The article discusses Linux defense evasion techniques detected by AhnLab EDR, highlighting methods like auto-deletion of running malware and log/file removal to hide activities. It explains how AhnLab EDR identifies these behaviors for proactive detection and incident analysis, with examples including NoodRAT, Gh0stRAT, BlueShell, Kinsing, Team TNT, and RedXOR. #NoodRAT #Gh0stRAT #BlueShell #Kinsing #TeamTNT #RedXOR
Keypoints
- Linux defense-evasion techniques include auto-deletion of malware after execution to run only in memory and evade file detection (examples: NoodRAT, Gh0stRAT, BlueShell).
- Threat actors delete log files (e.g., Syslog) and user command histories (e.g., Bash history) to conceal activities (examples: Kinsing, Team TNT).
- Suspicious permission changes during installation, such as making a script executable or world-writable, are observed (example: RedXOR sets mode 777 on a startup script).
- AhnLab EDR detects these defense-evasion behaviors and provides visibility, analysis, and proactive threat hunting for Linux endpoints.
- The article emphasizes the need for defenders to rely on behavioral detection and evidentiary data for post-incident investigations.
- References to related ASEC posts and the MITRE ATT&CK mapping illustrate how the techniques align with known TTPs.
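Two of the evasion patterns above leave a host-side footprint a defender can check for: a process whose binary was unlinked after launch (the self-deletion pattern), and a boot-time script that anyone can modify (the RedXOR 777 pattern). The following is an added example, not code from the ASEC article or from AhnLab EDR; the sample pids, link targets and modes are constructed, and the live-host helpers assume a Linux /proc and /etc/init.d layout.

```python
import os
import stat

# Constructed sample of /proc/<pid>/exe link targets as os.readlink returns them
# (illustrative data, not captured from a real host).
SAMPLE_PROC_EXE = {
    1234: "/usr/sbin/sshd",
    4321: "/tmp/.x/update (deleted)",  # unlinked after launch: lives in memory only
    5555: "/root/.po1kitd.thumb/.po1kitd-update-k",
}

# Constructed (path, st_mode) pairs for /etc/init.d entries.
SAMPLE_INIT_SCRIPTS = [
    ("/etc/init.d/ssh", stat.S_IFREG | 0o755),
    ("/etc/init.d/po1kitd-update", stat.S_IFREG | 0o777),
]

def find_deleted_executables(proc_exe):
    """Pids whose binary was unlinked after execution. The kernel appends
    " (deleted)" to the /proc/<pid>/exe target once the file is gone, which is
    the footprint of self-deleting malware such as NoodRAT, Gh0stRAT or BlueShell."""
    return sorted(pid for pid, target in proc_exe.items() if target.endswith(" (deleted)"))

def world_writable_startup_scripts(scripts):
    """Startup scripts anyone can modify (mode 777 and similar): the RedXOR
    pattern of chmod 777 on /etc/init.d/po1kitd-update."""
    return [path for path, mode in scripts if mode & stat.S_IWOTH]

def read_live_proc_exe():
    """Collect /proc/<pid>/exe targets on the running host (root sees all pids)."""
    targets = {}
    if not os.path.isdir("/proc"):
        return targets
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                targets[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:  # kernel threads, or the process exited mid-scan
                continue
    return targets

def read_live_init_scripts(init_dir="/etc/init.d"):
    """Collect (path, st_mode) for every entry under init_dir."""
    if not os.path.isdir(init_dir):
        return []
    return [(p, os.stat(p).st_mode) for p in (os.path.join(init_dir, n) for n in os.listdir(init_dir))]
```

Feeding `read_live_proc_exe()` and `read_live_init_scripts()` into the two check functions runs the same logic against a real host; a hit on either is a lead to pivot into process ancestry and command history, not proof of compromise on its own.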
MITRE Techniques
- [T1070.001] Indicator Removal on Host: File Deletion – Deleting logs such as Syslog to erase evidence of commands executed or activities performed by malware. ‘Deleting logs such as Syslog to conceal the commands or behaviors they executed.’
- [T1070.003] Indicator Removal on Host: Clear Bash History – Deleting the .bash_history file to hide command execution history from shell sessions. ‘The .bash_history file which contains the commands that the user entered in shells such as Bash may also be deleted by the threat actor.’
- [T1222] File and Directory Permissions Modification – Granting elevated permissions (777) to a startup script and registering it to run after reboot. ‘It grants the 777 privilege to the “/etc/init.d/po1kitd-update” script which is in charge of the aforementioned process.’
- [T1071.001] Application Layer Protocol: Application Layer Protocol – Malware like RedXOR communicates with a C&C server to receive commands. ‘In the context of malware like RedXOR that communicates with a C&C server, this technique involves using application layer protocols to receive commands.’
- [T1203] Exploit Public-Facing Application – Exploiting vulnerabilities in poorly managed Docker containers or servers (e.g., Kinsing). ‘exploits vulnerabilities in poorly managed Docker containers or servers.’
- [T1071.003] Application Layer Protocol: Custom Protocol – Custom protocols might be used for C2 communications by malware such as RedXOR. ‘Custom protocols might be used for command and control communications by malware such as RedXOR.’
- [T1040] Network Sniffing – Not directly mentioned in the article, but related to some methods of privilege escalation and malware operation. ‘Not directly mentioned in the article, but related to some methods of privilege escalation and malware operation.’
Indicators of Compromise
- [Malware] context – NoodRAT, Gh0stRAT, BlueShell, Kinsing, Team TNT, RedXOR
- [File] context – /var/log/syslog, .bash_history
- [File] context – /root/.po1kitd.thumb/.po1kitd-update-k, /etc/init.d/po1kitd-update
Read more: https://asec.ahnlab.com/en