Trend Micro researchers encountered a PowerGhost variant that infects Linux machines via EternalBlue, MSSQL, and Secure Shell (SSH) brute force attacks. The malware was previously known to target only Windows systems.
PowerGhost is a fileless cryptocurrency-mining malware that attacks corporate servers and workstations, capable of embedding and spreading itself undetected across endpoints and servers. It was known to exploit PowerShell, a built-in task automation and configuration feature in Windows. The threat has now expanded to Linux systems.
The detected PowerGhost variant has two payloads that it can deploy, depending on the operating system running on its target system. It delivers the PowerShell-based PowerGhost on Windows machine, as seen in earlier variants, or a multi-component malware on Linux systems.
Figure 1: Code snippet showing commands executed by PowerGhost on Windows (WCommand Line) or Linux (LCommandLine)
Figure 2: Code snippet showing LCommandLine being remotely executed via SSH
The new variant kills or removes some installed anti-malware products on Linux systems, maintains persistence by setting up a scheduled task via software utility Cron, and drops other components (likely a Distributed Denial of Service (DDoS) malware). It can also exploit the Dirty COW vulnerability (CVE-2016-5195) to gain root access and propagate to other devices that trusts the compromised machine via SSH. To hide its presence, it installs a bash-based rootkit named brootkit.
Figure 3: Code snippet showing the propagation function
In 2019, a 265% growth in fileless attacks such as PowerGhost was observed by Trend Micro researchers, identifying it as a rapidly growing threat. To protect systems against such risks, users are advised to do the following:
The Trend Micro Deep Discovery™ solution detects, analyzes, and proactively responds to attacks. It can also detect remote scripts, even those that are not downloaded on endpoints. The Trend Micro Deep Discovery Inspector solution safeguards against the new PowerGhost variant via these DDI rules:
For overall protection, a multilayered security approach is recommended to safeguard all layers of the system.
|SHA 256||Detection Name|
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.