Keypoints
- Linodas is a distinct Linux branch of DinodasRAT (v11) with Linux-specific development and separate internal versioning.
- The implant achieves persistence via multiple methods (systemd/rc.local on Ubuntu, init.d and rc.local on Red Hat distributions) and re-executes itself as a daemon.
- Configuration is read from /etc/.netsc.conf; if missing, a unique bot ID is generated from MAC, dmidecode output, md5, random number, and timestamp.
- The backdoor spawns monitoring and helper threads for logged-in user checks, C2 connection health, module download/install, user-activity logging, and reverse-shell cleanup.
- Linodas communicates with hardcoded C2(s) (e.g., update.microsoft-setting[.]com:443) over TCP or UDP, sends periodic heartbeats, and supports numerous remote commands including file operations, reverse shells, and module management.
- Version v11 adds a filter module (ntfsys.so6) that replaces system binaries, proxies their execution, and filters output to hide IPs, usernames, or process names from system utilities.
MITRE Techniques
- [T1059.004] Command and Scripting Interpreter – Uses Unix shell commands for file manipulation, process execution, and enumeration (‘uses Unix shell commands for various operations, including file manipulation, process execution, and system enumeration.’)
- [T1543.003] Create or Modify System Process: Systemd Service – Modifies/creates systemd rc.local service to achieve persistence on Ubuntu (‘writes … /lib/systemd/system/rc.local.service’ and ‘adds … /etc/rc.local’)
- [T1569.002] System Services: Service Execution – Installs init.d scripts and uses chkconfig to register as a service on Red Hat systems (‘writes … /etc/init.d/[SELF_FILE_NAME]’ and runs `chkconfig --add`)
- [T1070.004] Indicator Removal on Host – Alters file timestamps to blend malware artifacts with legitimate files (`touch -d "2010-09-08 12:23:02" [SELF_FILE_PATH]`)
- [T1105] Ingress Tool Transfer – Downloads additional modules and saves them on disk (e.g., ntfsys.so6) from C2 for later execution (‘save a newly received file with the same name’)
- [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – Replaces system binaries with a filter module to proxy execution and modify output (‘substituted certain binaries in the system with the filter module’ and ‘module starts every time the system tries to use the replaced binary’)
- [T1041] Exfiltration Over C2 Channel – Sends collected user-activity logs and files back to C2 and maintains heartbeat/communication channels (‘logs and sent to the C2 server’ and ‘heartbeat’ content)
- [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTPS-style C2 domain/port for covert communication (e.g., ‘update.microsoft-setting[.]com:443’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Filters outputs of monitoring utilities (who, netstat, ps) via the filter module to hide artifacts (‘the module … filters any values … from various information-gathering binaries such as who, netstat, ps’)
- [T1056.001] Input Capture: Keylogging (suggested) – Capability to monitor logged-in users and capture activity suggests potential input capture/credential collection (‘collecting user activity through various files such as: /var/run/utmp /var/log/wtmp /var/log/lastlog’)
Indicators of Compromise
- [SHA256] Sample hashes – ebdf3d3e0867b29e66d8b7570be4e6619c64fae7e1fbd052be387f736c980c8e, 6302acdfce30cec5e9167ff7905800a6220c7dda495c0aae1f4594c7263a29b2, and 5 more hashes
- [Domain] C2 server – update.microsoft-setting[.]com (C2 hostname used in latest v11 samples)
- [File path] Configuration and marker files – /etc/.netsc.conf (primary config storing ‘imei’ bot id), /usr/lib/libsysattr.so (instructions file) and /usr/lib/libsysattr.a
- [Filename] Deployed module/binary names – ntfsys (executable name used to masquerade as NTFS-related file), ntfsys.so6 (filter module)
On execution Linodas checks for a daemon invocation and, if absent, re-executes itself with arguments to run as a background daemon. It achieves persistence via multiple Linux-specific methods: on Ubuntu it creates or enables an rc.local systemd service and writes an /etc/rc.local wrapper; on Red Hat variants it installs an init.d script and uses chkconfig, and it can also append itself to /etc/rc.d/rc.local. The implant sets file timestamps to blend with legitimate files and stores configuration in /etc/.netsc.conf, generating a unique bot ID by combining MAC, dmidecode output, md5, a random number, and a timestamp when an imei value is absent.
The main implant performs system enumeration, reads mode/checkroot flags from its config, resolves and connects to hardcoded C2(s) (example: update.microsoft-setting[.]com:443) over TCP or UDP, and spawns threads for (1) monitoring logged-in users and closing C2 if non-local sessions exist, (2) C2 connection health and reconnection, (3) filter-module download and deployment, (4) user-activity logging and exfiltration, and (5) cleaning stale reverse-shell sessions. It sends recurring heartbeats containing distribution, architecture, privilege marker, constants, UDP packet length, and its self-path, and supports a broad set of C2 commands for file ops, process/service control, reverse shells, module execution, config updates, and read/write of local files and logs.
v11 introduces a filter module (ntfsys.so6) that is deployed to replace selected system binaries. The module proxies execution of the original binaries (backed up as [binary].a), executes them while capturing stdout/stderr, and filters output lines that match configured IPs or names (stored in /usr/lib/libsysattr.a), thereby hiding network and process artifacts from utilities like who, netstat, and ps. This mechanism acts as a lightweight rootkit to conceal reverse shells, logged-in sessions, and other traces while enabling remote operators to maintain stealthy presence and pivot from compromised Linux hosts.
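The persistence, configuration and filter-module artifacts described in the two paragraphs above give a defender a concrete set of host indicators to hunt for. The script below is an added example, not code from the Check Point report or from the malware: it walks a filesystem root and reports the marker files (/etc/.netsc.conf, /usr/lib/libsysattr.so, /usr/lib/libsysattr.a), rc.local / init.d entries that reference the ntfsys name, `[binary].a` backups left beside who/netstat/ps by the filter module, files whose mtime matches the hardcoded timestomp date, and files matching the two SHA256 hashes listed on the page. The `make_constructed_fixture()` helper builds a throwaway directory of constructed sample artifacts so the scan can be exercised offline; the finding-type labels are my own naming, and the path list is limited to what the page mentions.

```python
# Added example (not from the report): host hunt for Linodas artifacts named on the page.
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Marker/config files named in the report (relative to the scanned root)
MARKER_FILES = ("etc/.netsc.conf", "usr/lib/libsysattr.so", "usr/lib/libsysattr.a")
# Persistence entries the implant writes or appends to on Ubuntu / Red Hat
PERSISTENCE_FILES = ("lib/systemd/system/rc.local.service", "etc/rc.local", "etc/rc.d/rc.local")
INITD_DIR = "etc/init.d"
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")
FILTERED_UTILS = ("who", "netstat", "ps")          # binaries the filter module proxies
IMPLANT_NAME = "ntfsys"                             # masqueraded executable / module name
KNOWN_SHA256 = {                                    # the two hashes given on the page
    "ebdf3d3e0867b29e66d8b7570be4e6619c64fae7e1fbd052be387f736c980c8e",
    "6302acdfce30cec5e9167ff7905800a6220c7dda495c0aae1f4594c7263a29b2",
}
# `touch -d "2010-09-08 12:23:02"` sets mtime in local time, so parse it the same way
TIMESTOMP_EPOCH = int(datetime.strptime("2010-09-08 12:23:02", "%Y-%m-%d %H:%M:%S").timestamp())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str) -> list:
    """Return (finding_type, relative_path) tuples for artifacts found under root."""
    base = Path(root)
    findings = []
    for rel in MARKER_FILES:
        if (base / rel).exists():
            findings.append(("marker_file", rel))
    for rel in PERSISTENCE_FILES:
        p = base / rel
        if p.is_file() and IMPLANT_NAME in p.read_text(errors="replace"):
            findings.append(("persistence_entry", rel))
    initd = base / INITD_DIR
    if initd.is_dir():
        for p in initd.iterdir():
            if IMPLANT_NAME in p.name:
                findings.append(("initd_script", f"{INITD_DIR}/{p.name}"))
    for d in BIN_DIRS:
        bindir = base / d
        if not bindir.is_dir():
            continue
        for p in bindir.iterdir():
            if not p.is_file():
                continue
            rel = f"{d}/{p.name}"
            # the filter module keeps the original utility as [binary].a next to the replacement
            if p.suffix == ".a" and p.stem in FILTERED_UTILS:
                findings.append(("proxied_binary_backup", rel))
            if int(p.stat().st_mtime) == TIMESTOMP_EPOCH:
                findings.append(("timestomped_file", rel))
            if sha256_file(p) in KNOWN_SHA256:
                findings.append(("known_sample_hash", rel))
    return findings


def make_constructed_fixture() -> str:
    """Build a temporary tree of constructed (harmless) artifacts mirroring the report's paths."""
    root = Path(tempfile.mkdtemp(prefix="linodas-hunt-"))
    for rel in ("etc/.netsc.conf", "usr/lib/libsysattr.a"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("imei=constructed-sample\n")
    (root / "etc/rc.local").write_text("#!/bin/sh\n/usr/bin/ntfsys &\n")   # constructed wrapper
    (root / "etc/init.d").mkdir(parents=True, exist_ok=True)
    (root / "etc/init.d/ntfsys").write_text("#!/bin/sh\n# constructed init script\n")
    usrbin = root / "usr/bin"
    usrbin.mkdir(parents=True, exist_ok=True)
    (usrbin / "who").write_text("constructed stand-in for the replaced binary\n")
    (usrbin / "who.a").write_text("constructed stand-in for the backed-up original\n")
    os.utime(usrbin / "who", (TIMESTOMP_EPOCH, TIMESTOMP_EPOCH))      # simulate the timestomp
    return str(root)


if __name__ == "__main__":
    for kind, rel in sorted(hunt(make_constructed_fixture())):
        print(f"{kind:24s} {rel}")
```

Run it against `/` on a live host (`hunt("/")`) or against a mounted forensic image root; the mtime check is the cheapest of the five and is a useful first pass, since a legitimate system binary with exactly that second-precision timestamp is unlikely. Hash matching only catches the two listed samples, so treat the path- and backup-based findings as the primary signal.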
Read more: https://research.checkpoint.com/2024/29676/