How and Why Threat Hunting Teams Investigate Linux Malware Attacks


Linux cyber threats are less widespread than Windows ones, yet that can make them even more dangerous. Underestimated and under-anticipated, they stab endpoints and networks in the back, bringing operational disruption and financial loss.

It’s true that individual desktop users are targeted less by Linux-specific malware than by malware tailored for Windows systems, although they still are targeted. It is far more productive for attackers to go after Linux-powered servers, which puts corporate infrastructure at risk and threatens whole industries and supply chains.


Discovering Linux Malware via Threat Intelligence

This makes it particularly important for companies to use proper tools for proactive security like ANY.RUN’s Threat Intelligence Lookup and Interactive Sandbox.

Threat Intelligence Lookup start page: click search bar and see query parameters

TI Lookup allows you to search across threat data extracted from the latest malware and phishing samples analyzed by over 500,000 professionals and 15,000 companies around the globe in ANY.RUN’s Interactive Sandbox.

It is one of the best tools for researching attacks and incidents: a huge searchable repository of IOCs, IOAs, and IOBs that contains plenty of fresh data on Windows and Linux malware and campaigns.

This data can be used for setting up monitoring and detection systems, as well as for threat landscape analysis, tracking evolving malware, and preventing trouble on a strategic level. 

Start investigating threats that target your infrastructure with 50 trial requests to TI Lookup: contact ANY.RUN.

Identification: IOC as a Key

A suspicious IP can be enough to identify malicious activity, and this is how it works. Let’s check a newly detected address on the network via TI Lookup:

destinationIP:"176.65.144.253"

Search by IP results expose a botnet

What do we see in the search results? 

  1. The IP was flagged as malicious and is a part of Moonbot — a variant of Mirai, the most popular Linux botnet.
  2. The IP is spotted in fresh Mirai samples, so this is an active and important threat indicator. 
  3. The IP is linked to a number of other indicators of compromise including ports, domains, and URLs, and also triggers several Suricata rules. 

All this data can be used to enrich proactive defense to detect this threat in advance.

Prevention: Updates on Evolving Threats

Proactive protection means stopping attacks before they happen and do damage. We can check whether a common threat is targeting the infrastructure of other companies in our country, and exactly how it is doing so right now.

Suppose we are a business from Germany. We combine the country code, the threat type (botnet), and the Ubuntu OS version in a TI Lookup search query:

os:"22.04.2" and threatName:"botnet" and submissionCountry:"de"

In the search results, we switch to the “Analyses” tab and see thousands of publicly submitted malware samples.

Searching for botnets targeting Ubuntu endpoints in Germany right now

Even before opening any of the analyses, we receive some actionable insight:

  • Linux-based endpoints in our country are right now actively threatened by several botnets.
  • Among them are Mirai, Prometei, and Gafgyt.
  • Since Gafgyt and Mirai prefer to target IoT devices with weak SSH passwords, and Prometei exploits OS vulnerabilities, these are the potential weak spots in our network infrastructure that we ought to check. 

Research: Data For Proactive Protection

As the previous example shows when explored properly, popular Linux botnet malware often exploits SSH weaknesses. It uses SSH scanning, a technique for identifying systems that have SSH services exposed to the Internet.

This process typically involves automated tools or scripts that scan ranges of IP addresses to detect open SSH ports (usually port 22) and attempt to gain unauthorized access. Files in ELF format (.elf) are very often involved in such activities.

A request to Threat Intelligence Lookup helps us find recent samples of malware that scans SSH ports and involves .elf files (the Linux executable format):

filePath:".elf" AND threatName:"sshscan"

Malware that engages SSH scan found via TI Lookup

Why it is important: 

  • If you see .elf files associated with malicious activity (e.g., SSH scanning) in threat intelligence data, it’s a clear signal that attackers are actively targeting Linux environments.
  • Analyzing such samples helps you understand which ports, protocols, and attack scenarios are being used, and where the access attempts are coming from.
  • You can extract IOCs from the samples: scanner IP addresses, hashes of .elf files, command-line strings, C2 server domains.

How to Use Threat Intelligence Data for Proactively Protecting Linux Systems

The IOCs, IOBs, and IOAs provided by Threat Intelligence Lookup can be used to configure firewalls, NIDS/NIPS systems, EDR/antivirus tools, and SIEM rules and alerts.

Based on TI data, you can update YARA rules to detect similar .elf files, set up threat hunting rules (e.g., logging SSH connection attempts from blacklisted IPs), and track lateral movement if an attacker is already inside your network.

If the number of such samples is increasing, it could indicate an ongoing campaign or attack wave. This allows you to alert the business and take proactive measures: network segmentation, strengthening SSH authentication, monitoring incoming connections more closely.
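The threat hunting rule suggested above (logging SSH connection attempts from IPs flagged by threat intelligence) and the SSH scanning behaviour described in the previous section can both be checked against sshd logs. The following is an added example, not code from the article or from ANY.RUN: it parses a few constructed sshd log lines, matches source IPs against an IOC set (the flagged IP 176.65.144.253 from the article plus made-up placeholder addresses), and additionally flags any source whose failed or invalid login attempts reach a burst threshold, which is the pattern an SSH scanner leaves behind.

```python
import re
from collections import Counter

# Constructed sshd log lines (not from the article). The hostnames, PIDs and
# the 10.x / 198.51.100.x / 203.0.113.x addresses are made up for the example.
SAMPLE_AUTH_LOG = """\
Jun 12 10:01:02 web01 sshd[2231]: Failed password for root from 176.65.144.253 port 51234 ssh2
Jun 12 10:01:03 web01 sshd[2231]: Failed password for root from 176.65.144.253 port 51240 ssh2
Jun 12 10:01:05 web01 sshd[2233]: Failed password for invalid user admin from 176.65.144.253 port 51251 ssh2
Jun 12 10:02:11 web01 sshd[2240]: Accepted publickey for deploy from 10.0.0.5 port 40212 ssh2
Jun 12 10:03:40 web01 sshd[2244]: Invalid user pi from 198.51.100.7 port 33001
Jun 12 10:03:41 web01 sshd[2244]: Failed password for invalid user pi from 198.51.100.7 port 33001 ssh2
Jun 12 10:05:00 web01 sshd[2250]: Connection closed by 203.0.113.9 port 2222 [preauth]
"""

# IOC set as it might be exported from a TI Lookup result; 176.65.144.253 is the
# address looked up in the article, 198.51.100.7 is a placeholder.
IOC_IPS = {"176.65.144.253", "198.51.100.7"}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Failed password|Invalid user|Accepted \w+|Connection closed)"
    r".*?(?:from|by) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_sshd(log_text):
    """Yield (event, source_ip, port) for every sshd line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("event"), m.group("ip"), int(m.group("port"))


def hunt(log_text, ioc_ips, burst_threshold=3):
    """Return IOC matches and sources whose failed/invalid logins reach the threshold."""
    hits = []
    failures = Counter()
    for event, ip, port in parse_sshd(log_text):
        if ip in ioc_ips:
            hits.append((ip, event, port))
        if event in ("Failed password", "Invalid user"):
            failures[ip] += 1
    bursts = {ip: n for ip, n in failures.items() if n >= burst_threshold}
    return {"ioc_hits": hits, "bursts": bursts}


if __name__ == "__main__":
    print(hunt(SAMPLE_AUTH_LOG, IOC_IPS))
```

In production the IOC set would be refreshed from TI Lookup exports and the burst threshold tuned to the host's normal login failure rate.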

Conclusion

The business impact of using threat intelligence in Linux threat hunting is clear: 

  • Early detection of threats like malware with SSH scanning allows us to block attacks before damage occurs, avoiding high-cost incident response.
  • Threat intelligence helps you act proactively, reducing the mean time to detect and respond, which directly lowers potential revenue loss.
  • Proactively protecting sensitive systems helps avoid non-compliance penalties.
  • Focus on real threats means better use of SOC time and budget.
  • Staying ahead of targeted Linux-based threats shows an organization as a mature and responsible business that values cybersecurity.

Start your research into Linux-targeting threats to understand your risks: use 50 trial TI Lookup requests. 


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.