346)) - Carbanak +* https://imgur.com/a/57uOiTu ([#80](https://github.com/timb-machine/linux-malware/issues/80)) - DDoSMan (by malwaremustdie.org) +* https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection ([#644](https://github.com/timb-machine/linux-malware/issues/644)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, [/malware/binaries/Multios.Ransomware.Lockbit](../../tree/main/malware/binaries/Multios.Ransomware.Lockbit), Linux +* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ ([#319](https://github.com/timb-machine/linux-malware/issues/319)) - Gafgyt +* https://twitter.com/xnand_/status/1676336329985077249 ([#710](https://github.com/timb-machine/linux-malware/issues/710)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/724, https://github.com/timb-machine/linux-malware/issues/814, Linux +* https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ ([#344](https://github.com/timb-machine/linux-malware/issues/344)) - NGrok +* https://twitter.com/malwaremustd1e/status/1379028201075187716 ([#365](https://github.com/timb-machine/linux-malware/issues/365)) - DGAbot (by malwaremustdie.org) +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ ([#471](https://github.com/timb-machine/linux-malware/issues/471)) - HiddenWasp, Linux +* https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html ([#637](https://github.com/timb-machine/linux-malware/issues/637)) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services * https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack ([#715](https://github.com/timb-machine/linux-malware/issues/715)) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux -* https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf ([#551](https://github.com/timb-machine/linux-malware/issues/551)) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services -* https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware ([#639](https://github.com/timb-machine/linux-malware/issues/639)) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux -* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ ([#750](https://github.com/timb-machine/linux-malware/issues/750)) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux -* https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#580](https://github.com/timb-machine/linux-malware/issues/580)) - Command and Control, Torii, Linux +* https://twitter.com/malwaremustd1e/status/1251758225919115264 ([#361](https://github.com/timb-machine/linux-malware/issues/361)) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux +* https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ ([#314](https://github.com/timb-machine/linux-malware/issues/314)) - Gafgyt +* https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor ([#547](https://github.com/timb-machine/linux-malware/issues/547)) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware ([#586](https://github.com/timb-machine/linux-malware/issues/586)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT +* https://imgur.com/a/53f29O9 ([#61](https://github.com/timb-machine/linux-malware/issues/61)) - Mirai (by malwaremustdie.org) +* https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ ([#71](https://github.com/timb-machine/linux-malware/issues/71)) - SS, Shark (by malwaremustdie.org) +* https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign ([#727](https://github.com/timb-machine/linux-malware/issues/727)) - Initial Access, Command and Control, Impact, XMRig, Linux +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ ([#778](https://github.com/timb-machine/linux-malware/issues/778)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, uses:Redis, XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ ([#470](https://github.com/timb-machine/linux-malware/issues/470)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux +* https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ ([#65](https://github.com/timb-machine/linux-malware/issues/65)) - Qemu, https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945 +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ ([#643](https://github.com/timb-machine/linux-malware/issues/643)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, Linux, Solaris +* https://asec.ahnlab.com/en/51908/ ([#650](https://github.com/timb-machine/linux-malware/issues/650)) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, https://github.com/timb-machine/linux-malware/issues/550, KONO DIO DA, XMRig, Linux +* https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ ([#56](https://github.com/timb-machine/linux-malware/issues/56)) - LemonDuck * https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ ([#306](https://github.com/timb-machine/linux-malware/issues/306)) - QNAPCrypt, eCh0raix -* https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ ([#378](https://github.com/timb-machine/linux-malware/issues/378)) - #cobaltstrike, VermilionStrike -* https://twitter.com/IntezerLabs/status/1300403461809491969 ([#347](https://github.com/timb-machine/linux-malware/issues/347)) - Dalcs -* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf ([#808](https://github.com/timb-machine/linux-malware/issues/808)) - Execution, Persistence, Discovery, Collection, Command and Control, Exfiltration, attack:T1574.006:Dynamic Linker, attack:T1059.004:Unix Shell, attack:T1053.003:Cron, attack:T1559:Inter-Process Communication, attack:T1205.001:Port Knocking, attack:T1001.003:Protocol Impersonation, attack:T1573.002:Asymmetric Cryptography, attack:T1572:Protocol Tunneling, attack:T1560.002:Archive via Library, attack:T1041:Exfiltration Over C2 Channel, attack:T1005:Data from Local System, attack:T1124:System Time Discovery, attack:T1518:Software Discovery, attack:T1071.Application Layer Protocol, uses:BPF, uses:Non-persistentStorage, Pygmy Goat, EarthWorm, Earthwrom, wltm, Linux, Enterprise with satellite facilities -* https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ ([#410](https://github.com/timb-machine/linux-malware/issues/410)) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing -* https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ ([#117](https://github.com/timb-machine/linux-malware/issues/117)) - AcidRain -* https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ ([#52](https://github.com/timb-machine/linux-malware/issues/52)) - GodLua -* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ ([#322](https://github.com/timb-machine/linux-malware/issues/322)) - Turian -* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant ([#686](https://github.com/timb-machine/linux-malware/issues/686)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux -* https://www.mandiant.com/resources/unc2891-overview ([#112](https://github.com/timb-machine/linux-malware/issues/112)) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, https://github.com/timb-machine/linux-malware/issues/134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking -* https://igor-blue.github.io/2021/03/24/apt1.html ([#302](https://github.com/timb-machine/linux-malware/issues/302)) +* https://haxrob.net/fastcash-for-linux/ ([#815](https://github.com/timb-machine/linux-malware/issues/815)) - Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, attack:T1027.002:Software Packing, uses:Non-persistentStorage, attack:T1027.013:Encrypted/Encoded File, FastCash, https://github.com/timb-machine/linux-malware/issues/407, https://github.com/timb-machine/linux-malware/issues/312, https://github.com/timb-machine/linux-malware/issues/135, wltm, Linux, Banking, Internal specialist services +* https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ ([#656](https://github.com/timb-machine/linux-malware/issues/656)) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services +* https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ ([#809](https://github.com/timb-machine/linux-malware/issues/809)) - Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Command and Control, AIX, Internal enterprise services +* https://www.group-ib.com/blog/krasue-rat/ ([#797](https://github.com/timb-machine/linux-malware/issues/797)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:AbnormalSignal, attack:T1071:Application Layer Protocol, uses:RTSP, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205:Traffic Signaling, Krasue, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, Suterusu, https://github.com/timb-machine/linux-malware/issues/491, Rooty, https://github.com/timb-machine/linux-malware/issues/440, Linux +* https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version ([#309](https://github.com/timb-machine/linux-malware/issues/309)) - REvil +* https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html ([#698](https://github.com/timb-machine/linux-malware/issues/698)) - Impact, BlackSuit, Linux +* https://imgur.com/a/8mFGk ([#70](https://github.com/timb-machine/linux-malware/issues/70)) - httpsd (by malwaremustdie.org) +* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet ([#623](https://github.com/timb-machine/linux-malware/issues/623)) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer +* https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#758](https://github.com/timb-machine/linux-malware/issues/758)) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware +* https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html ([#380](https://github.com/timb-machine/linux-malware/issues/380)) - Persistence, Defense Evasion, Impact, KinSing +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered ([#693](https://github.com/timb-machine/linux-malware/issues/693)) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ ([#90](https://github.com/timb-machine/linux-malware/issues/90)) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm +* https://sysdig.com/blog/ssh-snake/ ([#801](https://github.com/timb-machine/linux-malware/issues/801)) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services +* https://twitter.com/billyleonard/status/1417910729005490177 ([#69](https://github.com/timb-machine/linux-malware/issues/69)) - https://github.com/timb-machine/linux-malware/issues/329, https://github.com/timb-machine/linux-malware/issues/131, Zirconium, APT31 +* https://www.cisa.gov/news-events/analysis-reports/ar23-209b ([#730](https://github.com/timb-machine/linux-malware/issues/730)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/729, SEASPY, wltm, Linux +* https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan ([#732](https://github.com/timb-machine/linux-malware/issues/732)) - Persistence, Defense Evasion, Command and Control, Linux, Hosting +* https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ ([#311](https://github.com/timb-machine/linux-malware/issues/311)) - HelloKitty +* https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ ([#401](https://github.com/timb-machine/linux-malware/issues/401)) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/530, lib__mdma +* https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group ([#544](https://github.com/timb-machine/linux-malware/issues/544)) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Night Sky, Emperor Dragonfly, Bronze Starlight, Linux, VMware +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ ([#618](https://github.com/timb-machine/linux-malware/issues/618)) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux +* https://cybersecurity.att.com/blogs/labs-research/internet-of-termites ([#517](https://github.com/timb-machine/linux-malware/issues/517)) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux +* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html ([#321](https://github.com/timb-machine/linux-malware/issues/321)) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux +* https://github.com/akamai/akamai-security-research/tree/main/malware/panchan ([#477](https://github.com/timb-machine/linux-malware/issues/477)) - Pan-chan, [/malware/binaries/pan-chan](../../tree/main/malware/binaries/pan-chan), Linux +* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ ([#119](https://github.com/timb-machine/linux-malware/issues/119)) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial +* https://imgur.com/a/eBF7Mqe ([#76](https://github.com/timb-machine/linux-malware/issues/76)) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org) +* https://asec.ahnlab.com/en/49769/ ([#624](https://github.com/timb-machine/linux-malware/issues/624)) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer +* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot ([#744](https://github.com/timb-machine/linux-malware/issues/744)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT +* https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf ([#407](https://github.com/timb-machine/linux-malware/issues/407)) - Impact, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services +* https://x.com/haxrob/status/1762821513680732222 ([#810](https://github.com/timb-machine/linux-malware/issues/810)) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1572:Protocol Tunneling, GTPDOOR, wltm, Linux, Telecomms, Internal specialist services +* https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf ([#338](https://github.com/timb-machine/linux-malware/issues/338)) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf ([#99](https://github.com/timb-machine/linux-malware/issues/99)) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD +* https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf ([#100](https://github.com/timb-machine/linux-malware/issues/100)) - Cyclops Blink +* https://lab52.io/blog/looking-for-penquins-in-the-wild/ ([#594](https://github.com/timb-machine/linux-malware/issues/594)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux +* https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers ([#382](https://github.com/timb-machine/linux-malware/issues/382)) - Mayhem +* https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ ([#329](https://github.com/timb-machine/linux-malware/issues/329)) - Zirconium, APT31 +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ ([#64](https://github.com/timb-machine/linux-malware/issues/64)) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, https://github.com/timb-machine/linux-malware/issues/134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ ([#441](https://github.com/timb-machine/linux-malware/issues/441)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris +* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 ([#702](https://github.com/timb-machine/linux-malware/issues/702)) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT +* https://imgur.com/a/2zRCt ([#318](https://github.com/timb-machine/linux-malware/issues/318)) - Gafgyt (by malwaremustdie.org) +* https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf ([#613](https://github.com/timb-machine/linux-malware/issues/613)) +* https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html ([#334](https://github.com/timb-machine/linux-malware/issues/334)) - TSCookie +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ ([#524](https://github.com/timb-machine/linux-malware/issues/524)) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux +* https://blog.polyswarm.io/deadbolt-ransomware ([#577](https://github.com/timb-machine/linux-malware/issues/577)) - Impact, Deadbolt, Linux, Consumer +* http://it.rising.com.cn/fanglesuo/19851.html ([#96](https://github.com/timb-machine/linux-malware/issues/96)) - SFile +* https://twitter.com/ankit_anubhav/status/1490574137370103808 ([#483](https://github.com/timb-machine/linux-malware/issues/483)) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/482, Linux +* https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ ([#348](https://github.com/timb-machine/linux-malware/issues/348)) - Rakos +* https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ ([#307](https://github.com/timb-machine/linux-malware/issues/307)) - QNAPCrypt, eCh0raix +* https://twitter.com/ESETresearch/status/1454100591261667329?s=20 ([#390](https://github.com/timb-machine/linux-malware/issues/390)) - Hive +* https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability ([#572](https://github.com/timb-machine/linux-malware/issues/572)) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux +* https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability ([#337](https://github.com/timb-machine/linux-malware/issues/337)) - Impact, Persistence, Impact, KinSing +* https://imgur.com/a/H7YuWuj ([#356](https://github.com/timb-machine/linux-malware/issues/356)) - SystemTen (by malwaremustdie.org) +* https://www.cadosecurity.com/redis-p2pinfect/ ([#741](https://github.com/timb-machine/linux-malware/issues/741)) - Initial Access, Linux +* https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ ([#297](https://github.com/timb-machine/linux-malware/issues/297)) - FreakOut +* https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ ([#548](https://github.com/timb-machine/linux-malware/issues/548)) - Command and Control, Exfiltration, https://github.com/timb-machine/linux-malware/issues/325, RedXOR, Linux ### Malware samples #### Malware binaries -* https://bazaar.abuse.ch/browse/signature/Mirai/ ([#127](https://github.com/timb-machine/linux-malware/issues/127)) - Mirai, [/malware/binaries/Unix.Exploit.Mirai](../../tree/main/malware/binaries/Unix.Exploit.Mirai), [/malware/binaries/Unix.Dropper.Mirai](../../tree/main/malware/binaries/Unix.Dropper.Mirai), [/malware/binaries/Unix.Trojan.Mirai](../../tree/main/malware/binaries/Unix.Trojan.Mirai) -* https://bazaar.abuse.ch/browse/tag/elf/ ([#122](https://github.com/timb-machine/linux-malware/issues/122)) -* https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ ([#662](https://github.com/timb-machine/linux-malware/issues/662)) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, https://github.com/timb-machine/linux-malware/issues/661, SystemBC, [/malware/binaries/SystemBC](../../tree/main/malware/binaries/SystemBC), Linux -* https://github.com/x0rz/EQGRP ([#138](https://github.com/timb-machine/linux-malware/issues/138)) -* https://samples.vx-underground.org/APTs/2021/2021.10.11/ ([#409](https://github.com/timb-machine/linux-malware/issues/409)) - FontOnLake, [/malware/binaries/FontOnLake](../../tree/main/malware/binaries/FontOnLake), Linux +* https://bazaar.abuse.ch/browse/signature/Gafgyt/ ([#128](https://github.com/timb-machine/linux-malware/issues/128)) - Gafgyt, [/malware/binaries/Unix.Trojan.Gafgyt](../../tree/main/malware/binaries/Unix.Trojan.Gafgyt) +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection ([#418](https://github.com/timb-machine/linux-malware/issues/418)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/419, https://github.com/timb-machine/linux-malware/issues/424, https://github.com/timb-machine/linux-malware/issues/425, https://github.com/timb-machine/linux-malware/issues/426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, [/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64](../../blob/main/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64), Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux +* https://github.com/eset/malware-ioc/tree/master/rakos ([#132](https://github.com/timb-machine/linux-malware/issues/132)) - Rakos * https://github.com/darrenmartyn/malware_samples ([#530](https://github.com/timb-machine/linux-malware/issues/530)) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux -* https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection ([#131](https://github.com/timb-machine/linux-malware/issues/131)) - SoWaT, [/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips](../../blob/main/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips), APT31, Zirconium -* https://tria.ge/s?q=tag%3alinux ([#121](https://github.com/timb-machine/linux-malware/issues/121)) -* https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ ([#140](https://github.com/timb-machine/linux-malware/issues/140)) - SoWaT, [/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips](../../blob/main/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips), APT31, Zirconium -* https://github.com/MalwareSamples/Linux-Malware-Samples ([#123](https://github.com/timb-machine/linux-malware/issues/123)) -* https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ ([#139](https://github.com/timb-machine/linux-malware/issues/139)) - Polaris, [/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64](../../blob/main/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64) -* https://github.com/hardenedvault/bootkit-samples ([#103](https://github.com/timb-machine/linux-malware/issues/103)) -* https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection ([#141](https://github.com/timb-machine/linux-malware/issues/141)) - Linikatz +* https://bazaar.abuse.ch/browse/tag/Symbiote/ ([#460](https://github.com/timb-machine/linux-malware/issues/460)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, [/malware/binaries/Symbiote](../../tree/main/malware/binaries/Symbiote), Symbiote, Linux +* https://github.com/eset/malware-ioc/tree/master/kobalos ([#137](https://github.com/timb-machine/linux-malware/issues/137)) - Kobalos +* https://github.com/Caprico1/kinsing ([#454](https://github.com/timb-machine/linux-malware/issues/454)) - Persistence, Impact, KinSing, Linux * https://twitter.com/nunohaien/status/1261281420791742464 ([#125](https://github.com/timb-machine/linux-malware/issues/125)) -* https://samples.vx-underground.org/APTs/2020/2020.11.02/ ([#134](https://github.com/timb-machine/linux-malware/issues/134)) - [/malware/binaries/UNC1945](../../tree/main/malware/binaries/UNC1945), LightBasin, UNC1945, Solaris -* https://bazaar.abuse.ch/browse/signature/Gafgyt/ ([#128](https://github.com/timb-machine/linux-malware/issues/128)) - Gafgyt, [/malware/binaries/Unix.Trojan.Gafgyt](../../tree/main/malware/binaries/Unix.Trojan.Gafgyt) -* https://samples.vx-underground.org/samples/Families/VermilionStrike/ ([#136](https://github.com/timb-machine/linux-malware/issues/136)) - CobaltStrike, VermilionStrike, [/malware/binaries/VermilionStrike](../../tree/main/malware/binaries/VermilionStrike) -* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ ([#751](https://github.com/timb-machine/linux-malware/issues/751)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux -* https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 ([#133](https://github.com/timb-machine/linux-malware/issues/133)) - WellMail, wltm, APT29 +* https://github.com/x0rz/EQGRP ([#138](https://github.com/timb-machine/linux-malware/issues/138)) * https://github.com/blackorbird/APT_REPORT ([#124](https://github.com/timb-machine/linux-malware/issues/124)) -* https://samples.vx-underground.org/samples/Families/Fastcash/ ([#135](https://github.com/timb-machine/linux-malware/issues/135)) - Impact, FastCash, [/malware/binaries/FastCash](../../tree/main/malware/binaries/FastCash), https://github.com/timb-machine/linux-malware/issues/312, https://github.com/timb-machine/linux-malware/issues/815, https://github.com/timb-machine/linux-malware/issues/407, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment -* https://github.com/eset/malware-ioc/tree/master/rakos ([#132](https://github.com/timb-machine/linux-malware/issues/132)) - Rakos +* https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection ([#141](https://github.com/timb-machine/linux-malware/issues/141)) - Linikatz +* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ ([#751](https://github.com/timb-machine/linux-malware/issues/751)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux +* https://github.com/AngelGuyu/spirit ([#757](https://github.com/timb-machine/linux-malware/issues/757)) - Persistence, Defense Evasion, Spirit, Gwisin, Linux * https://bazaar.abuse.ch/browse/tag/blackcat/ ([#512](https://github.com/timb-machine/linux-malware/issues/512)) - Impact, https://github.com/timb-machine/linux-malware/issues/118, https://github.com/timb-machine/linux-malware/issues/109, https://github.com/timb-machine/linux-malware/issues/108, https://github.com/timb-machine/linux-malware/issues/107, https://github.com/timb-machine/linux-malware/issues/41, BlackCat, [/malware/binaries/BlackCat](../../tree/main/malware/binaries/BlackCat), Linux -* https://github.com/Caprico1/kinsing ([#454](https://github.com/timb-machine/linux-malware/issues/454)) - Persistence, Impact, KinSing, Linux +* https://github.com/hardenedvault/bootkit-samples ([#103](https://github.com/timb-machine/linux-malware/issues/103)) +* https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ ([#662](https://github.com/timb-machine/linux-malware/issues/662)) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, https://github.com/timb-machine/linux-malware/issues/661, SystemBC, [/malware/binaries/SystemBC](../../tree/main/malware/binaries/SystemBC), Linux +* https://bazaar.abuse.ch/browse/tag/elf/ ([#122](https://github.com/timb-machine/linux-malware/issues/122)) * https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection ([#126](https://github.com/timb-machine/linux-malware/issues/126)) - wltm -* https://github.com/tstromberg/malware-menagerie ([#795](https://github.com/timb-machine/linux-malware/issues/795)) - Impact, attack:T1496:Resource Hijacking, QubitStrike, StripedFly, Linux -* https://bazaar.abuse.ch/browse/signature/XorDDoS/ ([#129](https://github.com/timb-machine/linux-malware/issues/129)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, [/malware/binaries/Unix.Trojan.Xorddos](../../tree/main/malware/binaries/Unix.Trojan.Xorddos), [/malware/binaries/Unix.Malware.Xorddos](../../tree/main/malware/binaries/Unix.Malware.Xorddos), Linux +* https://samples.vx-underground.org/samples/Families/VermilionStrike/ ([#136](https://github.com/timb-machine/linux-malware/issues/136)) - CobaltStrike, VermilionStrike, [/malware/binaries/VermilionStrike](../../tree/main/malware/binaries/VermilionStrike) * https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection ([#420](https://github.com/timb-machine/linux-malware/issues/420)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, [/malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc](../../blob/main/malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc), Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris -* https://github.com/eset/malware-ioc/tree/master/kobalos ([#137](https://github.com/timb-machine/linux-malware/issues/137)) - Kobalos -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection ([#418](https://github.com/timb-machine/linux-malware/issues/418)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/419, https://github.com/timb-machine/linux-malware/issues/424, https://github.com/timb-machine/linux-malware/issues/425, https://github.com/timb-machine/linux-malware/issues/426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, [/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64](../../blob/main/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64), Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux -* https://bazaar.abuse.ch/browse/tag/Symbiote/ ([#460](https://github.com/timb-machine/linux-malware/issues/460)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, [/malware/binaries/Symbiote](../../tree/main/malware/binaries/Symbiote), Symbiote, Linux -* https://github.com/AngelGuyu/spirit ([#757](https://github.com/timb-machine/linux-malware/issues/757)) - Persistence, Defense Evasion, Spirit, Gwisin, Linux +* https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 ([#133](https://github.com/timb-machine/linux-malware/issues/133)) - WellMail, wltm, APT29 +* https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ ([#139](https://github.com/timb-machine/linux-malware/issues/139)) - Polaris, [/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64](../../blob/main/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64) +* https://samples.vx-underground.org/samples/Families/Fastcash/ ([#135](https://github.com/timb-machine/linux-malware/issues/135)) - Impact, FastCash, [/malware/binaries/FastCash](../../tree/main/malware/binaries/FastCash), https://github.com/timb-machine/linux-malware/issues/312, https://github.com/timb-machine/linux-malware/issues/815, https://github.com/timb-machine/linux-malware/issues/407, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ ([#129](https://github.com/timb-machine/linux-malware/issues/129)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, [/malware/binaries/Unix.Trojan.Xorddos](../../tree/main/malware/binaries/Unix.Trojan.Xorddos), [/malware/binaries/Unix.Malware.Xorddos](../../tree/main/malware/binaries/Unix.Malware.Xorddos), Linux +* https://bazaar.abuse.ch/browse/signature/Mirai/ ([#127](https://github.com/timb-machine/linux-malware/issues/127)) - Mirai, [/malware/binaries/Unix.Exploit.Mirai](../../tree/main/malware/binaries/Unix.Exploit.Mirai), [/malware/binaries/Unix.Dropper.Mirai](../../tree/main/malware/binaries/Unix.Dropper.Mirai), [/malware/binaries/Unix.Trojan.Mirai](../../tree/main/malware/binaries/Unix.Trojan.Mirai) +* https://samples.vx-underground.org/APTs/2021/2021.10.11/ ([#409](https://github.com/timb-machine/linux-malware/issues/409)) - FontOnLake, [/malware/binaries/FontOnLake](../../tree/main/malware/binaries/FontOnLake), Linux +* https://github.com/MalwareSamples/Linux-Malware-Samples ([#123](https://github.com/timb-machine/linux-malware/issues/123)) +* https://tria.ge/s?q=tag%3alinux ([#121](https://github.com/timb-machine/linux-malware/issues/121)) +* https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ ([#140](https://github.com/timb-machine/linux-malware/issues/140)) - SoWaT, [/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips](../../blob/main/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips), APT31, Zirconium +* https://samples.vx-underground.org/APTs/2020/2020.11.02/ ([#134](https://github.com/timb-machine/linux-malware/issues/134)) - [/malware/binaries/UNC1945](../../tree/main/malware/binaries/UNC1945), LightBasin, UNC1945, Solaris +* https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection ([#131](https://github.com/timb-machine/linux-malware/issues/131)) - SoWaT, [/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips](../../blob/main/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips), APT31, Zirconium +* https://github.com/tstromberg/malware-menagerie ([#795](https://github.com/timb-machine/linux-malware/issues/795)) - Impact, attack:T1496:Resource Hijacking, QubitStrike, StripedFly, Linux #### Malware source -* https://github.com/0x27/linux.mirai ([#142](https://github.com/timb-machine/linux-malware/issues/142)) - Mirai -* https://github.com/chokepoint/Jynx2 ([#531](https://github.com/timb-machine/linux-malware/issues/531)) - Persistence, Defense Evasion, Linux -* https://github.com/gianlucaborello/libprocesshider ([#776](https://github.com/timb-machine/linux-malware/issues/776)) - Defense Evasion, uses:ProcessTreeSpoofing, attack:T1574.006:Dynamic Linker Hijacking, libprocesshider, Linux +* https://pastebin.com/raw/kmmJuuQP ([#426](https://github.com/timb-machine/linux-malware/issues/426)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux +* https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html ([#706](https://github.com/timb-machine/linux-malware/issues/706)) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX +* https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux ([#143](https://github.com/timb-machine/linux-malware/issues/143)) +* https://github.com/arialdomartini/morris-worm ([#694](https://github.com/timb-machine/linux-malware/issues/694)) - Initial Access, Execution, Discovery, Lateral Movement +* https://github.com/chenkaie/junkcode/blob/master/xhide.c ([#775](https://github.com/timb-machine/linux-malware/issues/775)) - Defense Evasion, uses:ProcessTreeSpoofing, XHide, Linux * https://github.com/Kabot/mig-logcleaner-resurrected ([#154](https://github.com/timb-machine/linux-malware/issues/154)) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD -* https://github.com/HeapAllocate/sterben ([#150](https://github.com/timb-machine/linux-malware/issues/150)) - sterben -* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc ([#711](https://github.com/timb-machine/linux-malware/issues/711)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/724, https://github.com/timb-machine/linux-malware/issues/814, Linux -* https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c ([#147](https://github.com/timb-machine/linux-malware/issues/147)) - pscan (similar code to luckscan) -* https://pastebin.com/jkndLHQf ([#145](https://github.com/timb-machine/linux-malware/issues/145)) - FinFisher -* https://github.com/0x27/sebd-0.2 ([#148](https://github.com/timb-machine/linux-malware/issues/148)) - sebd 0.2 source code (a fix of 0.1) * https://pastebin.com/kmmJuuQP ([#802](https://github.com/timb-machine/linux-malware/issues/802)) - Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, uses:ProcessTreeSpoofing, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, Linux +* https://pastebin.com/jkndLHQf ([#145](https://github.com/timb-machine/linux-malware/issues/145)) - FinFisher * https://gitlab.com/rav7teif/linux.wifatch ([#144](https://github.com/timb-machine/linux-malware/issues/144)) - Initial Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch -* https://github.com/shadow1ng/fscan ([#564](https://github.com/timb-machine/linux-malware/issues/564)) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, [/malware/binaries/Alchimist/UPX/fscan](../../tree/main/malware/binaries/Alchimist/UPX/fscan), Linux +* https://github.com/chokepoint/Jynx2 ([#531](https://github.com/timb-machine/linux-malware/issues/531)) - Persistence, Defense Evasion, Linux +* https://github.com/0x27/sebd-0.2 ([#148](https://github.com/timb-machine/linux-malware/issues/148)) - sebd 0.2 source code (a fix of 0.1) +* https://github.com/gianlucaborello/libprocesshider ([#776](https://github.com/timb-machine/linux-malware/issues/776)) - Defense Evasion, uses:ProcessTreeSpoofing, attack:T1574.006:Dynamic Linker Hijacking, libprocesshider, Linux +* https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c ([#147](https://github.com/timb-machine/linux-malware/issues/147)) - pscan (similar code to luckscan) +* https://github.com/0x27/linux.mirai ([#142](https://github.com/timb-machine/linux-malware/issues/142)) - Mirai +* http://www.afn.org/~afn28925/wipe.c ([#153](https://github.com/timb-machine/linux-malware/issues/153)) - UNC2891 * https://packetstormsecurity.com/files/23336/Slx2k001.txt.html ([#152](https://github.com/timb-machine/linux-malware/issues/152)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891 +* https://github.com/shadow1ng/fscan ([#564](https://github.com/timb-machine/linux-malware/issues/564)) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, [/malware/binaries/Alchimist/UPX/fscan](../../tree/main/malware/binaries/Alchimist/UPX/fscan), Linux * https://github.com/isdrupter/ziggystartux ([#701](https://github.com/timb-machine/linux-malware/issues/701)) - Impact, Linux -* https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux ([#143](https://github.com/timb-machine/linux-malware/issues/143)) -* https://github.com/arialdomartini/morris-worm ([#694](https://github.com/timb-machine/linux-malware/issues/694)) - Initial Access, Execution, Discovery, Lateral Movement -* http://www.afn.org/~afn28925/wipe.c ([#153](https://github.com/timb-machine/linux-malware/issues/153)) - UNC2891 -* https://pastebin.com/raw/kmmJuuQP ([#426](https://github.com/timb-machine/linux-malware/issues/426)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux -* https://github.com/chenkaie/junkcode/blob/master/xhide.c ([#775](https://github.com/timb-machine/linux-malware/issues/775)) - Defense Evasion, uses:ProcessTreeSpoofing, XHide, Linux * https://github.com/NexusBots/Umbreon-Rootkit ([#149](https://github.com/timb-machine/linux-malware/issues/149)) - Umbreon Rootkit -* https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html ([#706](https://github.com/timb-machine/linux-malware/issues/706)) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX - -### Malware PoCs +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc ([#711](https://github.com/timb-machine/linux-malware/issues/711)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/724, https://github.com/timb-machine/linux-malware/issues/814, Linux +* https://github.com/HeapAllocate/sterben ([#150](https://github.com/timb-machine/linux-malware/issues/150)) - sterben -* https://github.com/chokepoint/azazel ([#191](https://github.com/timb-machine/linux-malware/issues/191)) -* https://github.com/h3xduck/TripleCross ([#465](https://github.com/timb-machine/linux-malware/issues/465)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux -* https://www.guitmz.com/linux-nasty-elf-virus/ ([#642](https://github.com/timb-machine/linux-malware/issues/642)) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux -* https://github.com/elfmaster/saruman ([#220](https://github.com/timb-machine/linux-malware/issues/220)) -* https://github.com/guitmz/midrashim ([#664](https://github.com/timb-machine/linux-malware/issues/664)) - Persistence, attack:T1577:Compromise Application Executable, Linux -* https://packetstormsecurity.com/files/22121/cd00r.c.html ([#597](https://github.com/timb-machine/linux-malware/issues/597)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux +### Malware PoCs + +* https://github.com/timb-machine-mirrors/phath0m-JadedWraith ([#165](https://github.com/timb-machine/linux-malware/issues/165)) +* https://github.com/mufeedvh/moonwalk ([#208](https://github.com/timb-machine/linux-malware/issues/208)) * https://github.com/m1m1x/memdlopen ([#175](https://github.com/timb-machine/linux-malware/issues/175)) - Defense Evasion, attack:T1620:Reflective Code Loading -* https://github.com/QuokkaLight/rkduck ([#667](https://github.com/timb-machine/linux-malware/issues/667)) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux -* https://github.com/tarcisio-marinho/GonnaCry ([#486](https://github.com/timb-machine/linux-malware/issues/486)) - Impact, Linux -* https://github.com/io-tl/degu-lib ([#413](https://github.com/timb-machine/linux-malware/issues/413)) - Linux -* https://github.com/citronneur/pamspy ([#466](https://github.com/timb-machine/linux-malware/issues/466)) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux -* https://github.com/jermeyyy/rooty ([#440](https://github.com/timb-machine/linux-malware/issues/440)) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing -* https://github.com/timb-machine-mirrors/ripmeep-memory-injector ([#160](https://github.com/timb-machine/linux-malware/issues/160)) -* https://github.com/stealth/devpops ([#192](https://github.com/timb-machine/linux-malware/issues/192)) - DevPops by stealth (not really malicious, has guard rails) -* https://github.com/alexander-pick/apinject ([#608](https://github.com/timb-machine/linux-malware/issues/608)) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux +* https://github.com/elfmaster/saruman ([#220](https://github.com/timb-machine/linux-malware/issues/220)) +* https://github.com/airman604/jdbc-backdoor ([#607](https://github.com/timb-machine/linux-malware/issues/607)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services * https://github.com/ixty/mandibule ([#170](https://github.com/timb-machine/linux-malware/issues/170)) -* https://github.com/compilepeace/KAAL_BHAIRAV ([#202](https://github.com/timb-machine/linux-malware/issues/202)) -* https://github.com/mufeedvh/moonwalk ([#208](https://github.com/timb-machine/linux-malware/issues/208)) -* https://github.com/elfmaster/dt_infect ([#219](https://github.com/timb-machine/linux-malware/issues/219)) -* https://github.com/guitmz/go-liora ([#663](https://github.com/timb-machine/linux-malware/issues/663)) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux -* https://github.com/croemheld/lkm-rootkit ([#628](https://github.com/timb-machine/linux-malware/issues/628)) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux +* https://github.com/therealdreg/enyelkm ([#456](https://github.com/timb-machine/linux-malware/issues/456)) - Persistence, Defense Evasion, Linux +* https://github.com/trustedsec/ELFLoader ([#416](https://github.com/timb-machine/linux-malware/issues/416)) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing +* https://github.com/toffan/binfmt_misc ([#431](https://github.com/timb-machine/linux-malware/issues/431)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing +* https://github.com/nurupo/rootkit ([#172](https://github.com/timb-machine/linux-malware/issues/172)) +* https://github.com/elfmaster/kprobe_rootkit ([#223](https://github.com/timb-machine/linux-malware/issues/223)) +* https://github.com/reveng007/reveng_rtkit ([#669](https://github.com/timb-machine/linux-malware/issues/669)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux +* https://github.com/SafeBreach-Labs/backdoros ([#213](https://github.com/timb-machine/linux-malware/issues/213)) +* https://github.com/codewhitesec/daphne ([#740](https://github.com/timb-machine/linux-malware/issues/740)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux +* https://github.com/yaoyumeng/adore-ng ([#458](https://github.com/timb-machine/linux-malware/issues/458)) - Persistence, Defense Evasion, Linux +* https://github.com/aviat/passe-partout ([#704](https://github.com/timb-machine/linux-malware/issues/704)) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX +* https://github.com/jermeyyy/rooty ([#440](https://github.com/timb-machine/linux-malware/issues/440)) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing +* https://github.com/blendin/3snake ([#189](https://github.com/timb-machine/linux-malware/issues/189)) +* https://github.com/vfsfitvnm/intruducer ([#209](https://github.com/timb-machine/linux-malware/issues/209)) +* https://github.com/gaffe23/linux-inject ([#210](https://github.com/timb-machine/linux-malware/issues/210)) +* https://github.com/fbkcs/msf-elf-in-memory-execution ([#203](https://github.com/timb-machine/linux-malware/issues/203)) +* https://github.com/R3tr074/brokepkg ([#777](https://github.com/timb-machine/linux-malware/issues/777)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:PortHiding, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic Signaling, BrokePkg, Linux +* https://github.com/MegaManSec/SSH-Snake ([#791](https://github.com/timb-machine/linux-malware/issues/791)) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services +* https://github.com/arget13/DDexec ([#222](https://github.com/timb-machine/linux-malware/issues/222)) * https://github.com/roddux/santa ([#207](https://github.com/timb-machine/linux-malware/issues/207)) +* https://github.com/compilepeace/KAAL_BHAIRAV ([#202](https://github.com/timb-machine/linux-malware/issues/202)) +* https://github.com/X-C3LL/memdlopen-lib ([#605](https://github.com/timb-machine/linux-malware/issues/605)) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux +* https://github.com/mncoppola/suterusu ([#491](https://github.com/timb-machine/linux-malware/issues/491)) - Persistence, Defense Evasion, wltm, Linux +* https://github.com/h3xduck/TripleCross ([#465](https://github.com/timb-machine/linux-malware/issues/465)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux +* https://github.com/guitmz/midrashim ([#664](https://github.com/timb-machine/linux-malware/issues/664)) - Persistence, attack:T1577:Compromise Application Executable, Linux * https://github.com/wunderwuzzi23/Offensive-BPF ([#469](https://github.com/timb-machine/linux-malware/issues/469)) - Credential Access, attack:T1205.002:Socket Filters, Linux -* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ ([#739](https://github.com/timb-machine/linux-malware/issues/739)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, https://github.com/timb-machine/linux-malware/issues/734, https://github.com/timb-machine/linux-malware/issues/740, Linux -* https://github.com/Gui774ume/ebpfkit ([#151](https://github.com/timb-machine/linux-malware/issues/151)) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux -* https://github.com/jtripper/parasite ([#169](https://github.com/timb-machine/linux-malware/issues/169)) -* https://github.com/liamg/memit ([#200](https://github.com/timb-machine/linux-malware/issues/200)) -* https://github.com/fbkcs/msf-elf-in-memory-execution ([#203](https://github.com/timb-machine/linux-malware/issues/203)) * https://github.com/SilentVoid13/Silent_Packer ([#783](https://github.com/timb-machine/linux-malware/issues/783)) - Defense Evasion, attack:T1027.002:Software Packing, Linux -* https://github.com/schrodyn/bad_UDP ([#453](https://github.com/timb-machine/linux-malware/issues/453)) - Linux +* https://github.com/zephrax/linux-pam-backdoor ([#181](https://github.com/timb-machine/linux-malware/issues/181)) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux +* https://github.com/chokepoint/azazel ([#191](https://github.com/timb-machine/linux-malware/issues/191)) +* https://packetstormsecurity.com/files/author/3859/ ([#553](https://github.com/timb-machine/linux-malware/issues/553)) - Persistence, Defense Evasion, uses:DTrace, SInAR, [/malware/pocs/SInAR](../../tree/main/malware/pocs/SInAR), Archim, Solaris, Internal specialist services, Device application sandboxing +* https://github.com/guitmz/go-liora ([#663](https://github.com/timb-machine/linux-malware/issues/663)) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux +* https://github.com/stealth/devpops ([#192](https://github.com/timb-machine/linux-malware/issues/192)) - DevPops by stealth (not really malicious, has guard rails) * https://github.com/timb-machine-mirrors/sar5430-coolkid ([#629](https://github.com/timb-machine/linux-malware/issues/629)) - Persistence, Defense Evasion, Linux -* https://github.com/elfmaster/skeksi_virus ([#224](https://github.com/timb-machine/linux-malware/issues/224)) +* https://packetstormsecurity.com/files/22121/cd00r.c.html ([#597](https://github.com/timb-machine/linux-malware/issues/597)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux +* https://github.com/elfmaster/dt_infect ([#219](https://github.com/timb-machine/linux-malware/issues/219)) * https://github.com/f0rb1dd3n/Reptile ([#171](https://github.com/timb-machine/linux-malware/issues/171)) -* https://github.com/X-C3LL/memdlopen-lib ([#605](https://github.com/timb-machine/linux-malware/issues/605)) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux -* https://github.com/codewhitesec/daphne ([#740](https://github.com/timb-machine/linux-malware/issues/740)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux -* https://github.com/sad0p/d0zer ([#782](https://github.com/timb-machine/linux-malware/issues/782)) - Execution, Persistence, uses:Go, attack:T1625:Hijack Execution Flow, attack:T1204:Malicious File, Linux -* https://github.com/yaoyumeng/adore-ng ([#458](https://github.com/timb-machine/linux-malware/issues/458)) - Persistence, Defense Evasion, Linux -* https://github.com/elfmaster/kprobe_rootkit ([#223](https://github.com/timb-machine/linux-malware/issues/223)) -* https://github.com/R3tr074/brokepkg ([#777](https://github.com/timb-machine/linux-malware/issues/777)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:PortHiding, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic Signaling, BrokePkg, Linux -* https://github.com/nnsee/fileless-elf-exec ([#193](https://github.com/timb-machine/linux-malware/issues/193)) - Defense Evasion, attack:T1620:Reflective Code Loading -* https://github.com/Eterna1/puszek-rootkit ([#670](https://github.com/timb-machine/linux-malware/issues/670)) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux -* https://github.com/elfmaster/linker_preloading_virus ([#211](https://github.com/timb-machine/linux-malware/issues/211)) +* https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 ([#198](https://github.com/timb-machine/linux-malware/issues/198)) * https://hckng.org/articles/perljam-elf64-virus.html ([#735](https://github.com/timb-machine/linux-malware/issues/735)) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX -* https://github.com/timb-machine-mirrors/phath0m-JadedWraith ([#165](https://github.com/timb-machine/linux-malware/issues/165)) -* https://github.com/arget13/DDexec ([#222](https://github.com/timb-machine/linux-malware/issues/222)) +* https://github.com/Gui774ume/ebpfkit ([#151](https://github.com/timb-machine/linux-malware/issues/151)) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux * https://github.com/noptrix/fbkit ([#684](https://github.com/timb-machine/linux-malware/issues/684)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD -* https://github.com/airman604/jdbc-backdoor ([#607](https://github.com/timb-machine/linux-malware/issues/607)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services -* https://github.com/blendin/3snake ([#189](https://github.com/timb-machine/linux-malware/issues/189)) +* https://github.com/ONsec-Lab/scripts/tree/master/pam_steal ([#195](https://github.com/timb-machine/linux-malware/issues/195)) +* https://github.com/mempodippy/vlany ([#174](https://github.com/timb-machine/linux-malware/issues/174)) +* https://github.com/sad0p/d0zer ([#782](https://github.com/timb-machine/linux-malware/issues/782)) - Execution, Persistence, uses:Go, attack:T1625:Hijack Execution Flow, attack:T1204:Malicious File, Linux * https://github.com/codewhitesec/apollon ([#734](https://github.com/timb-machine/linux-malware/issues/734)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux -* https://github.com/0x1CA3/parasite ([#201](https://github.com/timb-machine/linux-malware/issues/201)) - wltm -* https://github.com/nurupo/rootkit ([#172](https://github.com/timb-machine/linux-malware/issues/172)) -* https://github.com/reveng007/reveng_rtkit ([#669](https://github.com/timb-machine/linux-malware/issues/669)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux -* https://github.com/vfsfitvnm/intruducer ([#209](https://github.com/timb-machine/linux-malware/issues/209)) -* https://github.com/mav8557/Father ([#606](https://github.com/timb-machine/linux-malware/issues/606)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux -* https://github.com/m0nad/Diamorphine ([#217](https://github.com/timb-machine/linux-malware/issues/217)) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Diamorphine, Linux * https://github.com/EvelynSubarrow/IridiumScorpion ([#183](https://github.com/timb-machine/linux-malware/issues/183)) -* https://github.com/trustedsec/ELFLoader ([#416](https://github.com/timb-machine/linux-malware/issues/416)) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing -* https://github.com/kris-nova/boopkit ([#221](https://github.com/timb-machine/linux-malware/issues/221)) +* https://github.com/nnsee/fileless-elf-exec ([#193](https://github.com/timb-machine/linux-malware/issues/193)) - Defense Evasion, attack:T1620:Reflective Code Loading +* https://github.com/mav8557/Father ([#606](https://github.com/timb-machine/linux-malware/issues/606)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux +* https://github.com/Eterna1/puszek-rootkit ([#670](https://github.com/timb-machine/linux-malware/issues/670)) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux +* https://github.com/timb-machine-mirrors/ripmeep-memory-injector ([#160](https://github.com/timb-machine/linux-malware/issues/160)) +* https://www.guitmz.com/linux-nasty-elf-virus/ ([#642](https://github.com/timb-machine/linux-malware/issues/642)) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux +* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ ([#739](https://github.com/timb-machine/linux-malware/issues/739)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, https://github.com/timb-machine/linux-malware/issues/734, https://github.com/timb-machine/linux-malware/issues/740, Linux * https://github.com/h3xduck/Umbra ([#668](https://github.com/timb-machine/linux-malware/issues/668)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux -* https://github.com/EvelynSubarrow/BismuthScorpion ([#182](https://github.com/timb-machine/linux-malware/issues/182)) -* https://github.com/zephrax/linux-pam-backdoor ([#181](https://github.com/timb-machine/linux-malware/issues/181)) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux -* https://github.com/therealdreg/enyelkm ([#456](https://github.com/timb-machine/linux-malware/issues/456)) - Persistence, Defense Evasion, Linux -* https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 ([#198](https://github.com/timb-machine/linux-malware/issues/198)) -* https://github.com/toffan/binfmt_misc ([#431](https://github.com/timb-machine/linux-malware/issues/431)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing -* https://packetstormsecurity.com/files/author/3859/ ([#553](https://github.com/timb-machine/linux-malware/issues/553)) - Persistence, Defense Evasion, uses:DTrace, SInAR, [/malware/pocs/SInAR](../../tree/main/malware/pocs/SInAR), Archim, Solaris, Internal specialist services, Device application sandboxing -* https://github.com/aviat/passe-partout ([#704](https://github.com/timb-machine/linux-malware/issues/704)) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX -* https://github.com/SafeBreach-Labs/backdoros ([#213](https://github.com/timb-machine/linux-malware/issues/213)) -* https://github.com/mncoppola/suterusu ([#491](https://github.com/timb-machine/linux-malware/issues/491)) - Persistence, Defense Evasion, wltm, Linux +* https://github.com/croemheld/lkm-rootkit ([#628](https://github.com/timb-machine/linux-malware/issues/628)) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux * https://github.com/rek7/fireELF ([#159](https://github.com/timb-machine/linux-malware/issues/159)) -* https://github.com/gaffe23/linux-inject ([#210](https://github.com/timb-machine/linux-malware/issues/210)) -* https://github.com/ONsec-Lab/scripts/tree/master/pam_steal ([#195](https://github.com/timb-machine/linux-malware/issues/195)) -* https://github.com/mempodippy/vlany ([#174](https://github.com/timb-machine/linux-malware/issues/174)) -* https://github.com/MegaManSec/SSH-Snake ([#791](https://github.com/timb-machine/linux-malware/issues/791)) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services +* https://github.com/schrodyn/bad_UDP ([#453](https://github.com/timb-machine/linux-malware/issues/453)) - Linux +* https://github.com/QuokkaLight/rkduck ([#667](https://github.com/timb-machine/linux-malware/issues/667)) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux +* https://github.com/citronneur/pamspy ([#466](https://github.com/timb-machine/linux-malware/issues/466)) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux +* https://github.com/EvelynSubarrow/BismuthScorpion ([#182](https://github.com/timb-machine/linux-malware/issues/182)) +* https://github.com/liamg/memit ([#200](https://github.com/timb-machine/linux-malware/issues/200)) +* https://github.com/io-tl/degu-lib ([#413](https://github.com/timb-machine/linux-malware/issues/413)) - Linux +* https://github.com/elfmaster/linker_preloading_virus ([#211](https://github.com/timb-machine/linux-malware/issues/211)) +* https://github.com/0x1CA3/parasite ([#201](https://github.com/timb-machine/linux-malware/issues/201)) - wltm +* https://github.com/kris-nova/boopkit ([#221](https://github.com/timb-machine/linux-malware/issues/221)) +* https://github.com/tarcisio-marinho/GonnaCry ([#486](https://github.com/timb-machine/linux-malware/issues/486)) - Impact, Linux +* https://github.com/jtripper/parasite ([#169](https://github.com/timb-machine/linux-malware/issues/169)) +* https://github.com/alexander-pick/apinject ([#608](https://github.com/timb-machine/linux-malware/issues/608)) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux +* https://github.com/m0nad/Diamorphine ([#217](https://github.com/timb-machine/linux-malware/issues/217)) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Diamorphine, Linux +* https://github.com/elfmaster/skeksi_virus ([#224](https://github.com/timb-machine/linux-malware/issues/224)) ## Offensive research @@ -564,270 +564,270 @@ Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but inte ### Offensive tools -* https://github.com/milabs/khook ([#212](https://github.com/timb-machine/linux-malware/issues/212)) -* https://github.com/rebootuser/LinEnum ([#158](https://github.com/timb-machine/linux-malware/issues/158)) -* https://github.com/io-tl/Mara ([#487](https://github.com/timb-machine/linux-malware/issues/487)) - Linux -* https://github.com/Frissi0n/GTFONow ([#771](https://github.com/timb-machine/linux-malware/issues/771)) - Privilege Escalation, attack:T1548:Abuse Elevation Control Mechanism, Linux -* https://github.com/JonathonReinhart/nosecmem ([#180](https://github.com/timb-machine/linux-malware/issues/180)) -* https://github.com/pmorjan/kmod ([#654](https://github.com/timb-machine/linux-malware/issues/654)) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux -* https://github.com/redcode-labs/Bashark ([#168](https://github.com/timb-machine/linux-malware/issues/168)) -* https://github.com/elfmaster/maya ([#504](https://github.com/timb-machine/linux-malware/issues/504)) - Defense Evasion, Linux, Device application sandboxing -* https://github.com/willshiao/node-bash-obfuscate ([#190](https://github.com/timb-machine/linux-malware/issues/190)) -* https://github.com/fireeye/SSSDKCMExtractor ([#520](https://github.com/timb-machine/linux-malware/issues/520)) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance -* https://github.com/DavidBuchanan314/dlinject ([#485](https://github.com/timb-machine/linux-malware/issues/485)) - Linux -* https://github.com/vbpf/ebpf-samples ([#215](https://github.com/timb-machine/linux-malware/issues/215)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing -* https://github.com/DeimosC2/DeimosC2 ([#652](https://github.com/timb-machine/linux-malware/issues/652)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux -* https://github.com/mnagel/gnome-keyring-dumper ([#186](https://github.com/timb-machine/linux-malware/issues/186)) -* https://github.com/TarlogicSecurity/tickey ([#184](https://github.com/timb-machine/linux-malware/issues/184)) -* https://github.com/NixOS/patchelf ([#443](https://github.com/timb-machine/linux-malware/issues/443)) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing -* https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux ([#173](https://github.com/timb-machine/linux-malware/issues/173)) -* https://github.com/89luca89/pakkero ([#718](https://github.com/timb-machine/linux-malware/issues/718)) - Defense Evasion, attack:T1027.002:Software Packing, Linux * https://github.com/dsnezhkov/zombieant ([#793](https://github.com/timb-machine/linux-malware/issues/793)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1562:Impair Defenses, attack:T1574.006:Dynamic Linker Hijacking, Linux -* https://github.com/pathtofile/bad-bpf ([#205](https://github.com/timb-machine/linux-malware/issues/205)) - uses:BPF -* https://github.com/netifera/netifera ([#194](https://github.com/timb-machine/linux-malware/issues/194)) -* https://github.com/AlessandroZ/LaZagne ([#155](https://github.com/timb-machine/linux-malware/issues/155)) -* https://github.com/ropnop/kerbrute ([#176](https://github.com/timb-machine/linux-malware/issues/176)) -* https://github.com/ropnop/windapsearch ([#177](https://github.com/timb-machine/linux-malware/issues/177)) -* https://github.com/DavidBuchanan314/stelf-loader ([#738](https://github.com/timb-machine/linux-malware/issues/738)) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux -* https://github.com/liamg/traitor ([#687](https://github.com/timb-machine/linux-malware/issues/687)) - Privilege Escalation, Linux * https://github.com/Idov31/Sandman ([#582](https://github.com/timb-machine/linux-malware/issues/582)) - Persistence, Command and Control, Linux -* https://github.com/stealth/injectso ([#589](https://github.com/timb-machine/linux-malware/issues/589)) - Defense Evasion, Linux -* https://gtfobins.github.io/ ([#179](https://github.com/timb-machine/linux-malware/issues/179)) -* https://github.com/nicocha30/ligolo-ng ([#699](https://github.com/timb-machine/linux-malware/issues/699)) - Command and Control, Exfiltration, Linux -* https://github.com/controlplaneio/truffleproc ([#537](https://github.com/timb-machine/linux-malware/issues/537)) - Privilege Escalation, Credential Access, Linux -* https://github.com/CiscoCXSecurity/enum4linux ([#178](https://github.com/timb-machine/linux-malware/issues/178)) -* https://github.com/creaktive/tsh ([#481](https://github.com/timb-machine/linux-malware/issues/481)) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux -* https://github.com/namazso/linux_injector ([#599](https://github.com/timb-machine/linux-malware/issues/599)) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux * https://github.com/SkyperTHC/bpf-keylogger ([#781](https://github.com/timb-machine/linux-malware/issues/781)) - Credential Access, Collection, uses:eBPF, attack:T1417.001:Keylogging, Linux -* https://github.com/huntergregal/mimipenguin ([#185](https://github.com/timb-machine/linux-malware/issues/185)) -* https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz ([#146](https://github.com/timb-machine/linux-malware/issues/146)) - Reconnaissance, pscan (similar code to luckscan) +* https://github.com/liamg/traitor ([#687](https://github.com/timb-machine/linux-malware/issues/687)) - Privilege Escalation, Linux +* https://github.com/aojea/netkat ([#464](https://github.com/timb-machine/linux-malware/issues/464)) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux +* https://github.com/airbus-seclab/nbutools ([#689](https://github.com/timb-machine/linux-malware/issues/689)) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services +* https://github.com/FiloSottile/age ([#166](https://github.com/timb-machine/linux-malware/issues/166)) +* https://github.com/namazso/linux_injector ([#599](https://github.com/timb-machine/linux-malware/issues/599)) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux * https://github.com/sosdave/KeyTabExtract ([#206](https://github.com/timb-machine/linux-malware/issues/206)) -* https://github.com/TH3xACE/SUDO_KILLER ([#162](https://github.com/timb-machine/linux-malware/issues/162)) - Privilege Escalation -* https://github.com/ciscocxsecurity/unix-privesc-check ([#157](https://github.com/timb-machine/linux-malware/issues/157)) - Privilege Escalation +* https://github.com/CiscoCXSecurity/linikatz ([#156](https://github.com/timb-machine/linux-malware/issues/156)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, https://github.com/timb-machine/linux-malware/issues/141 +* https://github.com/liamg/siphon ([#576](https://github.com/timb-machine/linux-malware/issues/576)) - Discovery, Collection, Linux +* https://github.com/zMarch/Orc ([#161](https://github.com/timb-machine/linux-malware/issues/161)) +* https://github.com/CiscoCXSecurity/enum4linux ([#178](https://github.com/timb-machine/linux-malware/issues/178)) +* https://github.com/huntergregal/mimipenguin ([#185](https://github.com/timb-machine/linux-malware/issues/185)) +* https://github.com/NixOS/patchelf ([#443](https://github.com/timb-machine/linux-malware/issues/443)) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing +* https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux ([#173](https://github.com/timb-machine/linux-malware/issues/173)) +* https://github.com/t3l3machus/Villain ([#591](https://github.com/timb-machine/linux-malware/issues/591)) - Command and Control, Linux +* https://github.com/controlplaneio/truffleproc ([#537](https://github.com/timb-machine/linux-malware/issues/537)) - Privilege Escalation, Credential Access, Linux +* https://github.com/eeriedusk/nysm ([#761](https://github.com/timb-machine/linux-malware/issues/761)) - Persistence, Linux * https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ ([#585](https://github.com/timb-machine/linux-malware/issues/585)) - Execution, Persistence, Linux, Cloud hosted services -* https://github.com/sevagas/swap_digger ([#515](https://github.com/timb-machine/linux-malware/issues/515)) - Credential Access, Linux -* https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ ([#188](https://github.com/timb-machine/linux-malware/issues/188)) +* https://github.com/DavidBuchanan314/dlinject ([#485](https://github.com/timb-machine/linux-malware/issues/485)) - Linux +* https://github.com/Frissi0n/GTFONow ([#771](https://github.com/timb-machine/linux-malware/issues/771)) - Privilege Escalation, attack:T1548:Abuse Elevation Control Mechanism, Linux +* https://github.com/io-tl/Mara ([#487](https://github.com/timb-machine/linux-malware/issues/487)) - Linux +* https://github.com/NetDirect/nfsshell ([#164](https://github.com/timb-machine/linux-malware/issues/164)) +* https://github.com/stealth/injectso ([#589](https://github.com/timb-machine/linux-malware/issues/589)) - Defense Evasion, Linux +* https://github.com/Ne0nd0g/merlin ([#545](https://github.com/timb-machine/linux-malware/issues/545)) - Command and Control, Exfiltration, uses:Go, Merlin, Linux * https://github.com/blacklanternsecurity/KCMTicketFormatter ([#519](https://github.com/timb-machine/linux-malware/issues/519)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance +* https://github.com/DeimosC2/DeimosC2 ([#652](https://github.com/timb-machine/linux-malware/issues/652)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux +* https://chromium.googlesource.com/linux-syscall-support/ ([#533](https://github.com/timb-machine/linux-malware/issues/533)) - Linux +* https://github.com/hackerschoice/ssh-key-backdoor ([#672](https://github.com/timb-machine/linux-malware/issues/672)) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://github.com/TH3xACE/SUDO_KILLER ([#162](https://github.com/timb-machine/linux-malware/issues/162)) - Privilege Escalation +* https://github.com/TarlogicSecurity/tickey ([#184](https://github.com/timb-machine/linux-malware/issues/184)) +* https://github.com/milabs/khook ([#212](https://github.com/timb-machine/linux-malware/issues/212)) +* https://github.com/IvanGlinkin/AutoSUID ([#204](https://github.com/timb-machine/linux-malware/issues/204)) +* https://github.com/pmorjan/kmod ([#654](https://github.com/timb-machine/linux-malware/issues/654)) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux +* https://github.com/ciscocxsecurity/unix-privesc-check ([#157](https://github.com/timb-machine/linux-malware/issues/157)) - Privilege Escalation +* https://github.com/vbpf/ebpf-samples ([#215](https://github.com/timb-machine/linux-malware/issues/215)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing +* https://github.com/willshiao/node-bash-obfuscate ([#190](https://github.com/timb-machine/linux-malware/issues/190)) * https://github.com/anko/xkbcat ([#691](https://github.com/timb-machine/linux-malware/issues/691)) - Credential Access, Collection, attack:T1056.001:Keylogging, Linux, AIX, Solaris, HP-UX, Consumer, Internal enterprise services -* https://github.com/grisuno/LazyOwn ([#812](https://github.com/timb-machine/linux-malware/issues/812)) - Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Discovery, Collection, Command and Control, Linux -* https://github.com/akawashiro/sloader ([#521](https://github.com/timb-machine/linux-malware/issues/521)) - Defense Evasion, Linux * https://github.com/timb-machine-mirrors/CoolerVoid-casper-fs ([#216](https://github.com/timb-machine/linux-malware/issues/216)) -* https://chromium.googlesource.com/linux-syscall-support/ ([#533](https://github.com/timb-machine/linux-malware/issues/533)) - Linux -* https://github.com/CiscoCXSecurity/linikatz ([#156](https://github.com/timb-machine/linux-malware/issues/156)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, https://github.com/timb-machine/linux-malware/issues/141 -* https://github.com/metac0rtex/SSH-Key-Brute-Forcer ([#489](https://github.com/timb-machine/linux-malware/issues/489)) - Initial Access, Lateral Movement, Linux, Enclave deployment +* https://github.com/naksyn/Pyramid ([#630](https://github.com/timb-machine/linux-malware/issues/630)) - Persistence, Command and Control, Linux +* https://github.com/rebootuser/LinEnum ([#158](https://github.com/timb-machine/linux-malware/issues/158)) +* https://github.com/sevagas/swap_digger ([#515](https://github.com/timb-machine/linux-malware/issues/515)) - Credential Access, Linux * https://github.com/oldboy21/LDAP-Password-Hunter ([#167](https://github.com/timb-machine/linux-malware/issues/167)) -* https://github.com/DavidBuchanan314/monomorph ([#534](https://github.com/timb-machine/linux-malware/issues/534)) - Defense Evasion, Linux -* https://github.com/aojea/netkat ([#464](https://github.com/timb-machine/linux-malware/issues/464)) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux +* https://gtfobins.github.io/ ([#179](https://github.com/timb-machine/linux-malware/issues/179)) +* https://github.com/AlessandroZ/LaZagne ([#155](https://github.com/timb-machine/linux-malware/issues/155)) +* https://github.com/grisuno/LazyOwn ([#812](https://github.com/timb-machine/linux-malware/issues/812)) - Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Discovery, Collection, Command and Control, Linux +* https://github.com/elfmaster/maya ([#504](https://github.com/timb-machine/linux-malware/issues/504)) - Defense Evasion, Linux, Device application sandboxing +* https://github.com/nicocha30/ligolo-ng ([#699](https://github.com/timb-machine/linux-malware/issues/699)) - Command and Control, Exfiltration, Linux +* https://github.com/guitmz/memrun ([#592](https://github.com/timb-machine/linux-malware/issues/592)) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux +* https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz ([#146](https://github.com/timb-machine/linux-malware/issues/146)) - Reconnaissance, pscan (similar code to luckscan) +* https://github.com/ropnop/kerbrute ([#176](https://github.com/timb-machine/linux-malware/issues/176)) +* https://github.com/ropnop/windapsearch ([#177](https://github.com/timb-machine/linux-malware/issues/177)) +* https://github.com/mnagel/gnome-keyring-dumper ([#186](https://github.com/timb-machine/linux-malware/issues/186)) * https://github.com/MatheuZSecurity/D3m0n1z3dShell ([#773](https://github.com/timb-machine/linux-malware/issues/773)) - Persistence, Linux -* https://github.com/zMarch/Orc ([#161](https://github.com/timb-machine/linux-malware/issues/161)) -* https://github.com/hackerschoice/ssh-key-backdoor ([#672](https://github.com/timb-machine/linux-malware/issues/672)) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX -* https://github.com/naksyn/Pyramid ([#630](https://github.com/timb-machine/linux-malware/issues/630)) - Persistence, Command and Control, Linux -* https://github.com/eeriedusk/nysm ([#761](https://github.com/timb-machine/linux-malware/issues/761)) - Persistence, Linux -* https://github.com/t3l3machus/Villain ([#591](https://github.com/timb-machine/linux-malware/issues/591)) - Command and Control, Linux * https://github.com/CiscoCXSecurity/sudo-parser ([#163](https://github.com/timb-machine/linux-malware/issues/163)) - Privilege Escalation -* https://github.com/guitmz/memrun ([#592](https://github.com/timb-machine/linux-malware/issues/592)) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux -* https://github.com/FiloSottile/age ([#166](https://github.com/timb-machine/linux-malware/issues/166)) +* https://github.com/akawashiro/sloader ([#521](https://github.com/timb-machine/linux-malware/issues/521)) - Defense Evasion, Linux +* https://github.com/fireeye/SSSDKCMExtractor ([#520](https://github.com/timb-machine/linux-malware/issues/520)) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance +* https://github.com/DavidBuchanan314/stelf-loader ([#738](https://github.com/timb-machine/linux-malware/issues/738)) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux +* https://github.com/netifera/netifera ([#194](https://github.com/timb-machine/linux-malware/issues/194)) +* https://github.com/JonathonReinhart/nosecmem ([#180](https://github.com/timb-machine/linux-malware/issues/180)) +* https://github.com/metac0rtex/SSH-Key-Brute-Forcer ([#489](https://github.com/timb-machine/linux-malware/issues/489)) - Initial Access, Lateral Movement, Linux, Enclave deployment +* https://github.com/DavidBuchanan314/monomorph ([#534](https://github.com/timb-machine/linux-malware/issues/534)) - Defense Evasion, Linux +* https://github.com/redcode-labs/Bashark ([#168](https://github.com/timb-machine/linux-malware/issues/168)) * https://github.com/NetSPI/sshkey-grab ([#619](https://github.com/timb-machine/linux-malware/issues/619)) - Credential Access, attack:T1552.004:Private Keys, attack:T1003.007:Proc Filesystem, attack:T1055.009:Proc Memory, Linux, Enhanced identity governance -* https://github.com/NetDirect/nfsshell ([#164](https://github.com/timb-machine/linux-malware/issues/164)) * https://github.com/alichtman/malware-techniques ([#199](https://github.com/timb-machine/linux-malware/issues/199)) -* https://github.com/Ne0nd0g/merlin ([#545](https://github.com/timb-machine/linux-malware/issues/545)) - Command and Control, Exfiltration, uses:Go, Merlin, Linux -* https://github.com/IvanGlinkin/AutoSUID ([#204](https://github.com/timb-machine/linux-malware/issues/204)) -* https://github.com/airbus-seclab/nbutools ([#689](https://github.com/timb-machine/linux-malware/issues/689)) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services -* https://github.com/liamg/siphon ([#576](https://github.com/timb-machine/linux-malware/issues/576)) - Discovery, Collection, Linux - -### Offensive techniques - -* https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf ([#241](https://github.com/timb-machine/linux-malware/issues/241)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets -* https://www.archcloudlabs.com/projects/debuginfod/ ([#796](https://github.com/timb-machine/linux-malware/issues/796)) - Command and Control, Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux -* https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ ([#236](https://github.com/timb-machine/linux-malware/issues/236)) -* https://grugq.github.io/docs/subversiveld.pdf ([#473](https://github.com/timb-machine/linux-malware/issues/473)) - Linux -* https://github.com/0xor0ne/debugoff ([#755](https://github.com/timb-machine/linux-malware/issues/755)) - Defense Evasion, uses:Rust, attack:T1622:Debugger Evasion, Linux -* https://n0.lol/ ([#227](https://github.com/timb-machine/linux-malware/issues/227)) -* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html ([#683](https://github.com/timb-machine/linux-malware/issues/683)) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux -* https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ ([#475](https://github.com/timb-machine/linux-malware/issues/475)) - Linux -* https://rp.os3.nl/2016-2017/p97/report.pdf ([#234](https://github.com/timb-machine/linux-malware/issues/234)) -* http://www.ouah.org/LKM_HACKING.html ([#257](https://github.com/timb-machine/linux-malware/issues/257)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions -* https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ ([#562](https://github.com/timb-machine/linux-malware/issues/562)) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris -* https://vxug.fakedoma.in/papers.html ([#228](https://github.com/timb-machine/linux-malware/issues/228)) -* https://rushter.com/blog/public-ssh-keys/ ([#754](https://github.com/timb-machine/linux-malware/issues/754)) - Initial Access, Discovery, Lateral Movement, attack:T1018:Remote System Discovery, attack:T1199:Trusted Relationship, attack:T1021.004:SSH, Linux, AIX, Solaris, HP-UX -* https://gtfoargs.github.io/ ([#626](https://github.com/timb-machine/linux-malware/issues/626)) - Initial Access, Execution -* http://lists.openstack.org/pipermail/openstack/2013-December/004138.html ([#244](https://github.com/timb-machine/linux-malware/issues/244)) -* https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh ([#708](https://github.com/timb-machine/linux-malware/issues/708)) - Lateral Movement, Linux, AIX, Solaris, HP-UX -* http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf ([#246](https://github.com/timb-machine/linux-malware/issues/246)) -* https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ ([#238](https://github.com/timb-machine/linux-malware/issues/238)) -* https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html ([#611](https://github.com/timb-machine/linux-malware/issues/611)) - Defense Evasion -* https://devilinside.me/blogs/becoming-rat-your-system ([#256](https://github.com/timb-machine/linux-malware/issues/256)) -* https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html ([#240](https://github.com/timb-machine/linux-malware/issues/240)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets -* https://rp.os3.nl/2016-2017/p59/presentation.pdf ([#233](https://github.com/timb-machine/linux-malware/issues/233)) -* https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 ([#550](https://github.com/timb-machine/linux-malware/issues/550)) - Defense Evasion, attack:T1562:Impair Defenses, Linux -* https://twitter.com/HuskyHacksMK/status/1578413641669308416 ([#541](https://github.com/timb-machine/linux-malware/issues/541)) - Defense Evasion, Linux, AIX, Solaris, HP-UX -* https://twitter.com/Alh4zr3d/status/1577649651376791552 ([#540](https://github.com/timb-machine/linux-malware/issues/540)) - Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://github.com/pathtofile/bad-bpf ([#205](https://github.com/timb-machine/linux-malware/issues/205)) - uses:BPF +* https://github.com/creaktive/tsh ([#481](https://github.com/timb-machine/linux-malware/issues/481)) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux +* https://github.com/89luca89/pakkero ([#718](https://github.com/timb-machine/linux-malware/issues/718)) - Defense Evasion, attack:T1027.002:Software Packing, Linux +* https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ ([#188](https://github.com/timb-machine/linux-malware/issues/188)) + +### Offensive techniques + +* https://github.com/0xor0ne/debugoff ([#755](https://github.com/timb-machine/linux-malware/issues/755)) - Defense Evasion, uses:Rust, attack:T1622:Debugger Evasion, Linux +* https://sonarsource.github.io/argument-injection-vectors/ ([#627](https://github.com/timb-machine/linux-malware/issues/627)) - Initial Access, Execution +* https://rushter.com/blog/public-ssh-keys/ ([#754](https://github.com/timb-machine/linux-malware/issues/754)) - Initial Access, Discovery, Lateral Movement, attack:T1018:Remote System Discovery, attack:T1199:Trusted Relationship, attack:T1021.004:SSH, Linux, AIX, Solaris, HP-UX +* http://www.nth-dimension.org.uk/downloads.php?id=77 ([#237](https://github.com/timb-machine/linux-malware/issues/237)) * https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html ([#251](https://github.com/timb-machine/linux-malware/issues/251)) -* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html ([#575](https://github.com/timb-machine/linux-malware/issues/575)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux +* https://rp.os3.nl/2016-2017/p97/report.pdf ([#234](https://github.com/timb-machine/linux-malware/issues/234)) +* https://twitter.com/David3141593/status/1575978540868435968 ([#532](https://github.com/timb-machine/linux-malware/issues/532)) - Linux +* https://github.com/hakivvi/ermir ([#579](https://github.com/timb-machine/linux-malware/issues/579)) - Initial Access, Lateral Movement, Linux, Internal enterprise services +* https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ ([#239](https://github.com/timb-machine/linux-malware/issues/239)) +* https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ ([#562](https://github.com/timb-machine/linux-malware/issues/562)) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris * https://tmpout.sh/2/ ([#226](https://github.com/timb-machine/linux-malware/issues/226)) -* https://github.com/milabs/awesome-linux-rootkits ([#9](https://github.com/timb-machine/linux-malware/issues/9)) - Persistence, Linux -* https://twitter.com/Alh4zr3d/status/1578406155453276160 ([#539](https://github.com/timb-machine/linux-malware/issues/539)) - Defense Evasion, Linux, AIX, Solaris, HP-UX -* https://sysdig.com/blog/ebpf-offensive-capabilities/ ([#768](https://github.com/timb-machine/linux-malware/issues/768)) - Persistence, Defense Evasion, uses:eBPF, Linux -* https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 ([#197](https://github.com/timb-machine/linux-malware/issues/197)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm * https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph ([#800](https://github.com/timb-machine/linux-malware/issues/800)) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services -* https://twitter.com/brainsmoke/status/399558997994668033 ([#509](https://github.com/timb-machine/linux-malware/issues/509)) - Execution, Linux -* https://rp.os3.nl/2016-2017/p97/presentation.pdf ([#235](https://github.com/timb-machine/linux-malware/issues/235)) -* https://github.com/Sysinternals/SysmonForLinux/issues/83 ([#648](https://github.com/timb-machine/linux-malware/issues/648)) - Defense Evasion, Linux +* http://lists.openstack.org/pipermail/openstack/2013-December/004138.html ([#244](https://github.com/timb-machine/linux-malware/issues/244)) * http://shell-storm.org/api/?s=arm ([#243](https://github.com/timb-machine/linux-malware/issues/243)) -* https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf ([#436](https://github.com/timb-machine/linux-malware/issues/436)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing -* https://sysdig.com/blog/containers-read-only-fileless-malware/ ([#415](https://github.com/timb-machine/linux-malware/issues/415)) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing -* https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal ([#665](https://github.com/timb-machine/linux-malware/issues/665)) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer -* https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ ([#430](https://github.com/timb-machine/linux-malware/issues/430)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing -* https://sonarsource.github.io/argument-injection-vectors/ ([#627](https://github.com/timb-machine/linux-malware/issues/627)) - Initial Access, Execution -* https://github.com/hakivvi/ermir ([#579](https://github.com/timb-machine/linux-malware/issues/579)) - Initial Access, Lateral Movement, Linux, Internal enterprise services -* https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium ([#428](https://github.com/timb-machine/linux-malware/issues/428)) - Persistence, Linux, Device application sandboxing -* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 ([#461](https://github.com/timb-machine/linux-malware/issues/461)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm -* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html ([#705](https://github.com/timb-machine/linux-malware/issues/705)) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/669, Linux -* https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ ([#635](https://github.com/timb-machine/linux-malware/issues/635)) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services * https://www.form3.tech/engineering/content/bypassing-ebpf-tools ([#584](https://github.com/timb-machine/linux-malware/issues/584)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux -* https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf ([#555](https://github.com/timb-machine/linux-malware/issues/555)) - Persistence, Defense Evasion, uses:DTrace, SInAR, https://github.com/timb-machine/linux-malware/issues/553, https://github.com/timb-machine/linux-malware/issues/554, Archim, Solaris, Internal specialist services, Device application sandboxing +* https://twitter.com/brainsmoke/status/399558997994668033 ([#509](https://github.com/timb-machine/linux-malware/issues/509)) - Execution, Linux +* https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ ([#238](https://github.com/timb-machine/linux-malware/issues/238)) * https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 ([#653](https://github.com/timb-machine/linux-malware/issues/653)) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services -* https://github.com/CiscoCXSecurity/linikatz/issues ([#230](https://github.com/timb-machine/linux-malware/issues/230)) -* https://twitter.com/David3141593/status/1575978540868435968 ([#532](https://github.com/timb-machine/linux-malware/issues/532)) - Linux -* https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 ([#250](https://github.com/timb-machine/linux-malware/issues/250)) -* https://www.guitmz.com/running-elf-from-memory/ ([#252](https://github.com/timb-machine/linux-malware/issues/252)) -* http://www.hick.org/code/skape/papers/remote-library-injection.pdf ([#455](https://github.com/timb-machine/linux-malware/issues/455)) - Persistence, Linux -* http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf ([#242](https://github.com/timb-machine/linux-malware/issues/242)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing +* http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf ([#246](https://github.com/timb-machine/linux-malware/issues/246)) * https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html ([#255](https://github.com/timb-machine/linux-malware/issues/255)) -* https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf ([#248](https://github.com/timb-machine/linux-malware/issues/248)) +* http://www.hick.org/code/skape/papers/remote-library-injection.pdf ([#455](https://github.com/timb-machine/linux-malware/issues/455)) - Persistence, Linux +* https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf ([#241](https://github.com/timb-machine/linux-malware/issues/241)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html ([#575](https://github.com/timb-machine/linux-malware/issues/575)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux +* https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf ([#555](https://github.com/timb-machine/linux-malware/issues/555)) - Persistence, Defense Evasion, uses:DTrace, SInAR, https://github.com/timb-machine/linux-malware/issues/553, https://github.com/timb-machine/linux-malware/issues/554, Archim, Solaris, Internal specialist services, Device application sandboxing +* https://www.guitmz.com/running-elf-from-memory/ ([#252](https://github.com/timb-machine/linux-malware/issues/252)) * https://rp.os3.nl/2016-2017/p59/report.pdf ([#232](https://github.com/timb-machine/linux-malware/issues/232)) -* http://hick.org/code/skape/papers/needle.txt ([#557](https://github.com/timb-machine/linux-malware/issues/557)) - Persistence, Defense Evasion, Linux -* https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm ([#254](https://github.com/timb-machine/linux-malware/issues/254)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions -* https://grugq.github.io/docs/ul_exec.txt ([#463](https://github.com/timb-machine/linux-malware/issues/463)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm +* https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 ([#197](https://github.com/timb-machine/linux-malware/issues/197)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm +* http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf ([#242](https://github.com/timb-machine/linux-malware/issues/242)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing +* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html ([#683](https://github.com/timb-machine/linux-malware/issues/683)) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux +* https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf ([#245](https://github.com/timb-machine/linux-malware/issues/245)) +* https://sysdig.com/blog/ebpf-offensive-capabilities/ ([#768](https://github.com/timb-machine/linux-malware/issues/768)) - Persistence, Defense Evasion, uses:eBPF, Linux +* https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 ([#550](https://github.com/timb-machine/linux-malware/issues/550)) - Defense Evasion, attack:T1562:Impair Defenses, Linux +* https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium ([#428](https://github.com/timb-machine/linux-malware/issues/428)) - Persistence, Linux, Device application sandboxing +* https://www.archcloudlabs.com/projects/debuginfod/ ([#796](https://github.com/timb-machine/linux-malware/issues/796)) - Command and Control, Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux +* https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 ([#250](https://github.com/timb-machine/linux-malware/issues/250)) +* https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh ([#708](https://github.com/timb-machine/linux-malware/issues/708)) - Lateral Movement, Linux, AIX, Solaris, HP-UX +* https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement ([#772](https://github.com/timb-machine/linux-malware/issues/772)) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux * https://www.blackhat.com/presentations/bh-dc-08/Beauchamp-Weston/Whitepaper/bh-dc-08-beauchamp-weston-WP.pdf ([#556](https://github.com/timb-machine/linux-malware/issues/556)) - Persistence, Defense Evasion, uses:DTrace, Solaris, Internal specialist services, Device application sandboxing -* https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ ([#239](https://github.com/timb-machine/linux-malware/issues/239)) -* https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ ([#558](https://github.com/timb-machine/linux-malware/issues/558)) - Persistence, Defense Evasion, Linux +* https://github.com/Sysinternals/SysmonForLinux/issues/83 ([#648](https://github.com/timb-machine/linux-malware/issues/648)) - Defense Evasion, Linux +* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 ([#461](https://github.com/timb-machine/linux-malware/issues/461)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm +* https://tmpout.sh/1/ ([#225](https://github.com/timb-machine/linux-malware/issues/225)) * https://c3media.vsos.ethz.ch/congress/2004/papers/057%20SUN%20Bloody%20Daft%20Solaris%20Mechanisms.pdf ([#554](https://github.com/timb-machine/linux-malware/issues/554)) - Persistence, Defense Evasion, uses:DTrace, SInAR, https://github.com/timb-machine/linux-malware/issues/553, Archim, Solaris, Internal specialist services, Device application sandboxing -* https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement ([#772](https://github.com/timb-machine/linux-malware/issues/772)) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux +* https://github.com/elfmaster/scop_virus_paper ([#253](https://github.com/timb-machine/linux-malware/issues/253)) +* https://twitter.com/HuskyHacksMK/status/1578413641669308416 ([#541](https://github.com/timb-machine/linux-malware/issues/541)) - Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html ([#705](https://github.com/timb-machine/linux-malware/issues/705)) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/669, Linux +* http://hick.org/code/skape/papers/needle.txt ([#557](https://github.com/timb-machine/linux-malware/issues/557)) - Persistence, Defense Evasion, Linux * https://github.com/rapid7/ssh-badkeys ([#538](https://github.com/timb-machine/linux-malware/issues/538)) - Initial Access, Linux, AIX, Solaris, HP-UX -* https://blog.fbkcs.ru/en/elf-in-memory-execution/ ([#249](https://github.com/timb-machine/linux-malware/issues/249)) -* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html ([#462](https://github.com/timb-machine/linux-malware/issues/462)) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm -* https://www.tarlogic.com/blog/how-to-attack-kerberos/ ([#229](https://github.com/timb-machine/linux-malware/issues/229)) -* https://tmpout.sh/1/ ([#225](https://github.com/timb-machine/linux-malware/issues/225)) +* https://devilinside.me/blogs/becoming-rat-your-system ([#256](https://github.com/timb-machine/linux-malware/issues/256)) +* https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal ([#665](https://github.com/timb-machine/linux-malware/issues/665)) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer * https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf ([#231](https://github.com/timb-machine/linux-malware/issues/231)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing * https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html ([#567](https://github.com/timb-machine/linux-malware/issues/567)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux -* https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf ([#245](https://github.com/timb-machine/linux-malware/issues/245)) -* http://www.nth-dimension.org.uk/downloads.php?id=77 ([#237](https://github.com/timb-machine/linux-malware/issues/237)) -* https://github.com/elfmaster/scop_virus_paper ([#253](https://github.com/timb-machine/linux-malware/issues/253)) +* https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm ([#254](https://github.com/timb-machine/linux-malware/issues/254)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions +* https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ ([#430](https://github.com/timb-machine/linux-malware/issues/430)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing +* https://grugq.github.io/docs/ul_exec.txt ([#463](https://github.com/timb-machine/linux-malware/issues/463)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm * https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92 ([#247](https://github.com/timb-machine/linux-malware/issues/247)) +* https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ ([#635](https://github.com/timb-machine/linux-malware/issues/635)) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services +* https://rp.os3.nl/2016-2017/p59/presentation.pdf ([#233](https://github.com/timb-machine/linux-malware/issues/233)) +* https://gtfoargs.github.io/ ([#626](https://github.com/timb-machine/linux-malware/issues/626)) - Initial Access, Execution +* https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ ([#236](https://github.com/timb-machine/linux-malware/issues/236)) +* https://grugq.github.io/docs/subversiveld.pdf ([#473](https://github.com/timb-machine/linux-malware/issues/473)) - Linux +* https://github.com/milabs/awesome-linux-rootkits ([#9](https://github.com/timb-machine/linux-malware/issues/9)) - Persistence, Linux +* https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html ([#240](https://github.com/timb-machine/linux-malware/issues/240)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets +* https://n0.lol/ ([#227](https://github.com/timb-machine/linux-malware/issues/227)) +* https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html ([#611](https://github.com/timb-machine/linux-malware/issues/611)) - Defense Evasion +* https://twitter.com/Alh4zr3d/status/1577649651376791552 ([#540](https://github.com/timb-machine/linux-malware/issues/540)) - Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://twitter.com/Alh4zr3d/status/1578406155453276160 ([#539](https://github.com/timb-machine/linux-malware/issues/539)) - Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://sysdig.com/blog/containers-read-only-fileless-malware/ ([#415](https://github.com/timb-machine/linux-malware/issues/415)) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing +* https://blog.fbkcs.ru/en/elf-in-memory-execution/ ([#249](https://github.com/timb-machine/linux-malware/issues/249)) +* https://github.com/CiscoCXSecurity/linikatz/issues ([#230](https://github.com/timb-machine/linux-malware/issues/230)) +* https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf ([#248](https://github.com/timb-machine/linux-malware/issues/248)) +* https://rp.os3.nl/2016-2017/p97/presentation.pdf ([#235](https://github.com/timb-machine/linux-malware/issues/235)) +* https://www.tarlogic.com/blog/how-to-attack-kerberos/ ([#229](https://github.com/timb-machine/linux-malware/issues/229)) +* https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ ([#475](https://github.com/timb-machine/linux-malware/issues/475)) - Linux +* https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ ([#558](https://github.com/timb-machine/linux-malware/issues/558)) - Persistence, Defense Evasion, Linux +* http://www.ouah.org/LKM_HACKING.html ([#257](https://github.com/timb-machine/linux-malware/issues/257)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions +* https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf ([#436](https://github.com/timb-machine/linux-malware/issues/436)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing +* https://vxug.fakedoma.in/papers.html ([#228](https://github.com/timb-machine/linux-malware/issues/228)) +* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html ([#462](https://github.com/timb-machine/linux-malware/issues/462)) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm ## Defensive research ### Defensive tools -* https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 ([#451](https://github.com/timb-machine/linux-malware/issues/451)) - Linux -* https://github.com/stratosphereips/StratosphereLinuxIPS ([#811](https://github.com/timb-machine/linux-malware/issues/811)) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux -* https://github.com/sandflysecurity/sandfly-processdecloak ([#633](https://github.com/timb-machine/linux-malware/issues/633)) - Defense Evasion, Linux -* https://github.com/david942j/seccomp-tools ([#590](https://github.com/timb-machine/linux-malware/issues/590)) - Defense Evasion, Linux -* https://github.com/op7ic/unix_collector ([#266](https://github.com/timb-machine/linux-malware/issues/266)) - Solaris, Linux, AIX, OS X -* https://twitter.com/timb_machine/status/1523253031382687744 ([#421](https://github.com/timb-machine/linux-malware/issues/421)) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/420, DecisiveArchitect, Solaris -* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ ([#274](https://github.com/timb-machine/linux-malware/issues/274)) -* https://github.com/NozomiNetworks/upx-recovery-tool ([#535](https://github.com/timb-machine/linux-malware/issues/535)) - Defense Evasion, attack:T1027.002:Software Packing, Linux -* https://github.com/evilsocket/ebpf-process-anomaly-detection ([#497](https://github.com/timb-machine/linux-malware/issues/497)) - Execution, Linux -* https://github.com/ancat/egrets ([#218](https://github.com/timb-machine/linux-malware/issues/218)) -* https://github.com/M00NLIG7/ChopChopGo ([#674](https://github.com/timb-machine/linux-malware/issues/674)) - Defense Evasion, Linux -* https://github.com/Gui774ume/ebpfkit-monitor ([#467](https://github.com/timb-machine/linux-malware/issues/467)) - Persistence, Defense Evasion, Discovery, Command and Control, Linux -* https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 ([#269](https://github.com/timb-machine/linux-malware/issues/269)) -* https://github.com/chainguard-dev/osquery-defense-kit ([#574](https://github.com/timb-machine/linux-malware/issues/574)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux * https://www.volatilityfoundation.org/releases-vol3 ([#457](https://github.com/timb-machine/linux-malware/issues/457)) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing +* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ ([#276](https://github.com/timb-machine/linux-malware/issues/276)) +* https://twitter.com/inversecos/status/1527188391347068928 ([#435](https://github.com/timb-machine/linux-malware/issues/435)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing +* https://github.com/M00NLIG7/ChopChopGo ([#674](https://github.com/timb-machine/linux-malware/issues/674)) - Defense Evasion, Linux +* https://github.com/NozomiNetworks/upx-recovery-tool ([#535](https://github.com/timb-machine/linux-malware/issues/535)) - Defense Evasion, attack:T1027.002:Software Packing, Linux * https://github.com/snapattack/bpfdoor-scanner ([#437](https://github.com/timb-machine/linux-malware/issues/437)) - Persistence, Defense Evasion, Command and Control, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect -* https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 ([#472](https://github.com/timb-machine/linux-malware/issues/472)) - Linux * https://github.com/monnappa22/Limon ([#258](https://github.com/timb-machine/linux-malware/issues/258)) -* https://github.com/niveb/NoCrypt ([#673](https://github.com/timb-machine/linux-malware/issues/673)) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux -* https://github.com/CYB3RMX/Qu1cksc0pe ([#696](https://github.com/timb-machine/linux-malware/issues/696)) - Defense Evasion, Linux -* https://github.com/sourque/louis ([#411](https://github.com/timb-machine/linux-malware/issues/411)) - Linux, Device application sandboxing -* https://github.com/tclahr/uac ([#583](https://github.com/timb-machine/linux-malware/issues/583)) - Persistence, Defense Evasion, Linux -* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ ([#275](https://github.com/timb-machine/linux-malware/issues/275)) -* https://github.com/504ensicsLabs/LiME ([#187](https://github.com/timb-machine/linux-malware/issues/187)) +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf ([#449](https://github.com/timb-machine/linux-malware/issues/449)) - Persistence, Defense Evasion, Credential Access, Command and Control, https://github.com/timb-machine/linux-malware/issues/156, https://github.com/timb-machine/linux-malware/issues/418, https://github.com/timb-machine/linux-malware/issues/420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux * https://github.com/Gui774ume/krie ([#498](https://github.com/timb-machine/linux-malware/issues/498)) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux -* https://github.com/alex-cart/LEAF ([#445](https://github.com/timb-machine/linux-malware/issues/445)) - Linux -* https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ ([#277](https://github.com/timb-machine/linux-malware/issues/277)) -* https://github.com/0xrawsec/kunai ([#749](https://github.com/timb-machine/linux-malware/issues/749)) - Defense Evasion, Linux -* https://twitter.com/ldsopreload/status/1583178316286029824 ([#568](https://github.com/timb-machine/linux-malware/issues/568)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux -* https://github.com/falcosecurity/falco ([#412](https://github.com/timb-machine/linux-malware/issues/412)) - Linux, Device application sandboxing -* https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf ([#423](https://github.com/timb-machine/linux-malware/issues/423)) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux -* https://twitter.com/inversecos/status/1527188391347068928 ([#435](https://github.com/timb-machine/linux-malware/issues/435)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing * https://bazaar.abuse.ch/ ([#259](https://github.com/timb-machine/linux-malware/issues/259)) +* https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals ([#450](https://github.com/timb-machine/linux-malware/issues/450)) - Persistence, Privilege Escalation, Defense Evasion, Linux +* https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 ([#278](https://github.com/timb-machine/linux-malware/issues/278)) +* https://github.com/Gui774ume/ebpfkit-monitor ([#467](https://github.com/timb-machine/linux-malware/issues/467)) - Persistence, Defense Evasion, Discovery, Command and Control, Linux +* https://twitter.com/timb_machine/status/1523253031382687744 ([#421](https://github.com/timb-machine/linux-malware/issues/421)) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/420, DecisiveArchitect, Solaris +* https://github.com/threathunters-io/laurel ([#581](https://github.com/timb-machine/linux-malware/issues/581)) - Defense Evasion, Linux +* https://github.com/sandflysecurity/sandfly-entropyscan ([#632](https://github.com/timb-machine/linux-malware/issues/632)) - Defense Evasion, Linux +* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ ([#274](https://github.com/timb-machine/linux-malware/issues/274)) +* https://github.com/sourque/louis ([#411](https://github.com/timb-machine/linux-malware/issues/411)) - Linux, Device application sandboxing * https://youtu.be/16_EAsYAApI ([#438](https://github.com/timb-machine/linux-malware/issues/438)) - Linux +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac ([#569](https://github.com/timb-machine/linux-malware/issues/569)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 ([#451](https://github.com/timb-machine/linux-malware/issues/451)) - Linux +* https://github.com/avilum/secimport ([#748](https://github.com/timb-machine/linux-malware/issues/748)) - Persistence, Defense Evasion, Linux +* https://tbhaxor.com/hunting-malicious-binaries-in-containers/ ([#272](https://github.com/timb-machine/linux-malware/issues/272)) +* https://github.com/vmware/kernel-event-collector-module ([#271](https://github.com/timb-machine/linux-malware/issues/271)) - Carbon Black +* https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ ([#277](https://github.com/timb-machine/linux-malware/issues/277)) +* https://github.com/signalblur/impelf ([#647](https://github.com/timb-machine/linux-malware/issues/647)) - Defense Evasion, Linux * https://twitter.com/ldsopreload/status/1582780282758828035 ([#571](https://github.com/timb-machine/linux-malware/issues/571)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux -* https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ ([#265](https://github.com/timb-machine/linux-malware/issues/265)) +* https://github.com/tstromberg/sunlight ([#794](https://github.com/timb-machine/linux-malware/issues/794)) - Defense Evasion, uses:eBPF, Linux +* https://github.com/chainguard-dev/osquery-defense-kit ([#574](https://github.com/timb-machine/linux-malware/issues/574)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux +* https://github.com/op7ic/unix_collector ([#266](https://github.com/timb-machine/linux-malware/issues/266)) - Solaris, Linux, AIX, OS X +* https://github.com/0xrawsec/kunai ([#749](https://github.com/timb-machine/linux-malware/issues/749)) - Defense Evasion, Linux * https://www.rfxn.com/projects/linux-malware-detect/ ([#261](https://github.com/timb-machine/linux-malware/issues/261)) -* https://github.com/signalblur/impelf ([#647](https://github.com/timb-machine/linux-malware/issues/647)) - Defense Evasion, Linux -* https://github.com/deepfence/ebpfguard ([#697](https://github.com/timb-machine/linux-malware/issues/697)) - Defense Evasion, Linux -* https://github.com/sandflysecurity/sandfly-entropyscan ([#632](https://github.com/timb-machine/linux-malware/issues/632)) - Defense Evasion, Linux -* https://github.com/hardenedvault/ved-ebpf ([#737](https://github.com/timb-machine/linux-malware/issues/737)) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux -* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac ([#569](https://github.com/timb-machine/linux-malware/issues/569)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://twitter.com/ldsopreload/status/1583178316286029824 ([#568](https://github.com/timb-machine/linux-malware/issues/568)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 ([#472](https://github.com/timb-machine/linux-malware/issues/472)) - Linux +* https://github.com/falcosecurity/falco ([#412](https://github.com/timb-machine/linux-malware/issues/412)) - Linux, Device application sandboxing +* https://github.com/david942j/seccomp-tools ([#590](https://github.com/timb-machine/linux-malware/issues/590)) - Defense Evasion, Linux +* https://github.com/evilsocket/ebpf-process-anomaly-detection ([#497](https://github.com/timb-machine/linux-malware/issues/497)) - Execution, Linux +* https://github.com/alex-cart/LEAF ([#445](https://github.com/timb-machine/linux-malware/issues/445)) - Linux * https://github.com/marin-m/vmlinux-to-elf ([#726](https://github.com/timb-machine/linux-malware/issues/726)) - Defense Evasion, attack:T1601:Modify System Image, Linux +* https://github.com/stratosphereips/StratosphereLinuxIPS ([#811](https://github.com/timb-machine/linux-malware/issues/811)) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux +* https://github.com/sandflysecurity/sandfly-file-decloak ([#634](https://github.com/timb-machine/linux-malware/issues/634)) - Defense Evasion, Linux +* https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf ([#423](https://github.com/timb-machine/linux-malware/issues/423)) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux +* https://github.com/Achiefs/fim ([#779](https://github.com/timb-machine/linux-malware/issues/779)) - Credential Access, Defense Evasion, Persistence, attack:T1556.003:Pluggable Authentication Modules, attack:T1562.012:Disable or Modify Linux Audit System, attack:T1601:Modify System Image, Linux * https://elfdigest.com/ ([#262](https://github.com/timb-machine/linux-malware/issues/262)) -* https://github.com/sqall01/LSMS ([#610](https://github.com/timb-machine/linux-malware/issues/610)) - Defense Evasion, Linux -* https://github.com/vmware/kernel-event-collector-module ([#271](https://github.com/timb-machine/linux-malware/issues/271)) - Carbon Black -* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ ([#276](https://github.com/timb-machine/linux-malware/issues/276)) -* https://github.com/jafarlihi/modreveal ([#609](https://github.com/timb-machine/linux-malware/issues/609)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux -* https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals ([#450](https://github.com/timb-machine/linux-malware/issues/450)) - Persistence, Privilege Escalation, Defense Evasion, Linux -* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf ([#449](https://github.com/timb-machine/linux-malware/issues/449)) - Persistence, Defense Evasion, Credential Access, Command and Control, https://github.com/timb-machine/linux-malware/issues/156, https://github.com/timb-machine/linux-malware/issues/418, https://github.com/timb-machine/linux-malware/issues/420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux -* https://github.com/tstromberg/sunlight ([#794](https://github.com/timb-machine/linux-malware/issues/794)) - Defense Evasion, uses:eBPF, Linux +* https://github.com/hardenedvault/ved-ebpf ([#737](https://github.com/timb-machine/linux-malware/issues/737)) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux +* https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ ([#268](https://github.com/timb-machine/linux-malware/issues/268)) +* https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 ([#269](https://github.com/timb-machine/linux-malware/issues/269)) +* https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ ([#265](https://github.com/timb-machine/linux-malware/issues/265)) +* https://github.com/niveb/NoCrypt ([#673](https://github.com/timb-machine/linux-malware/issues/673)) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux +* https://github.com/tclahr/uac ([#583](https://github.com/timb-machine/linux-malware/issues/583)) - Persistence, Defense Evasion, Linux +* https://github.com/ancat/egrets ([#218](https://github.com/timb-machine/linux-malware/issues/218)) +* https://github.com/sandflysecurity/sandfly-processdecloak ([#633](https://github.com/timb-machine/linux-malware/issues/633)) - Defense Evasion, Linux +* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace ([#570](https://github.com/timb-machine/linux-malware/issues/570)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://github.com/504ensicsLabs/LiME ([#187](https://github.com/timb-machine/linux-malware/issues/187)) +* https://github.com/CYB3RMX/Qu1cksc0pe ([#696](https://github.com/timb-machine/linux-malware/issues/696)) - Defense Evasion, Linux +* https://github.com/chriskaliX/Hades ([#514](https://github.com/timb-machine/linux-malware/issues/514)) - Linux +* https://github.com/nikhilh-20/ELFEN ([#764](https://github.com/timb-machine/linux-malware/issues/764)) - Defense Evasion, Linux * https://github.com/elfmaster/avu32 ([#273](https://github.com/timb-machine/linux-malware/issues/273)) +* https://github.com/sqall01/LSMS ([#610](https://github.com/timb-machine/linux-malware/issues/610)) - Defense Evasion, Linux * https://www.virustotal.com/gui/ ([#260](https://github.com/timb-machine/linux-malware/issues/260)) -* https://github.com/chriskaliX/Hades ([#514](https://github.com/timb-machine/linux-malware/issues/514)) - Linux -* https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 ([#278](https://github.com/timb-machine/linux-malware/issues/278)) -* https://github.com/sandflysecurity/sandfly-file-decloak ([#634](https://github.com/timb-machine/linux-malware/issues/634)) - Defense Evasion, Linux -* https://tbhaxor.com/hunting-malicious-binaries-in-containers/ ([#272](https://github.com/timb-machine/linux-malware/issues/272)) -* https://github.com/threathunters-io/laurel ([#581](https://github.com/timb-machine/linux-malware/issues/581)) - Defense Evasion, Linux -* https://github.com/avilum/secimport ([#748](https://github.com/timb-machine/linux-malware/issues/748)) - Persistence, Defense Evasion, Linux +* https://github.com/jafarlihi/modreveal ([#609](https://github.com/timb-machine/linux-malware/issues/609)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux +* https://github.com/deepfence/ebpfguard ([#697](https://github.com/timb-machine/linux-malware/issues/697)) - Defense Evasion, Linux +* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ ([#275](https://github.com/timb-machine/linux-malware/issues/275)) * https://tria.ge/ ([#263](https://github.com/timb-machine/linux-malware/issues/263)) -* https://github.com/Achiefs/fim ([#779](https://github.com/timb-machine/linux-malware/issues/779)) - Credential Access, Defense Evasion, Persistence, attack:T1556.003:Pluggable Authentication Modules, attack:T1562.012:Disable or Modify Linux Audit System, attack:T1601:Modify System Image, Linux -* https://github.com/nikhilh-20/ELFEN ([#764](https://github.com/timb-machine/linux-malware/issues/764)) - Defense Evasion, Linux -* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace ([#570](https://github.com/timb-machine/linux-malware/issues/570)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux -* https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ ([#268](https://github.com/timb-machine/linux-malware/issues/268)) ### Defensive techniques -* https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ ([#528](https://github.com/timb-machine/linux-malware/issues/528)) - Persistence, Defense Evasion, Linux, Device application sandboxing -* https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ ([#39](https://github.com/timb-machine/linux-malware/issues/39)) - honeypot, Linux -* https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html ([#559](https://github.com/timb-machine/linux-malware/issues/559)) - Defense Evasion, Linux -* https://github.com/timb-machine/obscure-forensics ([#267](https://github.com/timb-machine/linux-malware/issues/267)) -* https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ ([#38](https://github.com/timb-machine/linux-malware/issues/38)) - honeypot, Linux -* https://redcanary.com/blog/process-streams/ ([#494](https://github.com/timb-machine/linux-malware/issues/494)) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment -* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf ([#499](https://github.com/timb-machine/linux-malware/issues/499)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux +* https://redcanary.com/blog/ebpf-for-security/ ([#270](https://github.com/timb-machine/linux-malware/issues/270)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading * https://github.com/rung/threat-matrix-cicd ([#10](https://github.com/timb-machine/linux-malware/issues/10)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux +* https://redcanary.com/blog/process-streams/ ([#494](https://github.com/timb-machine/linux-malware/issues/494)) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment +* https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html ([#774](https://github.com/timb-machine/linux-malware/issues/774)) - Defense Evasion, Linux * https://www.mandiant.com/sites/default/files/2022-03/wp-linux-endpoint-hardening.pdf ([#675](https://github.com/timb-machine/linux-malware/issues/675)) - Defense Evasion, Linux -* https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ ([#747](https://github.com/timb-machine/linux-malware/issues/747)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux -* https://redcanary.com/blog/ebpf-for-security/ ([#270](https://github.com/timb-machine/linux-malware/issues/270)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading -* https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs ([#712](https://github.com/timb-machine/linux-malware/issues/712)) - Defense Evasion, Linux * https://www.forensicxlab.com/posts/inodes/ ([#522](https://github.com/timb-machine/linux-malware/issues/522)) - Defense Evasion, Linux -* https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ ([#762](https://github.com/timb-machine/linux-malware/issues/762)) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux -* https://github.com/DevinRTK/rtk-eLibrary ([#631](https://github.com/timb-machine/linux-malware/issues/631)) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise -* https://www.youtube.com/watch?v=Zig-inHOhII ([#561](https://github.com/timb-machine/linux-malware/issues/561)) - Defense Evasion, Linux -* https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ ([#760](https://github.com/timb-machine/linux-malware/issues/760)) - Persistence, Defense Evasion, Command and Control, Linux +* https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ ([#747](https://github.com/timb-machine/linux-malware/issues/747)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux * https://archive.org/details/HalLinuxForensics ([#560](https://github.com/timb-machine/linux-malware/issues/560)) - Defense Evasion, Linux +* https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html ([#559](https://github.com/timb-machine/linux-malware/issues/559)) - Defense Evasion, Linux +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf ([#499](https://github.com/timb-machine/linux-malware/issues/499)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux * https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ ([#736](https://github.com/timb-machine/linux-malware/issues/736)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux +* https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ ([#762](https://github.com/timb-machine/linux-malware/issues/762)) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux +* https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs ([#712](https://github.com/timb-machine/linux-malware/issues/712)) - Defense Evasion, Linux +* https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ ([#39](https://github.com/timb-machine/linux-malware/issues/39)) - honeypot, Linux +* https://www.youtube.com/watch?v=Zig-inHOhII ([#561](https://github.com/timb-machine/linux-malware/issues/561)) - Defense Evasion, Linux +* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ ([#719](https://github.com/timb-machine/linux-malware/issues/719)) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX * https://twitter.com/CraigHRowland/status/1593102427276050433 ([#587](https://github.com/timb-machine/linux-malware/issues/587)) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Linux * https://blog.aquasec.com/detecting-ebpf-malware-with-tracee ([#745](https://github.com/timb-machine/linux-malware/issues/745)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux -* https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html ([#774](https://github.com/timb-machine/linux-malware/issues/774)) - Defense Evasion, Linux -* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ ([#719](https://github.com/timb-machine/linux-malware/issues/719)) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX * https://github.com/archcloudlabs/BSidesRoc2022_Linux_Malware_Analysis_Course ([#264](https://github.com/timb-machine/linux-malware/issues/264)) +* https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ ([#760](https://github.com/timb-machine/linux-malware/issues/760)) - Persistence, Defense Evasion, Command and Control, Linux +* https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ ([#528](https://github.com/timb-machine/linux-malware/issues/528)) - Persistence, Defense Evasion, Linux, Device application sandboxing +* https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ ([#38](https://github.com/timb-machine/linux-malware/issues/38)) - honeypot, Linux +* https://github.com/timb-machine/obscure-forensics ([#267](https://github.com/timb-machine/linux-malware/issues/267)) * https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery ([#529](https://github.com/timb-machine/linux-malware/issues/529)) - Linux +* https://github.com/DevinRTK/rtk-eLibrary ([#631](https://github.com/timb-machine/linux-malware/issues/631)) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise ### Defensive Yara #### Personal rules -* canvasspectre.yara ([#284](https://github.com/timb-machine/linux-malware/issues/284)) - Hunts for CANVAS Spectre -* luckscan.yara ([#286](https://github.com/timb-machine/linux-malware/issues/286)) - Hunts for references to luckscan -* ciscotools.yara ([#279](https://github.com/timb-machine/linux-malware/issues/279)) - Hunts for references to our tools -* aix.yara ([#280](https://github.com/timb-machine/linux-malware/issues/280)) - Hunts for AIX binaries * enterpriseapps2.yara ([#283](https://github.com/timb-machine/linux-malware/issues/283)) - Hunts for enterprise app binaries +* unixredflags3.yara ([#285](https://github.com/timb-machine/linux-malware/issues/285)) - Hunts for UNIX red flags +* aix.yara ([#280](https://github.com/timb-machine/linux-malware/issues/280)) - Hunts for AIX binaries +* ciscotools.yara ([#279](https://github.com/timb-machine/linux-malware/issues/279)) - Hunts for references to our tools +* luckscan.yara ([#286](https://github.com/timb-machine/linux-malware/issues/286)) - Hunts for references to luckscan +* canvasspectre.yara ([#284](https://github.com/timb-machine/linux-malware/issues/284)) - Hunts for CANVAS Spectre * enterpriseunix2.yara ([#282](https://github.com/timb-machine/linux-malware/issues/282)) - Hunts for enterprise UNIX binaries -* adonunix2.yara ([#281](https://github.com/timb-machine/linux-malware/issues/281)) - Hunts for binaries that attack AD on UNIX * pscan.yara ([#287](https://github.com/timb-machine/linux-malware/issues/287)) - Hunts for references to pscan -* unixredflags3.yara ([#285](https://github.com/timb-machine/linux-malware/issues/285)) - Hunts for UNIX red flags +* adonunix2.yara ([#281](https://github.com/timb-machine/linux-malware/issues/281)) - Hunts for binaries that attack AD on UNIX #### Other rules -* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar ([#419](https://github.com/timb-machine/linux-malware/issues/419)) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux * https://github.com/Yara-Rules/rules ([#288](https://github.com/timb-machine/linux-malware/issues/288)) +* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar ([#419](https://github.com/timb-machine/linux-malware/issues/419)) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux