Emotet malware goes Linux

ilu
Posts: 2711
Joined: 09 Oct 2013 12:45

Emotet malware goes Linux

Postby ilu » 02 Aug 2020 14:34

No need to panic but I think a warning is in order. Don't feel too safe when dealing with mail attachments and shady websites:
https://medium.com/stage-2-security/anc ... 07ba13ca30

kurotsugi
Posts: 2274
Joined: 09 Jan 2014 00:17

Re: Emotet malware goes Linux

Postby kurotsugi » 03 Aug 2020 06:28

There's no explanation of what is being exploited or how it got exploited. Based on the explanation, it might use either the file manager, the browser, or the zip file manager. Should we assume that neither DoH nor DoT helps in this case?

ilu
Posts: 2711
Joined: 09 Oct 2013 12:45

Re: Emotet malware goes Linux

Postby ilu » 03 Aug 2020 10:43

You mean how the system gets infected?

The author describes just a dropper and a backdoor. Another source talks about harvested ssh keys - probably from infected Windows systems. So it seems that no exploit usage has been detected yet. I just want people to be aware that a big player in the malware scene is starting to target Linux.

I don't think we'll see exploit usage soon. But a hostile takeover of a popular repository/ppa/snap/nodejs/pip package would be an easy way of spreading a backdoor. It has happened before, and there's a reason GitHub is starting to force its users away from password authentication. Also, in another forum somebody complained about software not working and even went so far as to do "sudo random-software-downloaded-from-somewhere". If you get people to do that ... you don't need exploits.

As a first step the Trickbot team might intend to target routers. Since a lot of routers never get updates they are easy targets with complete access to the network they govern.
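One concrete defence against the "sudo random-software-downloaded-from-somewhere" habit and against a hijacked download location, added here as an example and not taken from the thread or the linked article: a small shell wrapper that refuses to execute a downloaded installer unless its SHA-256 matches a checksum obtained through a separate channel (the project's signed release notes, a vendor page fetched over a different connection). It assumes `sha256sum` and `awk` are available; the function names are made up for this example, and the "installer" it runs is a constructed script, not any real package.

```shell
# Added example (not from the forum thread): refuse to run a downloaded
# installer unless its SHA-256 matches a checksum obtained out of band.
# A checksum served from the same place as the download proves nothing if
# that place is compromised; a detached signature is the stronger check.

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch or missing file
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# run_verified FILE EXPECTED_HEX [args...]: execute only after verification.
# The caller decides whether to prefix this with sudo; the point is that the
# check happens before anything from the download is executed.
run_verified() {
    file="$1"
    expected="$2"
    shift 2
    verify_sha256 "$file" "$expected" || return 1
    sh "$file" "$@"
}

# Stand-alone demo with a constructed installer script.
demo() {
    tmp=$(mktemp)
    printf '#!/bin/sh\necho hello from installer\n' > "$tmp"
    # Checksum as it would appear in out-of-band release notes
    good=$(sha256sum "$tmp" | awk '{print $1}')
    run_verified "$tmp" "$good" && echo "verified run ok"
    # A wrong or unknown checksum must block execution
    run_verified "$tmp" "0000000000000000000000000000000000000000000000000000000000000000" \
        || echo "refused to run tampered/unknown file"
    rm -f "$tmp"
}

demo
```

The important property is ordering: nothing from the download runs until the comparison succeeds, so a swapped file at the mirror, in a hijacked package source, or in a tampered archive fails closed instead of executing with whatever privileges the user hands it.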

kurotsugi
Posts: 2274
Joined: 09 Jan 2014 00:17

Re: Emotet malware goes Linux

Postby kurotsugi » 03 Aug 2020 15:12

The article explains what it does _after_ it got installed. It's certainly dangerous _after_ it got installed. However, as we can see, as long as it doesn't get installed, we are completely safe. It said that the malware comes as a *.zip file, so it should use a security hole in something somewhere.

As we know, malware usually contains two parts. One part exploits a hole and installs the malware into the system, while the other one is the "engine", the real malware which does all the nasty stuff. The exploit could be different (they need to change it frequently since we regularly fix the holes), but the engine could be the same.

IMO it's more relevant for us to find out which security holes are used to install the malware and how to protect ourselves, because the malware can't do anything if it doesn't get installed. OTOH, the article mostly discusses how the malware works. It's useful if you're a security researcher/engineer, but from an end-user point of view like ours, I think it doesn't help much.

That being said, I think that Linux becoming a target is certainly a valid point. The kernel itself, when we count Android, is currently the biggest one. When we consider the technology above it, an attack on certain stuff on Linux could be used against BSD, lots of other Unix family members, or even Mac.
