NEW KID ON THE BLOCK

Never-before-seen Linux malware is “far more advanced than typical”

VoidLink includes an unusually broad and advanced array of capabilities.

Dan Goodin | 48
Credit: Getty Images

Researchers have discovered a never-before-seen framework that infects Linux machines with a wide assortment of modules that are notable for the range of advanced capabilities they provide to attackers.

The framework, referred to as VoidLink by its source code, features more than 30 modules that can be used to customize capabilities to meet attackers’ needs for each infected machine. These modules can provide additional stealth and specific tools for reconnaissance, privilege escalation, and lateral movement inside a compromised network. The components can be easily added or removed as objectives change over the course of a campaign.

A focus on Linux inside the cloud

VoidLink can tailor its behavior to machines inside popular cloud services by detecting whether an infected host is running on AWS, GCP, Azure, Alibaba Cloud, or Tencent Cloud, and there are indications that its developers plan to add detection for Huawei, DigitalOcean, and Vultr in future releases. To identify the hosting provider, VoidLink queries each vendor's instance metadata API and examines the response.

Similar frameworks targeting Windows servers have flourished for years; they are far less common on Linux. VoidLink's feature set is unusually broad and "far more advanced than typical Linux malware," said researchers from Check Point, the security firm that discovered it. Its creation may indicate that attackers' focus is expanding to include Linux systems, cloud infrastructure, and application deployment environments as organizations move more of their workloads there.

“VoidLink is a comprehensive ecosystem designed to maintain long-term, stealthy access to compromised Linux systems, particularly those running on public cloud platforms and in containerized environments,” the researchers said in a separate post. “Its design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers, raising the stakes for defenders who may never realize their infrastructure has been quietly taken over.”

The VoidLink interface is localized for Chinese-affiliated operators, an indication that it likely originates from a Chinese-affiliated development environment. Symbols and comments within the source code suggest that VoidLink remains under development. Another sign the framework is not yet finished: Check Point found no evidence it has infected any machines in the wild. Company researchers discovered it last month in a series of Linux malware clusters uploaded to VirusTotal.

The batch of binaries included a two-stage loader. The final implant embeds a set of core modules that can be augmented by plugins downloaded and installed at runtime. The capabilities of the 37 modules discovered so far include:

  • Cloud-first tradecraft. In addition to cloud detection, these modules collect “vast amounts of information about the infected machine, enumerating its hypervisor and detecting whether it is running in a Docker container or a Kubernetes pod.”
  • Plugin development APIs. VoidLink offers an “extensive development API” that’s set up during the malware’s initialization.
  • Adaptive stealth. VoidLink enumerates installed security products and hardening measures.
  • Rootkit functions that allow VoidLink to blend in with normal system activity.
  • Command and control implemented through what appear to be legitimate outward network connections.
  • Anti-analysis by employing anti-debugging techniques and integrity checks to identify common analysis tools.
  • A plugin system that allows VoidLink to evolve from an implant to a “fully featured post-exploitation framework.”
  • Recon that provides “detailed system and environment profiling, user and group enumeration, process and service discovery, filesystem and mount mapping, and mapping of local network topology and interfaces.”
  • Credential harvesting of SSH keys, passwords, and cookies stored by browsers, git credentials, authentication tokens, API keys, and items stored in the system keyring.
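The Docker, Kubernetes, and hypervisor profiling mentioned in the first bullet, as an added example written for this page rather than VoidLink's own code: it uses the ordinary Linux signals for each (DMI vendor strings under /sys/class/dmi/id, the cpuinfo hypervisor flag, /.dockerenv, /proc/1/cgroup and /proc/1/mountinfo, the service-account token, and KUBERNETES_SERVICE_HOST). The `Host` indirection and the two constructed hosts are assumptions made so it runs offline; the same checks are what a defender's own inventory script runs, so nothing here is attacker-specific.

```python
"""Execution-environment profiling: hypervisor, Docker, Kubernetes (added example)."""
import os
from typing import Callable, Dict, Mapping, Optional


class Host:
    """File access and environment, injected so a constructed host can be profiled."""
    def __init__(self, read: Callable[[str], str], exists: Callable[[str], bool],
                 env: Mapping[str, str]):
        self.read, self.exists, self.env = read, exists, env


def real_host() -> Host:
    def read(path: str) -> str:
        try:
            with open(path, errors="replace") as f:
                return f.read()
        except OSError:  # missing, or unreadable as non-root
            return ""
    return Host(read, os.path.exists, os.environ)


def fake_host(files: Dict[str, str], env: Optional[Dict[str, str]] = None) -> Host:
    """Constructed host for offline use: `files` maps absolute paths to contents."""
    return Host(lambda p: files.get(p, ""), lambda p: p in files, env or {})


# Firmware DMI strings; first match wins, so specific vendors precede generic ones.
DMI_VENDORS = [
    ("amazon ec2", "kvm (EC2 Nitro)"),
    ("xen", "xen"),
    ("google", "kvm (Google Compute Engine)"),
    ("microsoft corporation", "hyper-v"),
    ("vmware", "vmware"),
    ("innotek", "virtualbox"),
    ("qemu", "qemu/kvm"),
]


def detect_hypervisor(h: Host) -> Optional[str]:
    dmi = " ".join(h.read(p).strip() for p in (
        "/sys/class/dmi/id/sys_vendor", "/sys/class/dmi/id/product_name")).lower()
    for needle, name in DMI_VENDORS:
        if needle in dmi:
            return name
    # Fallback: the CPUID-derived flag the kernel exposes. It says "some
    # hypervisor" without naming it, but is readable where DMI is not.
    if "hypervisor" in h.read("/proc/cpuinfo"):
        return "unknown hypervisor (cpuinfo flag)"
    return None


def detect_container(h: Host) -> Dict[str, bool]:
    cgroup = h.read("/proc/1/cgroup")
    mountinfo = h.read("/proc/1/mountinfo")
    # Under cgroup v2 /proc/1/cgroup is just "0::/" inside a container, so the
    # substring test alone misses modern Docker; /.dockerenv and the bind-mounted
    # /var/lib/docker/containers/<id>/ files in mountinfo still give it away.
    docker = (h.exists("/.dockerenv")
              or "docker" in cgroup
              or "/docker/containers/" in mountinfo)
    kubernetes = ("KUBERNETES_SERVICE_HOST" in h.env
                  or h.exists("/run/secrets/kubernetes.io/serviceaccount/token")
                  or "kubepods" in cgroup)
    return {"docker": docker, "kubernetes": kubernetes}


def profile(h: Host) -> Dict[str, object]:
    out: Dict[str, object] = {"hypervisor": detect_hypervisor(h)}
    out.update(detect_container(h))
    return out


# Constructed: a pod on a containerd-based EC2 Nitro node, cgroup v2, no .dockerenv.
EC2_POD = fake_host(
    {"/sys/class/dmi/id/sys_vendor": "Amazon EC2\n",
     "/sys/class/dmi/id/product_name": "m5.large\n",
     "/proc/1/cgroup": "0::/\n",
     "/run/secrets/kubernetes.io/serviceaccount/token": "eyJ.constructed.token"},
    {"KUBERNETES_SERVICE_HOST": "10.96.0.1"},
)

# Constructed: a plain Docker container on a VMware guest, cgroup v2.
VMWARE_DOCKER = fake_host(
    {"/sys/class/dmi/id/sys_vendor": "VMware, Inc.\n",
     "/sys/class/dmi/id/product_name": "VMware Virtual Platform\n",
     "/proc/1/cgroup": "0::/\n",
     "/.dockerenv": "",
     "/proc/1/mountinfo": "99 80 0:40 /var/lib/docker/containers/abc123/hostname /etc/hostname rw\n"},
)

if __name__ == "__main__":
    print("constructed EC2 pod:     ", profile(EC2_POD))
    print("constructed Docker on VM:", profile(VMWARE_DOCKER))
    print("this host:               ", profile(real_host()))
```

Each signal on its own is weak (cgroup v2 hides the container path, DMI may be unreadable to an unprivileged process, the service-account token can be disabled with automountServiceAccountToken: false), which is why a profiler combines several; the combination is also why a defender cannot hide a host's nature from an implant that already runs on it, and should instead assume the implant knows where it is.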

With no indication that VoidLink is actively targeting machines, defenders need take no immediate action, although indicators of compromise are available from the Check Point blog post. Even so, VoidLink is a reminder that defenders should remain vigilant about their Linux machines.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
Staff Picks
VividVerism
Does anyone understand how this would have been contributed to Virus Total?

If it hasn’t been deployed yet then how would someone have binaries to contribute?

The only idea I can come up with is another hacker getting access to what the Chinese group was working on and sharing it to spoil their efforts proactively.

Or someone has someone else on the inside to do this.


If it's not infecting things in the wild, how did it end up on VirusTotal? I very much doubt the developers would have uploaded it themselves, so it probably was uploaded by someone who got infected, suggesting it is being installed in the wild.

Something malware developers sometimes like to do is to obfuscate their code and then submit their own malware to VirusTotal to test the obfuscation. If any scanners detect their malware as such despite the obfuscation, they iterate and try again until the scan comes back clean.

Which leads to the obvious implication:

This isn't even its final form!