
Researchers have discovered a never-before-seen framework that infects Linux machines with a wide range of modules notable for the range of advanced capabilities they provide to attackers.
The framework, called VoidLink by its source code, features more than 30 modules that can be used to tailor its capabilities to attackers' needs for each infected machine. These modules can provide additional stealth and specific tools for reconnaissance, escalation of privilege, and lateral movement within a compromised network. The components can be easily added or removed as objectives change over the course of a campaign.
A focus on Linux in the cloud
VoidLink can target machines within popular cloud services by detecting whether an infected machine is hosted within AWS, GCP, Azure, Alibaba, and Tencent, and there are indications that developers plan to add detections for Huawei, DigitalOcean, and Vultr in future releases. To detect which cloud service is hosting the machine, VoidLink examines metadata using the respective vendor's API.
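The cloud fingerprinting described above leaves a detectable trace: an unexpected process talking to the instance-metadata service, and especially one process trying several vendors' endpoints in turn. The following is an added example of that detection logic, not code from the article or from Check Point; the log line format, the process allowlist and the sample log are assumptions constructed for the demo.

```python
# Added example: flag processes that contact cloud instance-metadata endpoints,
# the lookup the article says VoidLink uses to learn which cloud hosts it.
import re
from collections import defaultdict
# Link-local metadata service addresses per vendor (well-known values).
METADATA_ENDPOINTS = {
    "169.254.169.254": "AWS/GCP/Azure",  # these three share the same address
    "100.100.100.200": "Alibaba Cloud",
    "169.254.0.23": "Tencent Cloud",
}
# Agents expected to query the metadata service (assumed allowlist for the demo).
EXPECTED_PROCESSES = {"cloud-init", "amazon-ssm-agent", "google_guest_agent", "waagent"}
# Assumed log format: "<timestamp> proc=<name> pid=<pid> dst=<ip>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$")

def parse_line(line):
    """Parse one outbound-connection log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_metadata_probes(lines):
    """Return (hits, multi): hits are metadata-endpoint connections by processes
    outside the allowlist; multi maps (proc, pid) to the vendors it probed.
    A legitimate agent knows its own cloud; one process trying several vendors'
    endpoints is behaving like a fingerprinting implant."""
    hits, per_proc = [], defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["dst"] not in METADATA_ENDPOINTS:
            continue
        vendor = METADATA_ENDPOINTS[ev["dst"]]
        per_proc[(ev["proc"], ev["pid"])].add(vendor)
        if ev["proc"] not in EXPECTED_PROCESSES:
            hits.append({"ts": ev["ts"], "proc": ev["proc"], "pid": ev["pid"], "vendor": vendor})
    multi = {k: sorted(v) for k, v in per_proc.items() if len(v) > 1}
    return hits, multi

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-01-01T10:00:01Z proc=cloud-init pid=412 dst=169.254.169.254:80",
    "2024-01-01T10:05:13Z proc=svc-helper pid=9911 dst=169.254.169.254:80",
    "2024-01-01T10:05:14Z proc=svc-helper pid=9911 dst=100.100.100.200:80",
    "2024-01-01T10:05:14Z proc=svc-helper pid=9911 dst=169.254.0.23:80",
    "2024-01-01T10:07:00Z proc=sshd pid=1200 dst=203.0.113.9:22",
]

if __name__ == "__main__":
    hits, multi = flag_metadata_probes(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['proc']}[{h['pid']}] -> {h['vendor']} metadata endpoint")
    for (proc, pid), vendors in multi.items():
        print(f"{proc}[{pid}] probed several vendors: {', '.join(vendors)}")
```

On a real host the same logic applies to eBPF or auditd connect events; the allowlist should be tightened to the agents actually deployed on the image.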
Similar frameworks that target Windows servers have been flourishing for years. They are less common on Linux machines. The functionality is unusually broad and “much more advanced than typical Linux malware,” say researchers at Check Point, the security firm that discovered VoidLink. Its creation may indicate that attackers' focus is increasingly expanding to include Linux systems, cloud infrastructure, and application deployment environments as organizations move more and more workloads to these environments.
“VoidLink is a comprehensive ecosystem designed to maintain long-term unobtrusive access to compromised Linux systems, especially those running on public cloud platforms and in containerized environments,” the researchers said in a separate note. “The design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers, raising the stakes for defenders who may never realize their infrastructure has been quietly taken over.”
