Unit 42, Palo Alto Networks’ threat intelligence division, has recently conducted investigations that have revealed a worrying trend: threat actors are increasingly creating and modifying Linux Executable and Linkable Format (ELF) malware to attack cloud infrastructure.
With cloud adoption skyrocketing and Linux-based systems underpinning the vast majority of cloud workloads (estimates suggest between 70% and 90% of cloud compute instances), attackers are finding fertile ground for deploying evolved malware families.
Why ELF Binaries Matter
ELF is the standard file format for executables and shared libraries on Linux. Due to Linux’s dominance in cloud environments, ELF files are an ideal vector for malware seeking persistence, evasion, and widespread impact.
According to the report, Unit 42’s research highlights five evolving ELF-based malware families: NoodleRAT, Winnti (Linux variants), SSHdInjector, Pygmy Goat, and AcidPour.
Each family has seen at least two significant codebase updates in the past year, and each has been observed in the wild at least 20 times, evidence of active development and deployment.
Attacks leveraging ELF binaries are growing in sophistication, often targeting vulnerabilities or misconfigurations in cloud-native and containerized deployments.

For example, attackers employ techniques such as dynamic linker hijacking to inject malicious code into legitimate processes. This often involves abusing environment variables like LD_PRELOAD to achieve stealthy code injection:

```
LD_PRELOAD=/path/to/malicious.so /usr/sbin/sshd
```

Here, /path/to/malicious.so contains code that is loaded before any legitimate system libraries, allowing attackers to intercept system calls or hijack processes.
Technical Deep Dive: Malware Capabilities
NoodleRAT
NoodleRAT is a backdoor supporting both Windows and Linux, but its Linux variant is ELF-based and particularly dangerous. Capabilities include:
- Reverse shell access
- SOCKS proxy tunneling
- Encrypted communications
- File upload/download
- Process name spoofing
Notably, NoodleRAT has been used by Chinese-speaking actors and has targeted organizations across Asia-Pacific, including India, Thailand, Malaysia, and others.
Winnti (Linux variant)
The Linux version of Winnti abuses LD_PRELOAD to persist in memory without tampering with system binaries. It provides:
- Remote command execution
- File exfiltration
- SOCKS5 proxy for command and control (C2)
Winnti is frequently linked to China-nexus actors such as Starchy Taurus (aka Winnti Group, BARIUM) and is used for cyberespionage.
SSHdInjector
SSHdInjector is a Linux backdoor that injects code into the SSH daemon at runtime, enabling:
- Credential theft
- Remote command execution
- Malware ingress
- File/directory access
- Data exfiltration
SSHdInjector has been deployed by groups like Digging Taurus (aka Daggerfly, Evasive Panda), targeting governments and telcos.
Pygmy Goat
Originally discovered on Sophos XG firewalls, this backdoor exploits vulnerable libraries (libsophos.so, CVE-2022-1040) and uses LD_PRELOAD to inject into sshd. Notable features:
- Rootkit functionality
- ICMP-based port knocking
- SSH traffic interception
- Reverse SOCKS5 proxy tunneling
- Cron job creation
Targets include government agencies and NGOs in Asia-Pacific.
AcidPour / AcidRain
AcidRain targets MIPS-based devices, while AcidPour, its successor, is compiled for x86—expanding its reach to x86-based cloud infrastructure. Both are destructive wipers that:
- Use IOCTLs for mass data destruction
- Self-delete post-execution for evasion
AcidPour is linked to Russian groups (Razing Ursa, aka Sandworm, Voodoo Bear) and could be especially damaging if actors gain shell access via web shell, misconfiguration, or container escape.
Detection and Mitigation: The Role of Machine Learning
With cloud-based security alerts up 388% in 2024, and organizations reporting a 45% increase in advanced persistent threat (APT) attacks, defenders must adapt. Modern cloud endpoint detection and response (EDR) solutions, like Palo Alto Networks’ Cortex Cloud, now employ machine learning to flag suspicious binaries.
Cortex Cloud’s ML module was tested on over 100 unique ELF binaries across the five malware families. Detection scores:
- > 0.85: Malicious
- 0.65–0.84: Suspicious
- < 0.65: Benign
Test results showed 92.3% of samples scored as suspicious or malicious, and 61.5% scored above 0.85 (malicious). The model considers factors such as:
- Kernel-mode system calls
- Import functions
- Evasion techniques
- Network traffic
- Unknown binary patterns
Security teams are alerted when an unknown ELF binary is executed. The Cortex XDR interface shows a chain of related events and detailed process information, speeding remediation.
Protecting Your Cloud Environment
Given the threats, experts recommend:
- Deploy endpoint security agents on all cloud compute instances to monitor runtime processing, network traffic, and behavior.
- Regularly update and patch Linux systems and containers to reduce the attack surface.
- Monitor for abuse of environment variables like LD_PRELOAD and unusual binary execution.
- Adopt cloud detection and response (CDR) solutions that combine EDR, auditing, and logging.
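A host-side check for the LD_PRELOAD abuse described in the dynamic linker hijacking section above and recommended for monitoring in the list above: it reads /etc/ld.so.preload, the environment of each process, and the shared objects each process has mapped from outside the normal library directories. This is an added example, not code from Unit 42, Cortex or the report; TRUSTED_LIB_DIRS, the function names and the embedded environ/maps samples are constructed assumptions.

```python
import re
from pathlib import Path

# Where legitimately installed shared objects normally live (assumption; extend per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Constructed sample input standing in for /proc/<pid>/environ and /proc/<pid>/maps.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/inject.so:/dev/shm/l.so\0HOME=/root\0"
SAMPLE_MAPS = ("7f10 r-xp 00000000 08:01 4711 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
               "7f20 r-xp 00000000 08:01 4712 /tmp/.x/inject.so\n"
               "7f30 rw-p 00000000 00:00 0 \n7f40 r-xp 00000000 08:01 4713 /usr/sbin/sshd\n")

def preload_entries(ld_so_preload_text):
    """Whitespace-separated entries of /etc/ld.so.preload (system-wide preload), '#' comments dropped."""
    return [e for ln in ld_so_preload_text.splitlines() for e in ln.split("#", 1)[0].split()]

def ld_preload_from_environ(environ_bytes):
    """Return the LD_PRELOAD paths from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry.split(b"=", 1)[1].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]  # ':' or space separated
    return []

def untrusted_mapped_libs(maps_text):
    """Shared objects mapped into a process that live outside TRUSTED_LIB_DIRS."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if (len(parts) == 6 and ".so" in parts[5].rsplit("/", 1)[-1]
                and not parts[5].startswith(TRUSTED_LIB_DIRS)):
            found.add(parts[5])
    return sorted(found)

def audit_live_host(proc_root="/proc", preload_file="/etc/ld.so.preload"):
    """Run all three checks on this host; run as root to see other users' processes."""
    findings = {}
    if Path(preload_file).exists():
        findings["ld.so.preload"] = preload_entries(Path(preload_file).read_text())
    for p in Path(proc_root).iterdir():
        if not p.name.isdigit():
            continue
        try:
            env_hits = ld_preload_from_environ((p / "environ").read_bytes())
            lib_hits = untrusted_mapped_libs((p / "maps").read_text())
        except OSError:  # process exited, or not readable without root
            continue
        if env_hits or lib_hits:
            findings[int(p.name)] = {"LD_PRELOAD": env_hits, "untrusted_libs": lib_hits}
    return findings
```

Call audit_live_host() as root and treat every hit as a lead rather than a verdict, since some legitimate software (alternative allocators, compatibility shims) also uses LD_PRELOAD; baseline those paths and alert on anything new, especially a preload into sshd.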
For the most robust protection, Palo Alto Networks customers are encouraged to use:
- Cortex ELF Machine Learning detection module
- Cortex PowerShell and VBS Machine Learning detection module
If you suspect a compromise, reach out to Unit 42 Incident Response for urgent assistance.
As cloud migration accelerates, threat actors are shifting their focus to Linux ELF malware, tailoring proven techniques for cloud environments.
The rise of backdoors, wipers, and sophisticated evasion methods such as dynamic linker hijacking and rootkit functionality means defenders must stay ahead with advanced detection and response.
Machine learning-powered endpoint security is proving essential in identifying and blocking these emerging threats.
With organizations increasingly reliant on cloud infrastructure, now is the time to fortify Linux workloads and containers against the next wave of ELF-based attacks.