Security News > 2020 > August > Black Hat 2020: Linux Spyware Stack Ties Together 5 Chinese APTs

A stack of Linux backdoor malware used for espionage, compiled dynamically and customizable to specific targets, is being used as a shared resource by five different Chinese-language APT groups, according to researchers.

Finally, the sixth item is the Linux XOR DDoS botnet, which is the largest known Linux botnet, first coming to notice in 2015.

As far as C2 activity, Livelli said that BlackBerry observed hard-coded network callback data inside the attacked organization it investigated, which suggests that the group had already established infrastructure inside the target before deploying the Linux stack.

"How often does the word 'Linux' enter their conversations. Second, for those of us who've had the opportunity to work for vendors, how [deep] are the offerings for Linux compared to the offerings for Mac and Windows. I'm willing to wager that in general, security industry support of the myriad Linux distro and kernel combinations out there pales in comparison to the support given to Windows. It's just economics, you supply the engineering and marketing and sales effort behind the platform that creates the most demand."

According to Livelli, "Linux malware in the hands of government-backed groups has been written about before - Kaspersky Lab has documented its use by the Russian Turla and American Equation Group, and among the Chinese groups we've seen Linux malware research on Deep Panda and APT41 our colleagues at Chronicle. The point here is that we should be watching for this kind of thing."

News URL

https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/