Sophisticated VoidLink malware framework targets Linux cloud servers


Researchers have uncovered a new sophisticated and modular malware framework designed to operate stealthily inside Linux systems and containers. The framework seems to have been designed by Chinese developers with in-depth knowledge of Linux internals and was created to be used against cloud servers.

“The framework, internally referred to by its original developers as VoidLink, is a cloud-first implant written in Zig and designed to operate in modern infrastructure,” researchers from security firm Check Point said in their report. “It can recognize major cloud environments and detect when it is running inside Kubernetes or Docker, then tailor its behavior accordingly.”

Check Point only found samples of the malware that appear to be an in-progress project rather than a completed product. However, the project is mature, and the company’s researchers suspect it won’t be long before the malware is used in real-world attacks, possibly for cyberespionage or supply-chain compromises because it harvests credentials for cloud environments and source code repository management systems.

Highly extensible and customizable

VoidLink draws inspiration from the beacon implant of Cobalt Strike, an adversary simulation framework that has been widely adopted and misused by attackers over the years. The malware uses an API to communicate with additional plug-ins that add a diverse set of capabilities.

By default, the platform comes with 37 plug-ins that can be selected and delivered to the victim to enable additional capabilities. However, the operator can also deliver custom plug-ins. This is controlled through a professional-looking web-based command-and-control (C2) dashboard.

“This interface is localized for Chinese-affiliated operators, but the navigation follows a familiar C2 layout: a left sidebar groups pages into Dashboard, Attack, and Infrastructure,” the researchers said. “The Dashboard section covers the core operator loop (agent manager, built-in terminal, and an implant builder). In contrast, the Attack section organizes post-exploitation activity such as reconnaissance, credential access, persistence, lateral movement, process injection, stealth, and evidence wiping.”

The malware framework is written in Zig, a relatively new programming language that’s an alternative to C and is an unusual choice for malware development. However, the developers have also shown proficiency in other languages such as Go, C, and JavaScript frameworks such as React.

The researchers note that VoidLink is much more advanced than typical Linux malware, with a well-designed core component handling state, communication, and task execution that is delivered through a two-stage loader. Operators can deliver additional code to be executed in the form of plug-ins.

Cloud reconnaissance and adaptability

The malware was designed to detect whether it’s being executed on various cloud platforms such as AWS, GCP, Azure, Alibaba, and Tencent and then to start leveraging those vendors’ management APIs. The code suggests the developers plan to add detections for Huawei, DigitalOcean, and Vultr in the future.

The malware collects extensive amounts of information about the machine and environment it runs in, including whether it’s a Docker container or a Kubernetes pod. It then can execute post-exploitation modules that attempt privilege escalation through container escapes or lateral movement to other containers.

“Ultimately, the goal of this implant appears to be stealthy, long-term access, surveillance, and data collection,” the researchers said, adding that developers might be a target for initial delivery.

Another interesting aspect is that the malware has a sophisticated algorithm through which it adapts its operations based on the security posture of the environment. It will scan for common Linux endpoint detection and response (EDR) tools and kernel hardening technologies and then calculate a risk score for the environment, which is then used to select a detection evasion strategy.

The malware also has multiple rootkit components with deployment strategies for different versions of the Linux kernel and will deploy them based on the environment in which it runs. These rootkit modules hide the malware’s processes, files, and network sockets.
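A process-hiding rootkit of the kind described above typically filters what `/proc` reports to `ps` and `top`, but the kernel still knows the process exists. The classic cross-view check compares the `/proc` directory listing against a signal-0 probe of every possible PID. The following is an added defender-side example, not code from Check Point's report or from VoidLink itself; the collectors assume a Linux host, and `hidden_pids` is a pure function so the comparison logic can be exercised on constructed sets.

```python
import os

def listed_pids():
    """PIDs visible through the /proc directory listing (what ps and top rely on)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probed_pids(pid_max=None):
    """PIDs that answer a kill(pid, 0) probe, independent of /proc visibility.

    ProcessLookupError means no such PID; PermissionError means the PID exists
    but belongs to another user, which still counts as alive."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def hidden_pids(listed, probed):
    """PIDs alive according to the kernel probe but missing from the /proc listing.

    Takes the two views as plain sets so the comparison can be run on captured
    or constructed data; a non-empty result is a rootkit indicator worth triage."""
    return sorted(set(probed) - set(listed))

def cross_view_check(pid_max=None):
    """Collect both views twice and intersect them to suppress processes that
    happened to start or exit between the two scans (race reduction)."""
    listed = listed_pids() | listed_pids()
    probed = probed_pids(pid_max) & probed_pids(pid_max)
    return hidden_pids(listed, probed)

if __name__ == "__main__":
    suspicious = cross_view_check()
    print("hidden candidates:", suspicious or "none")
```

On a default 64-bit system `pid_max` is in the millions, so the probe takes a few seconds in Python; the result is only as trustworthy as the `kill` syscall, so a rootkit that also hooks signal delivery will not be caught by this check alone and the output should be corroborated from a trusted host or a memory image.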

C2 traffic is hidden in multiple ways, including as encrypted data in PNGs or JS, HTML, or CSS files, making it hard to detect at the network layer.
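The report only says that C2 data is carried inside PNG and web asset files, not how it is embedded. A common way to smuggle an encrypted payload in a PNG is to append it after the IEND chunk or to park it in a private or oversized ancillary chunk, and a file-structure scanner can surface both without needing to know the cipher. The code below is an added example written for this article, not tooling from Check Point or the VoidLink project; the IEND-trailer and private-chunk heuristics are assumptions about plausible embedding, and the sample image is constructed in memory.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types from the PNG specification plus commonly registered extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}

def _chunk(ctype, data):
    """Serialize one chunk with a correct CRC (used only to build the constructed sample)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_minimal_png():
    """Constructed 1x1 8-bit grayscale PNG: signature + IHDR + IDAT + IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x00"  # filter type 0 followed by one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw_scanline)) + _chunk(b"IEND", b""))

def scan_png(blob, max_text_chunk=4096):
    """Walk the chunk list and return a list of (finding, detail) tuples.

    Findings: bad-signature, bad-crc, unknown-chunk, oversized-text,
    trailing-data (bytes after IEND), truncated. An empty list means the
    file is structurally ordinary."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return [("bad-signature", blob[:8].hex())]
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode("latin-1")
        data_start = pos + 8
        data_end = data_start + length
        if data_end + 4 > len(blob):
            findings.append(("truncated", name))
            return findings
        data = blob[data_start:data_end]
        stored_crc = struct.unpack(">I", blob[data_end:data_end + 4])[0]
        if stored_crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append(("bad-crc", name))
        if ctype not in KNOWN_CHUNKS:
            findings.append(("unknown-chunk", f"{name} len={length}"))
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and length > max_text_chunk:
            findings.append(("oversized-text", f"len={length}"))
        pos = data_end + 4
        if ctype == b"IEND":
            if pos < len(blob):
                findings.append(("trailing-data", f"{len(blob) - pos} bytes after IEND"))
            return findings
    findings.append(("truncated", "no IEND chunk"))
    return findings

if __name__ == "__main__":
    clean = build_minimal_png()
    print("clean:", scan_png(clean))
    print("appended payload:", scan_png(clean + b"\x17" * 64))
```

Run it over a web root or a proxy's cached image objects and treat `trailing-data`, `unknown-chunk`, and `bad-crc` as triage signals rather than verdicts: image editors occasionally emit private chunks, so the value is in the baseline, and a file that renders correctly yet carries kilobytes past IEND is the case worth opening.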

“VoidLink aims to automate evasion as much as possible, profiling an environment and choosing the most suitable strategy to operate in it,” the researchers said. “Augmented by kernel mode tradecraft and a vast plugin ecosystem, VoidLink enables its operators to move through cloud environments and container ecosystems with adaptive stealth.”

While malware for Linux is less common and often less sophisticated than malware programs for Windows, VoidLink stands out as a unique and highly capable framework. Even if it’s not totally clear whether this malware is intended to be a product for cybercriminals or a future commercial penetration-testing framework of sorts, it serves as an example of the type of threats organizations should be prepared to defend against in their Linux-based cloud environments.
