Cybercriminals Target Linux-based Systems With Ransomware and Cryptojacking Attacks


PALO ALTO, Calif. – As the most common cloud operating system, Linux is a core part of digital infrastructure and is quickly becoming an attacker's ticket into a multi-cloud environment. Current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks that target Linux-based workloads.

Today, VMware, Inc. (NYSE: VMW) released a threat report titled "Exposing Malware in Linux-based Multi-Cloud Environments."(1) Key findings that detail how cybercriminals are using malware to target Linux-based operating systems include:

  • Ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments;
  • 89 percent of cryptojacking attacks use XMRig-related libraries; and
  • More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.

"Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible," said Giovanni Vigna, senior director of threat intelligence at VMware. "Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they're looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems."

As malware targeting Linux-based operating systems increases in both volume and complexity amid a rapidly changing threat landscape, organizations must place a greater priority on threat detection. In this report, the VMware Threat Analysis Unit (TAU) analyzed the threats to Linux-based operating systems in multi-cloud environments: ransomware, cryptominers, and remote access tools.

Ransomware Targets the Cloud to Inflict Maximum Damage

Ransomware is one of the leading breach causes for organizations, and a successful ransomware attack on a cloud environment can have devastating consequences.(2) Ransomware attacks against cloud deployments are targeted, and are often combined with data exfiltration, implementing a double-extortion scheme that improves the odds of success. A new development shows that ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments. Attackers are now looking for the most valuable assets in cloud environments to inflict the maximum amount of damage on the target. Examples include the Defray777 ransomware family, which encrypted host images on ESXi servers, and the DarkSide ransomware family, which crippled Colonial Pipeline's networks and caused a nationwide gasoline shortage in the U.S.

Cryptojacking Attacks Use XMRig to Mine Monero

Cybercriminals looking for an instant monetary reward often target cryptocurrencies using one of two approaches. They either include wallet-stealing functionality in malware, or they monetize stolen CPU cycles to mine cryptocurrency in an attack called cryptojacking. Most cryptojacking attacks focus on mining the Monero currency (XMR), and VMware TAU found that 89 percent of cryptominers used XMRig-related libraries. For this reason, when XMRig-specific libraries and modules are identified in Linux binaries, it is likely evidence of malicious cryptomining behavior. VMware TAU also observed that defense evasion is the most commonly used technique among cryptominers. Unfortunately, because cryptojacking attacks do not completely disrupt the operations of cloud environments the way ransomware does, they are much harder to detect.
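The detection heuristic above (XMRig-specific strings in an ELF binary as evidence of cryptomining) can be turned into a quick triage check. The following is an added example and not code from the VMware TAU report; the indicator strings, the scoring thresholds and the sample byte blobs are assumptions drawn from public XMRig builds and constructed for illustration. It also covers the caveat the paragraph raises: when a binary is packed (UPX marker present) the strings are hidden, so the scan reports the result as inconclusive rather than clean.

```python
"""
Heuristic triage of Linux ELF binaries for XMRig-related indicators.

Added example, not code from the VMware TAU report. The indicator strings
and the scoring thresholds are assumptions drawn from public XMRig builds
(option names, pool URL scheme, algorithm names); tune them to your corpus.
"""
import re
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"  # left in the file by the UPX packer, a common evasion step

# Strings that usually survive in an unpacked XMRig-derived binary (assumption).
XMRIG_INDICATORS: List[bytes] = [
    b"xmrig",
    b"stratum+tcp://",
    b"stratum+ssl://",
    b"cryptonight",
    b"randomx",
    b"donate-level",
    b"cpu-max-threads-hint",
    b"nicehash",
]

# Pool endpoint embedded in the miner config or argv; host:port is a useful IOC.
POOL_RE = re.compile(rb"stratum\+(?:tcp|ssl)://([a-z0-9._-]+):(\d{2,5})")


def scan_bytes(data: bytes) -> Dict[str, object]:
    """Classify one binary's contents.

    Two or more distinct indicators -> 'xmrig-likely'.
    A UPX marker with fewer than two hits -> 'packed-inconclusive' (defense
    evasion hides the strings; unpack or run it in a sandbox before deciding).
    One hit -> 'weak-indicator'; nothing -> 'no-indicator'.
    """
    lower = data.lower()
    hits = [ind.decode() for ind in XMRIG_INDICATORS if ind in lower]
    pools = sorted({f"{h.decode()}:{p.decode()}" for h, p in POOL_RE.findall(lower)})
    packed = UPX_MAGIC in data
    if len(hits) >= 2:
        verdict = "xmrig-likely"
    elif packed:
        verdict = "packed-inconclusive"
    elif hits:
        verdict = "weak-indicator"
    else:
        verdict = "no-indicator"
    return {
        "is_elf": data[:4] == ELF_MAGIC,
        "packed": packed,
        "hits": hits,
        "pools": pools,
        "verdict": verdict,
    }


def scan_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples (not real malware): a minimal ELF e_ident prefix followed
# by the kind of strings each case would carry.
_ELF_PREFIX = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9

SAMPLE_MINER = _ELF_PREFIX + (
    b"XMRig/6.16.4\x00--donate-level=1\x00"
    b"-o stratum+tcp://pool.example.net:3333\x00randomx\x00"
)
SAMPLE_PACKED = _ELF_PREFIX + b"UPX!\x00" + b"\xa5" * 64
SAMPLE_BENIGN = _ELF_PREFIX + b"GCC: (GNU) 11.2.0\x00libc.so.6\x00"

if __name__ == "__main__":
    for name, blob in (("miner", SAMPLE_MINER), ("packed", SAMPLE_PACKED), ("benign", SAMPLE_BENIGN)):
        print(name, scan_bytes(blob))
```

Run it over a directory of binaries with `scan_file` and treat `packed-inconclusive` as a queue for dynamic analysis rather than a pass: a string scan alone is exactly what the defense-evasion techniques the report describes are meant to defeat.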

Cobalt Strike Is Attackers' Remote Access Tool of Choice

In order to gain control and persist within an environment, attackers look to install an implant on a compromised system that gives them partial control of the machine. Malware, webshells, and Remote Access Tools (RATs) can all serve as implants on a compromised system to allow for remote access. One of the primary implants used by attackers is Cobalt Strike, a commercial penetration testing and red team tool, and its recent Linux-based variant, Vermilion Strike. Since Cobalt Strike is such a ubiquitous threat on Windows, the expansion to Linux-based operating systems demonstrates the desire of threat actors to use readily available tools that target as many platforms as possible.

VMware TAU discovered more than 14,000 active Cobalt Strike Team Servers on the Internet between February 2020 and November 2021. The total percentage of cracked and leaked Cobalt Strike customer IDs is 56 percent, meaning that more than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly. The fact that RATs like Cobalt Strike and Vermilion Strike have become commodity tools for cybercriminals poses a significant threat to enterprises.

"Since we conducted our analysis, even more ransomware families have been observed gravitating to malware targeting Linux-based systems, with the potential for additional attacks that could leverage the Log4j vulnerabilities," said Brian Baskin, manager of threat research at VMware. "The findings in this report can be used to better understand the nature of this malware and mitigate the growing threat that ransomware, cryptomining, and RATs pose to multi-cloud environments. As attacks targeting the cloud continue to evolve, organizations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface."

Download the full report here.


The VMware Threat Analysis Unit (TAU) helps protect customers from cyberattacks through innovation and world-class research. TAU consists of malware analysts, reverse engineers, threat hunters, data scientists, and intelligence analysts at VMware. To understand how to detect and prevent attacks that bypass traditional, file-centric prevention strategies, TAU focuses on techniques that were once the domain of advanced hackers and are now moving downstream into the commodity attack market. The team leverages real-time big data, event stream processing, static, dynamic and behavioral analytics, and machine learning.

TAU applied a combination of static and dynamic techniques to characterize various families of malware observed on Linux-based systems, based on a curated dataset of metadata associated with Linux binaries. All the samples in this dataset are public and can therefore be easily accessed through VirusTotal or the websites of major Linux distributions. TAU collected more than 11,000 benign samples from several Linux distributions, namely Ubuntu, Debian, Mint, Fedora, CentOS, and Kali. TAU then collected a dataset of samples for two classes of threats, namely ransomware and cryptominers. Finally, TAU collected a dataset of malicious ELF binaries from VirusTotal that was used as a malicious test dataset. TAU began collecting the dataset in June 2021 and concluded in November 2021.

About VMware

VMware is a leading provider of multi-cloud services for all apps, enabling digital innovation with enterprise control. As a trusted foundation to accelerate innovation, VMware software gives businesses the flexibility and choice they need to build the future. Headquartered in Palo Alto, California, VMware is committed to building a better future through the company's 2030 Agenda. For more information, please visit

Sources & Citations

  1. Exposing Malware in Linux-Based Multi-Cloud Environments, VMware, February 2022
  2. Global Security Insights Report, VMware, June 2021
