New Linux malware family evades antivirus detection

Some have been active for over three years


Cybersecurity researchers have uncovered several malicious Linux binaries that have slipped past most antivirus products.

Upon closer inspection, the researchers at AT&T Alien Labs identified these binaries as modified versions of the open source Prism backdoor, which has been used in multiple earlier campaigns.

“We have conducted further investigation of the samples and discovered that several campaigns using these malicious executables have managed to remain active and under the radar for more than 3.5 years. The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November, 2017,” note the researchers.


Calling Prism a “simplistic and straightforward” backdoor that is easy to detect, the researchers suggest that the modified binaries have evaded detection for several years because the security industry focuses its efforts on bigger campaigns, allowing smaller ones to slip through the gaps.

Under the radar

One of the variants analyzed by the researchers, which they call WaterDrop, is easily identifiable, yet still maintains a near-zero detection score in the VirusTotal database. Moreover, WaterDrop communicates with its command and control (C2) server over plain-text HTTP.

Tracking the evolution of the malware, the researchers note that many of the variants use the same C2 server. The earlier variants implement none of the mechanisms malware authors commonly use to avoid being flagged, such as obfuscation and encryption; the newer variants do, along with a few other modifications.
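The article gives no indicators for WaterDrop, but an unobfuscated backdoor that polls a fixed C2 server over plain-text HTTP leaves a very regular footprint in proxy logs. The script below is an added example written for this article, not code from AT&T Alien Labs and not based on any real Prism or WaterDrop sample. It groups requests by client and destination, flags destinations that are contacted at a nearly constant interval, and marks which of those are plain HTTP. The log format, the documentation-range IP addresses and the thresholds (`min_hits`, `max_cv`) are constructed assumptions for illustration.

```python
"""Flag periodic HTTP beaconing in a proxy/web log.

Added example for this article; not code from AT&T Alien Labs and not based
on any real Prism/WaterDrop indicator. Log lines, hosts and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log (not real traffic): ISO timestamp, client IP, method, URL.
# 10.0.0.5 -> 198.51.100.7 every 300 s over plain HTTP (the pattern we care about)
# 10.0.0.5 -> 203.0.113.9 at irregular intervals (ordinary browsing)
# 10.0.0.7 -> 203.0.113.50 every 60 s over HTTPS (periodic, but encrypted)
SAMPLE_LOG = """\
2021-08-10T10:00:00 10.0.0.5 GET http://198.51.100.7/index.php?id=1
2021-08-10T10:00:02 10.0.0.5 GET http://203.0.113.9/news/today.html
2021-08-10T10:00:45 10.0.0.5 GET http://203.0.113.9/img/logo.png
2021-08-10T10:01:00 10.0.0.7 GET https://203.0.113.50/api/ping
2021-08-10T10:02:00 10.0.0.7 GET https://203.0.113.50/api/ping
2021-08-10T10:03:00 10.0.0.7 GET https://203.0.113.50/api/ping
2021-08-10T10:04:00 10.0.0.7 GET https://203.0.113.50/api/ping
2021-08-10T10:05:00 10.0.0.5 GET http://198.51.100.7/index.php?id=1
2021-08-10T10:05:00 10.0.0.7 GET https://203.0.113.50/api/ping
2021-08-10T10:07:13 10.0.0.5 GET http://203.0.113.9/news/archive.html
2021-08-10T10:10:00 10.0.0.5 GET http://198.51.100.7/index.php?id=1
2021-08-10T10:15:00 10.0.0.5 GET http://198.51.100.7/index.php?id=1
2021-08-10T10:20:00 10.0.0.5 GET http://198.51.100.7/index.php?id=1
2021-08-10T10:30:01 10.0.0.5 GET http://203.0.113.9/news/today.html
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, url)."""
    ts, src, method, url = line.split()
    return datetime.fromisoformat(ts), src, method, url


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Return destinations contacted at a near-constant interval.

    Requests are grouped by (client, scheme, host). A group is reported when it
    has at least min_hits requests and the coefficient of variation of the gaps
    between consecutive requests is at most max_cv (0 means perfectly regular).
    Thresholds are assumptions; real implants often add jitter, so tune max_cv.
    """
    by_dest = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, url = parse_line(line)
        parsed = urlparse(url)
        by_dest[(src, parsed.scheme, parsed.hostname)].append(ts)

    findings = []
    for (src, scheme, host), stamps in by_dest.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "hits": len(stamps),
                "interval_s": round(avg),
                "cv": round(cv, 3),
                # Plain-text C2, as the article describes for WaterDrop, is
                # the case where payload inspection is also possible.
                "plaintext": scheme == "http",
            })
    return sorted(findings, key=lambda f: (f["src"], f["host"]))


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Running the script reports two periodic destinations: the plain-HTTP poll every 300 seconds from 10.0.0.5, and the HTTPS poll every 60 seconds from 10.0.0.7; the irregular browsing to 203.0.113.9 is not reported. The `plaintext` field separates the two cases so an analyst knows where full request and response contents are available for inspection.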

The researchers reason that these backdoors fly under the radar since they are usually used in smaller campaigns.


“Alien Labs expects the adversaries to remain active and conduct operations with this toolset and infrastructure. We will continue to monitor and report any noteworthy findings,” conclude the researchers.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
