linux-malware

Rolling 7 day view of updates from this repo

Press/academia

• https://en.wikipedia.org/wiki/Linux_malware - DarkSide
• https://en.wikipedia.org/wiki/Mirai_(malware) - Mirai
• https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - LaZagne, Dalcs, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf - WINNTI
• https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
• https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf - various SSH, Bonadan, Kessel, Chandrila
• https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf - various SSH, Bonadan, Kessel, Chandrila
• https://ieeexplore.ieee.org/document/8418602
• https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32
• http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf
• https://reyammer.io/publications/2018_oakland_linuxmalware.pdf
• https://malpedia.caad.fkie.fraunhofer.de/
• https://rp.os3.nl/
• https://wikileaks.org/vault7/
• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations
• https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/
• https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html
• https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/
• https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
• https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html
• https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ - honeypot
• https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ - honeypot
• https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/

Breach reports

• https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm - GoDaddy

Supply chain attacks

• https://www.webmin.com/exploit.html - Webmin
• https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ - "Octopus Scanner" (Netbeans) attack
• https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor - ProFTPd
• https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ - UnrealIRCd
• https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 - Horde Webmail
• https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ - PHPMyAdmin
• https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack - PHP
• https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html - VsFTPd
• https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos - Homebrew
• https://lwn.net/Articles/371110/ - e107 CMS
• http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html - MyBB
• https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb - event-stream
• https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices - NPM

Malware reports

• https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - FreakOut
• https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ - RandomEXX
• https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ - IPStorm
• https://cujo.com/iot-malware-journals-prometei-linux/ - Promotei
• https://twitter.com/IntezerLabs/status/1338480158249013250 - Promotei
• https://igor-blue.github.io/2021/03/24/apt1.html
• https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ - DarkRadiation
• https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html - DarkRadation
• https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ - RotaJakiro
• https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors - Tycoon
• https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ - QNAPCrypt, eCh0raix
• https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ - QNAPCrypt, eCh0raix
• https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ - KillDisk
• https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version - REvil
• https://twitter.com/malwrhunterteam/status/1415403132230803460 - HelloKitty
• https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ - HelloKitty
• https://github.com/fboldewin/FastCashMalwareDissected/blob/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf - FastCash, #aix
• https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ - FritzFrog
• https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ - Gafgyt
• https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ - Gafgyt
• https://twitter.com/malwaremustd1e/status/1264417940742389762 - Gafgyt (by malwaremustdie.org)
• https://twitter.com/malwaremustd1e/status/1265321238383099904 - Gafgyt (by malwaremustdie.org)
• https://imgur.com/a/2zRCt - Gafgyt (by malwaremustdie.org)
• https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ - Gafgyt
• https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt - Gafgyt
• https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - DarkSide
• https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - Turian
• https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ - EvilGnome
• https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ - WatchDog
• https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ - RedXOR
• https://vms.drweb.com/virus/?_is=1&i=15389228 - ?
• https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ - TeamTNT, Mimipenguin
• https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials - TeamTNT
• https://twitter.com/_larry0/status/1143532888538984448 - Silex
• https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ - GodLua
• https://blog.talosintelligence.com/2018/05/VPNFilter.html - VPNFilter
• https://blog.talosintelligence.com/2018/06/vpnfilter-update.html - VPNFilter
• https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html - CoinMiner
• https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ - LemonDuck
• https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html - Mirai (by malwaremustdie.org)
• https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html - Mirai (by malwaremustdie.org)
• https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html - Mirai (by malwaremustdie.org)
• https://imgur.com/a/qqgfFXf - Mirai (by malwaremustdie.org)
• https://imgur.com/a/53f29O9 - Mirai (by malwaremustdie.org)
• https://news.sophos.com/en-us/2020/12/16/systembc/ - SystemBC
• https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html - Slapstick, unc1945, #solaris, lightbasin
• https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks - Slapstick, unc1945, #solaris, lightbasin
• https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ - Steelcorgi, unc1945, #solaris, lightbasin
• https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - Qemu, unc1945, lightbasin
• https://twitter.com/timb_machine/status/1450595881732947968 - unc1945, #solaris, lightbasin
• https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF - Drovorub
• https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ - Mumblehard
• https://twitter.com/billyleonard/status/1417910729005490177 - Zirconium (APT31)
• https://twitter.com/bkMSFT/status/1417823714922610689 - Zirconium (APT31)
• https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ - Zirconium (APT31)
• https://twitter.com/IntezerLabs/status/1326880812344676352 - AgeLocker
• https://twitter.com/IntezerLabs/status/1288487307369222145 - TrickBot
• https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html - NOTROBIN
• https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf - Cloud Snooper
• https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html - TSCookie
• https://twitter.com/ESETresearch/status/1382054011264700416 - TSCookie, #freebsd
• https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html - PLEAD
• https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability - KinSing
• https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - Turla
• https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ - Kaiji
• https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ - Kaiji (by malwaremustdie.org)
• https://twitter.com/IntezerLabs/status/1272915284148531200 - Lazarus
• https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ - Doki
• https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ - NGrok
• https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ - NGrok
• https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf - WellMail (APT29)
• https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF - Drovorub
• https://twitter.com/IntezerLabs/status/1291355808811409408 - Carbanak
• https://twitter.com/IntezerLabs/status/1300403461809491969 - Dalcs
• https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ - Rakos
• http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf - Moose
• https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ - Stantinkos
• https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ - PGMiner
• https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md - ITTS
• https://twitter.com/CraigHRowland/status/1422009387686645761 - ITTS
• https://twitter.com/CraigHRowland/status/1422267857988063232 - ITTS
• https://pastebin.com/raw/mEape37E - SystemTen (by malwaremustdie.org)
• https://imgur.com/a/H7YuWuj - SystemTen (by malwaremustdie.org)
• https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ - SystemTen (by malwaremustdie.org)
• https://twitter.com/malwaremustd1e/status/1235595880041873408 - Hajimi (by malwaremustdie.org)
• https://twitter.com/malwaremustd1e/status/1237080802581565440 - Mozi (by malwaremustdie.org)
• https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ - Rhombus (by malwaremustdie.org)
• https://twitter.com/malwaremustd1e/status/1251758225919115264 - Tsunami, Kaiten (by malwaremustdie.org)
• https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 - Tsunami, Kaiten (by malwaremustdie.org)
• https://twitter.com/malwaremustd1e/status/1267068856645775360 - DarkNexus (by malwaremustdie.org)
• https://twitter.com/malwaremustd1e/status/1380637310346096641 - Ngioweb (by malwaremustdie.org)
• https://twitter.com/malwaremustd1e/status/1379028201075187716 - DGAbot (by malwaremustdie.org)
• https://imgur.com/a/8mFGk - httpsd (by malwaremustdie.org)
• https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ - SS, Shark (by malwaremustdie.org)
• https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ - DDoSTF (by malwaremustdie.org)
• https://imgur.com/a/N3BgY - ChinaZ, GoARM (by malwaremustdie.org)
• https://imgur.com/a/5vPEc - ChinaZ (by malwaremustdie.org)
• https://imgur.com/a/vS7xV - CarpeDiem (by malwaremustdie.org)
• https://imgur.com/a/eBF7Mqe - Haiduc (by malwaremustdie.org) (by malwaremustdie.org)
• https://imgur.com/a/SSKmu - Rebirth, Vulcan (by malwaremustdie.org)
• https://imgur.com/a/lAQ1tMQ - HelloBot (by malwaremustdie.org)
• https://imgur.com/a/4YxuSfV - Cayosin (by malwaremustdie.org)
• https://imgur.com/a/57uOiTu - DDoSMan (by malwaremustdie.org)
• https://imgur.com/a/MuHSZtC - Mandibule (by malwaremustdie.org)
• https://imgur.com/a/CtHlmBE - Tsunami, Kaiten (by malwaremustdie.org)
• https://imgur.com/a/qI5Fvm4 - STD (by malwaremustdie.org)
• https://imgur.com/a/DWKK5 - Tsunami, Kaiten (by malwaremustdie.org)
• https://imgur.com/a/LpTN7 - Elknot (by malwaremustdie.org)
• https://imgur.com/a/y5BRx - r57shell (by malwaremustdie.org)
• https://imgur.com/a/a6RaZMP - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
• https://pastebin.com/iKyaqLTd - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org)
• https://pastebin.com/Z3sXqDCA - Mozi (by malwaremustdie.org)
• https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html - AirDropBot (by malwaremustdie.org)
• https://imgur.com/a/Ak9zICq - Neko (by malwaremustdie.org)
• https://twitter.com/ESETresearch/status/1415542456360263682 - ?, #FreeBSD
• https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ - Kobalos, #linux, #bsd, #solaris, #aix
• https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf - Kobalos, #bsd, #solaris, #aix
• https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ - Ebury
• https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ - Kessel
• https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ - Prophet Spider
• https://twitter.com/malwrhunterteam/status/1422972905541996546 - Encryptor, #VMware
• https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar - PRISM
• https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ - HPC
• https://atdotde.blogspot.com/2020/05/high-performance-hackers.html - HPC
• https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ - #cobaltstrike, VermilionStrike
• https://threatfabric.com/blogs/vultur-v-for-vnc.html - Vultur, Brunhilda, #Android
• https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html - KinSing
• https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ - FontOnLake
• https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers - Mayhem
• https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html
• https://s.tencent.com/research/report/1177.html
• https://honeynet.onofri.org/scans/scan13/som/som13.txt - Luckscan, usedby:unc1945
• http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc - sc (similar code to luckscan used by unc1945)
• https://twitter.com/jhencinski/status/1451592508157345793 - XMRig
• http://www.thedarkside.nl/honeypot/microbul.html
• https://honeynet.onofri.org/scans/scan13/som/som5.txt - Luckscan, usedby:unc1945
• https://twitter.com/ESETresearch/status/1454100591261667329?s=20 - Hive
• https://cujo.com/threat-alert-krane-malware/ - Krane
• https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits - Botenago
• https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis - Conti
• https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w - NAMO
• https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ - Chaos (sebd)
• https://sansec.io/research/ecommerce-malware-linux-avp - linux_avp
• https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html - Umbreon
• https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html - Polaris
• https://sansec.io/research/cronrat - CronRat
• https://imp0rtp3.wordpress.com/2021/11/25/sowat/ - SoWaT, usedby:apt31
• https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ - lib__mdma
• https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ - Cloud Shovel
• https://zhuanlan.zhihu.com/p/348960748 - Cloud Shovel
• https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ - Hildegard, TeamTNT
• https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool - ebpfkit
• https://twitter.com/malwrhunterteam/status/1467264298237972484 - Cerber
• https://sysdig.com/blog/muhstik-malware-botnet-analysis/ - Muhstik
• https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ - Muhstik
• https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/
• https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/
• https://sansec.io/research/nginrat - NginRAT
• https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ - SysJoker
• http://it.rising.com.cn/fanglesuo/19851.html - SFile
• https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github - Botenago
• https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ - RotaJakiro

Malware samples

Malware binaries

• https://tria.ge/s?q=tag%3alinux
• https://bazaar.abuse.ch/browse.php?search=tag%3Aelf
• https://github.com/MalwareSamples/Linux-Malware-Samples
• https://github.com/blackorbird/APT_REPORT
• https://twitter.com/nunohaien/status/1261281420791742464
• https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection
• https://bazaar.abuse.ch/browse/signature/Mirai/ - Mirai
• https://bazaar.abuse.ch/browse/signature/Gafgyt/ - Gafgyt
• https://bazaar.abuse.ch/browse/signature/XorDDoS/ - XorDDoS
• https://bazaar.abuse.ch/browse/signature/SystemBC/ - SystemBC
• https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection - Zirconium, apt31?
• https://github.com/eset/malware-ioc/tree/master/rakos - Rakos
• https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 - WellMail, usedby:apt29
• https://vx-underground.org/samples/Families/APT/2020.11.02/ - #Solaris, usedby:unc1945, usedby:lightbasin
• https://vx-underground.org/samples/Exotic/FASTCash/ - #AIX, FastCash, usedby:hiddencobra
• https://vx-underground.org/samples/Families/Vermilion%20Strike/ - cobaltstrike, VermilionStrike
• https://github.com/eset/malware-ioc/tree/master/kobalos - Kobalos
• https://github.com/x0rz/EQGRP
• https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ - Polaris
• https://bazaar.abuse.ch/download/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ - SoWaT, usedby:apt31
• https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532 - Linikatz

Malware source

• https://github.com/0x27/linux.mirai - Mirai
• https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux
• https://gitlab.com/rav7teif/linux.wifatch/ - Linux.Wifatch
• https://pastebin.com/jkndLHQf - FinFisher
• https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz - pscan (similar code to luckscan used by unc1945)
• https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c - pscan (similar code to luckscan used by unc1945)
• https://github.com/0x27/sebd-0.2 - sebd 0.2 source code (a fix of 0.1)
• https://github.com/NexusBots/Umbreon-Rootkit - Umbreon Rootkit
• https://github.com/HeapAllocate/sterben - sterben

Research, PoCs, capabilities etc

Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but interesting capabilities...

Tools

• https://github.com/AlessandroZ/LaZagne
• https://github.com/CiscoCXSecurity/linikatz - #T1558
• https://github.com/ciscocxsecurity/unix-privesc-check
• https://github.com/rebootuser/LinEnum
• https://github.com/rek7/fireELF
• https://github.com/ripmeep/memory-injector
• https://github.com/zMarch/Orc
• https://github.com/TH3xACE/SUDO_KILLER
• https://github.com/CiscoCXSecurity/sudo-parser
• https://github.com/NetDirect/nfsshell
• https://github.com/phath0m/JadedWraith
• https://github.com/FiloSottile/age
• https://github.com/oldboy21/LDAP-Password-Hunter
• https://github.com/redcode-labs/Bashark
• https://github.com/jtripper/parasite
• https://github.com/ixty/mandibule
• https://github.com/f0rb1dd3n/Reptile
• https://github.com/nurupo/rootkit
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Linux
• https://github.com/mempodippy/vlany
• https://github.com/m1m1x/memdlopen
• https://github.com/ropnop/kerbrute
• https://github.com/ropnop/windapsearch
• https://github.com/CiscoCXSecurity/enum4linux
• https://gtfobins.github.io/
• https://github.com/JonathonReinhart/nosecmem
• https://github.com/zephrax/linux-pam-backdoor
• https://github.com/EvelynSubarrow/BismuthScorpion
• https://github.com/EvelynSubarrow/IridiumScorpion
• https://github.com/TarlogicSecurity/tickey
• https://github.com/huntergregal/mimipenguin
• https://github.com/mnagel/gnome-keyring-dumper
• https://github.com/504ensicsLabs/LiME
• https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/
• https://github.com/blendin/3snake
• https://github.com/willshiao/node-bash-obfuscate
• https://github.com/chokepoint/azazel
• https://github.com/stealth/devpops - DevPops by stealth (not really malicious, has guard rails)
• https://github.com/nnsee/fileless-elf-exec
• https://github.com/netifera/netifera
• https://github.com/ONsec-Lab/scripts/tree/master/pam_steal
• https://github.com/zephrax/linux-pam-backdoor
• https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0
• https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782
• https://github.com/alichtman/malware-techniques
• https://github.com/liamg/memit
• https://github.com/0x1CA3/parasite
• https://github.com/compilepeace/KAAL_BHAIRAV
• https://github.com/fbkcs/msf-elf-in-memory-execution
• https://github.com/IvanGlinkin/AutoSUID
• https://github.com/pathtofile/bad-bpf
• https://github.com/sosdave/KeyTabExtract
• https://github.com/roddux/santa
• https://github.com/mufeedvh/moonwalk
• https://github.com/vfsfitvnm/intruducer
• https://github.com/gaffe23/linux-inject

Techniques

• https://tmpout.sh/1/
• https://n0.lol/
• https://vxug.fakedoma.in/papers.html
• https://www.tarlogic.com/blog/how-to-attack-kerberos/
• https://github.com/CiscoCXSecurity/linikatz/issues
• https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf
• https://rp.os3.nl/2016-2017/p59/report.pdf
• https://rp.os3.nl/2016-2017/p59/presentation.pdf
• https://rp.os3.nl/2016-2017/p97/report.pdf
• https://rp.os3.nl/2016-2017/p97/presentation.pdf
• https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/
• http://www.nth-dimension.org.uk/downloads.php?id=77
• https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/
• https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
• https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html - #T1558
• https://github.com/CiscoCXSecurity/presentations/blob/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf - #T1558
• http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf
• http://shell-storm.org/api/?s=arm
• http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
• https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf
• http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf
• https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92
• https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
• https://blog.fbkcs.ru/en/elf-in-memory-execution/
• https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301
• https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014
• https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
• https://www.guitmz.com/running-elf-from-memory/
• https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/

Sandboxes

• https://github.com/monnappa22/Limon
• https://bazaar.abuse.ch/
• https://www.virustotal.com/gui/
• https://www.rfxn.com/projects/linux-malware-detect/
• https://elfdigest.com/
• https://tria.ge/

Yara rules

Personal rules

• ciscotools.yara - Hunts for references to our tools
• aix.yara - Hunts for AIX binaries
• adonunix2.yara - Hunts for binaries that attack AD on UNIX
• enterpriseunix2.yara - Hunts for enterprise UNIX binaries
• enterpriseapps2.yara - Hunts for enterprise app binaries
• canvasspectre.yara - Hunts for CANVAS Spectre
• unixredflags3.yara - Hunts for UNIX red flags
• luckscan.yara - Hunts for references to luckscan
• pscan.yara - Hunts for references to pscan

Other rules

• https://github.com/Yara-Rules/rules