Skip to main content

New Linux malware family evades antivirus detection

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock)

Cybersecurity researchers have uncovered severalmalicious Linux binaries that have successfully managed to sneak past most antivirus products.

Upon closer inspection, the researchers at AT&T Alien Labs identified these binaries as modified versions of the open source Prism backdoor that has been used in multiple campaigns earlier.

“We have conducted further investigation of the samples and discovered that several campaigns using these malicious executables have managed to remain active and under the radar for more than 3.5 years. The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November, 2017,” note the researchers.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Calling Prism a “simplistic and straightforward” backdoor that’s easy to detect, the researchers note that the fact the modified binaries have managed to evade detection for several years is perhaps a result of the security infrastructure focussing its efforts on bigger campaigns, allowing smaller ones to slip through the gaps.

Under the radar

One of the variants analyzed by the researchers, named WaterDrop, is easily identifiable, but still manages to maintain a near-zero detection score in the VirusTotal database. Moreover, WaterDrop communications with its command and control (C2) server over plain-text HTTP.

Tracking the evolution of the malware, the researchers note that many use the same C2 server. While the earlier variants of the malware don’t implement any of the common mechanisms malware authors use to avoid being flagged, such as obfuscation, and encryption, the newer variants do, along with a few other modifications.

The researchers reason that these backdoors fly under the radar since they are usually used in smaller campaigns.

“Alien Labs expects the adversaries to remain active and conduct operations with this toolset and infrastructure. We will continue to monitor and report any noteworthy findings,” conclude the researchers.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.