Linux Persistence Techniques Detected by AhnLab EDR (1)

Persistence techniques are the methods threat actors use to keep access to a target system after the initial intrusion. Because a single breach may not be enough to achieve all of their goals, threat actors look for ways to get back into the system later. Persistence can be maintained by configuring the malware to run again after a system reboot, by installing a backdoor account, or by many other methods.

In Windows environments, threat actors typically use the Run key, startup programs, Task Scheduler, and services. Beyond these, techniques such as DLL side-loading, Winlogon Helper DLL, and rootkits are used. The situation is not much different on Linux: it has startup scripts such as bash_profile, bashrc, and profile.d, service managers such as SysVinit and Systemd, and techniques such as cron jobs and library preloading.

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution that provides threat monitoring, analysis, and response capabilities for endpoints based on AhnLab’s own behavior-based engine. AhnLab EDR continuously collects information on suspicious behaviors by type, allowing users to perceive threats precisely from a detection, analysis, and response perspective. Users can then analyze the collected data to identify root causes, respond with appropriate measures, and establish processes that prevent recurrence.

This blog post categorizes the persistence techniques threat actors use against Linux systems and outlines how each is detected by AhnLab EDR.

1. Startup Script (profile.d)

On Linux, startup scripts run when the system boots or when a user logs in. This section covers cases where the global environment configuration scripts were abused. These scripts live in “/etc/profile.d/”, and when the system boots, the scripts in this path are run.

Malware can take advantage of this: for example, the Kaiji CoinMiner copies itself to “/etc/profile.d/bash_conf” and creates “/etc/profile.d/bash_conf.sh”, a script that runs the malware. When the system boots, “bash_conf.sh” in “/etc/profile.d/” is run, which ultimately executes the Kaiji malware “bash_conf”.

Figure 1. Kaiji maintaining persistence by abusing startup scripts

 

AhnLab EDR records the registration of a new startup script as a key behavior, giving administrators advance notice of it.

Figure 2. Detection logs of startup script registration
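The script below is an added example written for this post, not AhnLab’s code or the EDR’s detection logic. It audits /etc/profile.d under a root prefix (so it can run against a constructed sample tree) for the pattern described above: an ELF binary dropped into profile.d and a launcher script beside it that starts the binary in the background. The heuristics, the file names in build_demo_root and the sample contents are assumptions constructed for the example; profile.d should contain only shell scripts, so any ELF file there, and any script that starts a sibling entry by absolute path, is worth a look.

```python
"""Audit /etc/profile.d for persistence artefacts.

Added example, not AhnLab's code. The heuristics are assumptions, not AhnLab EDR's
rules: an ELF binary stored in profile.d (the directory should only hold shell
scripts), a script that launches a sibling file stored in profile.d, and a script
that detaches a process (trailing '&', nohup, setsid).
"""
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"
# a single trailing '&' (not '&&'), or an explicit detach helper
BACKGROUND_RE = re.compile(r"(?<!&)&\s*$|\bnohup\b|\bsetsid\b", re.MULTILINE)


def audit_profile_d(root="/"):
    """Return (filename, reason) findings for <root>/etc/profile.d."""
    profile_d = os.path.join(root, "etc", "profile.d")
    findings = []
    if not os.path.isdir(profile_d):
        return findings
    names = sorted(os.listdir(profile_d))
    for name in names:
        path = os.path.join(profile_d, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(65536)
        if head.startswith(ELF_MAGIC):
            findings.append((name, "ELF binary stored in profile.d"))
            continue
        text = head.decode("utf-8", "replace")
        for other in names:
            # a script that starts another profile.d entry by absolute path
            if other != name and re.search(
                    r"profile\.d/" + re.escape(other) + r"(?![\w.-])", text):
                findings.append((name, f"launches sibling file {other}"))
        if BACKGROUND_RE.search(text):
            findings.append((name, "detaches a background process"))
    return findings


def build_demo_root():
    """Constructed sample tree modelled on the Kaiji pair described in the post."""
    root = tempfile.mkdtemp(prefix="profile_d_demo_")
    profile_d = os.path.join(root, "etc", "profile.d")
    os.makedirs(profile_d)
    # stand-in for the dropped binary: just an ELF header, not a real program
    with open(os.path.join(profile_d, "bash_conf"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
    # constructed launcher script
    with open(os.path.join(profile_d, "bash_conf.sh"), "w") as fh:
        fh.write("#!/bin/sh\n/etc/profile.d/bash_conf &\n")
    # constructed benign entry
    with open(os.path.join(profile_d, "editor.sh"), "w") as fh:
        fh.write("# constructed benign entry\nexport EDITOR=vim\n")
    return root


if __name__ == "__main__":
    for name, reason in audit_profile_d(build_demo_root()):
        print(f"{name}: {reason}")
```

Run as-is, the script reports the dropped binary and its launcher and stays silent on the benign entry; calling audit_profile_d() with the default root checks the live host. A one-off run only finds what is already there, so the more useful deployment is to keep a known-good listing of /etc/profile.d and alert on any new or changed entry, which is the event the EDR log in Figure 2 corresponds to.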

 

2. Cron Jobs

A cron job on Linux is a scheduled task managed by cron, a scheduling system similar to Task Scheduler on Windows that lets users run specific tasks automatically at set times or intervals. It is typically used for regular backups, log management, and system maintenance, but malware also abuses it to maintain persistence.

XorDDoS is a DDoS malware strain that has been in distribution for a long time. It uses several techniques to maintain persistence, one of which is cron jobs. The malware registers a cron job that runs the script “/etc/cron.hourly/gcc.sh” every 3 minutes. This script copies and re-executes the malware installed at “/lib/libudev.so”.

Figure 3. XorDDoS registering a cron job

 

AhnLab EDR records persistence established through a cron job as a key behavior, giving administrators advance notice of it.

Figure 4. Detection logs of cron job registration
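The script below is an added example, not AhnLab’s code or the EDR’s detection rule. It parses the system crontab format (/etc/crontab and /etc/cron.d, where each line carries a user field), computes the shortest firing interval from the minute field so that a “*/3” schedule like the XorDDoS entry stands out, and then looks inside the referenced script for a shared object being copied or executed out of /lib. The threshold MAX_FREQUENCY_MIN, the regular expressions and the sample files in build_demo_root are assumptions constructed for the example; per-user crontabs under /var/spool/cron and @reboot-style entries are not covered.

```python
"""Audit system crontabs for high-frequency or suspicious jobs.

Added example, not AhnLab's code. Assumptions: a job firing more often than every
MAX_FREQUENCY_MIN minutes, a cron.hourly script invoked more often than hourly, and a
job script that copies or runs a shared object out of /lib are all worth a look.
"""
import os
import re
import tempfile
from pathlib import Path

MAX_FREQUENCY_MIN = 5
SO_IN_SCRIPT_RE = re.compile(r"/lib\S*\.so(?:\.\d+)*\b")  # a ".so" copied/run by a script


def expand_minutes(field):
    """Expand the minute field of a cron line ('*/3', '0,30', '5-10') into minutes."""
    minutes = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            lo, hi = 0, 59
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        minutes.update(range(lo, hi + 1, step))
    return sorted(minutes)


def min_interval_minutes(field):
    """Shortest gap between firings implied by the minute field alone (a lower bound:
    the hour, day and month fields can only make the job rarer)."""
    minutes = expand_minutes(field)
    if len(minutes) <= 1:
        return 60
    gaps = [b - a for a, b in zip(minutes, minutes[1:])] + [60 - minutes[-1] + minutes[0]]
    return min(gaps)


def parse_system_crontab(text):
    """Parse /etc/crontab or /etc/cron.d lines: minute hour dom mon dow user command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")) or re.match(r"^\w+=", line):
            continue  # comments, @reboot shorthands and VAR=value lines
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append({"minute": parts[0], "user": parts[5], "command": parts[6]})
    return jobs


def audit_cron(root="/"):
    """Return (command, reason) findings for the system crontabs under <root>."""
    paths = [os.path.join(root, "etc", "crontab")]
    cron_d = os.path.join(root, "etc", "cron.d")
    if os.path.isdir(cron_d):
        paths += [os.path.join(cron_d, n) for n in sorted(os.listdir(cron_d))]
    findings = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        for job in parse_system_crontab(Path(path).read_text(errors="replace")):
            cmd = job["command"]
            interval = min_interval_minutes(job["minute"])
            if interval < MAX_FREQUENCY_MIN:
                findings.append((cmd, f"runs every {interval} min"))
            if "cron.hourly" in cmd and interval < 60:
                findings.append((cmd, "cron.hourly script invoked more often than hourly"))
            first = cmd.split()[0]  # if the command is a script under root, read it too
            script = Path(root, first.lstrip("/")) if first.startswith("/") else None
            if script and script.is_file() and SO_IN_SCRIPT_RE.search(script.read_text(errors="replace")):
                findings.append((cmd, "script copies or runs a shared object from /lib"))
    return findings


def build_demo_root():
    """Constructed sample tree modelled on the XorDDoS entry described in the post."""
    root = tempfile.mkdtemp(prefix="cron_demo_")
    for sub in ("cron.d", "cron.hourly"):
        os.makedirs(os.path.join(root, "etc", sub))
    Path(root, "etc", "crontab").write_text(
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")  # stock hourly runner
    Path(root, "etc", "cron.d", "gcc").write_text("*/3 * * * * root /etc/cron.hourly/gcc.sh\n")
    Path(root, "etc", "cron.hourly", "gcc.sh").write_text(  # constructed launcher stand-in
        "#!/bin/sh\ncp /lib/libudev.so /lib/libudev.so.6\n/lib/libudev.so.6\n")
    return root


if __name__ == "__main__":
    for cmd, reason in audit_cron(build_demo_root()):
        print(f"{cmd}: {reason}")
```

The stock Debian line that runs /etc/cron.hourly once an hour is deliberately in the sample so the “invoked more often than hourly” check can be seen distinguishing it from the three-minute entry; the minute-field interval is only a lower bound, which is the right direction for a screening check.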

 

3. Systemd

Just like Windows, Linux environments have a service-like component. Nowadays Systemd is the standard way to manage and control services. It is administered through systemctl, and service configuration is stored in unit files located in “/etc/systemd/system”.

Lady, a CoinMiner written in Go, abuses Systemd to maintain persistence. Disguising itself as an NTP service, the malware copies itself to “/usr/sbin/ntp” and uses systemctl to register itself as “ntp.service”. The “ntp.service” unit file in which Lady is registered contains configuration disguised as that of an NTP daemon, as shown below.

Figure 5. Lady CoinMiner abusing Systemd

 

AhnLab EDR records the registration of a service through systemctl as a key behavior, giving administrators advance notice of it.

Figure 6. Detection logs of service registration using Systemd
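The unit file check below is an added example, not AhnLab’s code or the EDR’s rule. It parses the .service files in /etc/systemd/system and compares each ExecStart binary with a baseline of the binary a service of that name is expected to start, which is exactly where a disguise like Lady’s breaks: the unit is named ntp.service but starts /usr/sbin/ntp rather than the NTP daemon ntpd. BASELINE is a constructed assumption with two entries; on a real host it would be generated from the package manager (dpkg -S or rpm -qf) for every installed service. The sample units in build_demo_root are constructed after the case in the post.

```python
"""Check systemd unit files in /etc/systemd/system against an expected-binary baseline.

Added example, not AhnLab's code. BASELINE is a constructed assumption: on a real
host it would be built from the package manager so that a unit named like a known
service must start that package's binary. STAGING_DIRS is a second, coarser check.
"""
import os
import tempfile

BASELINE = {
    "ntp.service": {"/usr/sbin/ntpd"},
    "ssh.service": {"/usr/sbin/sshd"},
}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_unit(text):
    """Parse an INI-style unit file into {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_binary(exec_line):
    """First word of an Exec*= line, minus systemd's '-', '@', ':', '+', '!' prefixes."""
    words = exec_line.split()
    return words[0].lstrip("-@:+!") if words else ""


def audit_units(root="/", baseline=BASELINE):
    """Return (unit name, reason) findings for <root>/etc/systemd/system."""
    unit_dir = os.path.join(root, "etc", "systemd", "system")
    findings = []
    if not os.path.isdir(unit_dir):
        return findings
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        if not name.endswith(".service") or not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            service = parse_unit(fh.read()).get("Service", {})
        for line in service.get("ExecStart", []) + service.get("ExecStartPre", []):
            binary = exec_binary(line)
            expected = baseline.get(name)
            if expected and binary not in expected:
                findings.append((name, f"starts {binary}, expected one of {sorted(expected)}"))
            if binary.startswith(STAGING_DIRS):
                findings.append((name, f"starts {binary} from a staging directory"))
    return findings


def build_demo_root():
    """Constructed sample tree: a unit modelled on Lady's NTP disguise plus a benign one."""
    root = tempfile.mkdtemp(prefix="systemd_demo_")
    unit_dir = os.path.join(root, "etc", "systemd", "system")
    os.makedirs(unit_dir)
    with open(os.path.join(unit_dir, "ntp.service"), "w") as fh:
        fh.write("[Unit]\nDescription=Network Time Service\nAfter=network.target\n\n"
                 "[Service]\nExecStart=/usr/sbin/ntp\nRestart=always\n\n"
                 "[Install]\nWantedBy=multi-user.target\n")
    with open(os.path.join(unit_dir, "ssh.service"), "w") as fh:  # constructed benign unit
        fh.write("[Unit]\nDescription=OpenBSD Secure Shell server\n\n"
                 "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n")
    return root


if __name__ == "__main__":
    for name, reason in audit_units(build_demo_root()):
        print(f"{name}: {reason}")
```

The name-versus-binary comparison is what catches the disguise; a Description= line saying “Network Time Service” proves nothing, which is why the check ignores it. Units in /lib/systemd/system and drop-in overrides under *.service.d are not walked here, so a production version would cover those directories as well.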

 

4. Preload (Environment Variable)

Linux has an environment variable called LD_PRELOAD. When the Linux loader loads an executable, it consults this variable for libraries to load before all others. Because of this feature, some Linux malware strains create malicious shared object (.so) libraries and set LD_PRELOAD to their path so that the files are loaded into legitimate processes.

The Roopre backdoor is installed by a PHP dropper. Depending on the architecture, the PHP dropper installs Roopre under the name “cached.so”, registers it in the LD_PRELOAD environment variable, and then runs a host command. When that command runs, the Roopre library registered in LD_PRELOAD is loaded and executed.

Figure 7. Roopre abusing the LD_PRELOAD environment variable

 

AhnLab EDR records suspicious library loads through LD_PRELOAD as key behaviors, giving administrators advance notice of them.

Figure 8. Detection logs of a library load event via LD_PRELOAD

5. Preload (ld.so.preload)

Aside from the LD_PRELOAD environment variable, the Linux loader also honors the file “/etc/ld.so.preload”. If the file exists, the loader first loads the libraries at the paths listed in it, just as with the environment variable.

The Kinsing CoinMiner uses a customized version of the open-source user-mode rootkit Beurk for concealment. The rootkit is a library that is loaded into a process; it then hooks functions related to files and TCP communication and hides anything related to Kinsing. Kinsing abuses “/etc/ld.so.preload” so that the rootkit is loaded into every process that looks up files or communicates over the network. The procedure is simply to install the rootkit at “/etc/libsystem.so” and register that path in “/etc/ld.so.preload”; as a result, every newly created process loads the rootkit “/etc/libsystem.so” automatically.

Figure 9. Rootkit registered in ld.so.preload

AhnLab EDR detects manipulation of the file “/etc/ld.so.preload” as a threat, giving administrators advance notice of it.

Figure 10. Detection logs of the ld.so.preload file manipulation event
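The script below is an added example, not AhnLab’s code or the EDR’s rules, and it covers both preload channels described in sections 4 and 5: it parses the NUL-separated /proc/<pid>/environ format to find processes started with LD_PRELOAD (the Roopre case), and it reads /etc/ld.so.preload and reports every entry (the Kinsing case). TRUSTED_LIB_DIRS is an assumption: a preloaded library outside the standard library directories, such as /etc/libsystem.so, is reported, and the mere presence of /etc/ld.so.preload is reported because stock distributions do not ship it. The environ blob and the sample file are constructed; the post does not say where the Roopre dropper places cached.so, so the /tmp path in DEMO_ENVIRON is a placeholder.

```python
"""Check both dynamic-linker preload channels: the LD_PRELOAD variable in the
environment of running processes and the /etc/ld.so.preload file.

Added example, not AhnLab's code. TRUSTED_LIB_DIRS is an assumption: a preloaded
library anywhere else (such as /etc/libsystem.so) is reported, and the presence of
/etc/ld.so.preload is reported because stock distributions do not ship it.
"""
import os
import tempfile

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def untrusted_preload_paths(spec):
    """Split an LD_PRELOAD-style value (colon or space separated) and keep the
    entries that do not sit in a trusted library directory."""
    return [p for p in spec.replace(":", " ").split() if not p.startswith(TRUSTED_LIB_DIRS)]


def parse_environ(blob):
    """Parse the NUL-separated /proc/<pid>/environ format into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def audit_process_environ(pid, blob):
    """Findings for one process, given the raw bytes of its environ file."""
    spec = parse_environ(blob).get("LD_PRELOAD")
    if not spec:
        return []
    return [(f"pid {pid}", f"LD_PRELOAD loads {p} from outside the trusted library dirs")
            for p in untrusted_preload_paths(spec)]


def audit_ld_so_preload(root="/"):
    """Findings for <root>/etc/ld.so.preload."""
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return []
    findings = [("ld.so.preload", "file exists (not shipped by default)")]
    with open(path, errors="replace") as fh:
        for line in fh:
            entry = line.split("#", 1)[0].strip()  # the loader ignores comments
            for p in untrusted_preload_paths(entry):
                findings.append(("ld.so.preload", f"preloads {p} from outside the trusted library dirs"))
    return findings


def audit_live_processes():
    """Read-only walk over /proc on the running host; other users' environments need
    privileges to read, so unreadable or vanished processes are skipped."""
    findings = []
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return findings
    for pid in pids:
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                findings += audit_process_environ(pid, fh.read())
        except OSError:
            continue
    return findings


# constructed environ blob modelled on the Roopre case; the location of cached.so
# is a placeholder because the post does not give it
DEMO_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/cached.so\0HOME=/root\0"


def build_demo_root():
    """Constructed sample tree modelled on the Kinsing ld.so.preload entry."""
    root = tempfile.mkdtemp(prefix="preload_demo_")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as fh:
        fh.write("/etc/libsystem.so\n")
    return root


if __name__ == "__main__":
    demo = audit_process_environ(1234, DEMO_ENVIRON) + audit_ld_so_preload(build_demo_root())
    for where, reason in demo:
        print(f"{where}: {reason}")
```

The directory check is a coarse filter, not proof of legitimacy: a library in /lib can still be malicious (XorDDoS installs to /lib/libudev.so), so on a real host every preloaded path should also be checked against package ownership. A user-mode rootkit of the Beurk kind hooks the file functions used to read /etc/ld.so.preload itself, so a result obtained from inside a compromised host is only trustworthy when the same file is read from a statically linked tool or from offline media.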

 

6. Conclusion

Threat actors abuse a variety of persistence techniques to keep their access to a system after infiltration. Even if they fail to meet their goals during the initial compromise, they can then return to the system at will to exfiltrate information, encrypt files, or take control of it.

AhnLab EDR detects the suspicious behaviors seen in the persistence stage as threats and key behaviors, giving administrators advance notice of them. Administrators can use AhnLab EDR to find root causes and take appropriate measures, and even when systems have been exposed to attacks, data can still be gathered from the targeted systems to serve as evidence for investigations.

Behavior Detection

– Persistence/DETECT.T1053.M10875
– Persistence/DETECT.T1543.M10920
– Suspicious/DETECT.T1574.006.M10894
– Suspicious/EDR.Preload.M10892

 

Tactic                Technique
Persistence (TA0003)  Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)
Persistence (TA0003)  Scheduled Task/Job: Cron (T1053.003)
Persistence (TA0003)  Create or Modify System Process: Systemd Service (T1543.002)
Persistence (TA0003)  Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)

MITRE ATT&CK mapping information

 
