Threat Intelligence

Linux security and APTs: Identifying threats and reducing risk

Dan Virgillito
January 18, 2021 by
Dan Virgillito


Think your Linux system is immune to malware? Well, think again. Advanced attack groups have sophisticated PHP rootkits, web shells, exploit code and backdoors designed for Linux. Plus, Linux users are arguably at greater risk when they believe the Linux security stereotype and neglect the importance of mitigations for the threat. 

This is one of the reasons why APT groups are increasingly targeting Linux over Windows. While the OS hasn’t experienced the flood of Trojans and viruses that Windows systems have, The Global Research and Analysis Team (GReAT) at Kaspersky shared that Linux still has high appeal for threat actors.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Linux usage on the rise, but devices are at risk

The Kaspersky GReAT team observed a significant trend across various countries: many organizations, including IT firms and government entities, use Linux more than Windows. The trend has been fueled by a move to container infrastructure, making it convenient for enterprises to deploy and use Linux. Unfortunately, not much attention is given to securing access to Linux-running devices, which has prompted adversaries to design tools for targeting the OS. Remember, it takes only a few exposed ports and a single vulnerable container for an attacker to enter your network.

GReAT’s analysis indicates that Linux servers are at the greatest risk, but threat actors could also target workstations and network devices. However, researchers emphasized that servers should be the key concern. A successful compromise could not only allow attackers to gain access to the data on those machines but also target connected endpoints running macOS or Windows, helping them infect more devices than their initial objective.

APT groups at the forefront of attacks

According to GReAT, various APT groups have been observed to leverage Linux malware and other Linux-based modules. Interestingly, they are deploying the malware via legitimate tools that are already present on Linux-based devices. This helps them to cover their tracks while they deploy code or run scripts. Below is an advanced persistent threat list featuring some of the hacking groups that have targeted Linux.

Cloud Snooper

Earlier in 2020, SophosLab published a report about a new APT threat actor named Cloud Snooper. Their attack tool is a server-oriented Linux kernel rootkit designed to establish a communication to the Linux server. The kernel driver achieves this by hooking Netfilter traffic control functions to activate firewall-crossing command-and-control (C2) communication. For spying, the attackers utilize an in-band signaling technique where a hidden command script is added in the standard network traffic. 

GReAT researchers used the rootkit’s userland companion backdoor Snoopy to identify the threat at scale. 


Researchers also found another APT group with the goal of manipulating network traffic. Called Barium/APT41, the group mainly targeted gaming firms during the initial years of its existence. Over time, it designed new tools and started attacking more complex targets. 

The centerpiece is a Linux malware dubbed MessageTap, which is a “64-bit ELF data miner” loaded initially by an installation script. The Barium team uses it to intercept SMS communication from telecoms’ infrastructure. 

FireEye reported that this malware was deployed on telecoms’ SMS gateway systems to create a surveillance grid.


GReAT’s researchers discovered that the sophisticated APT group Equation began utilizing its POSIX-compliant codebase to target Linux-based platforms. They identified the DOUBLEFANTASY Linux malware while it was still in the early stage. This module gathers system data and credentials to provide generic access to a Linux computer. 

Researchers suggested that the malware could be used as a ploy in the infection life cycle for more dangerous later-stage implants. However, they weren’t able to identify any during the analysis.


This APT group, like other threat actors, has refined its toolset to include Linux-targeting capabilities. Their arsenal includes a stealth backdoor (called Penguin Turla) that doesn’t require admin or root privileges. An attacker with limited access to a Linux system can use it to run commands and intercept incoming packets while remaining hidden. It’s one of the most challenging to uncover, especially if deployed on a compromised server.

GReAT researchers stated that the most concerning thing about Linux malware is its ability to hide on servers (and then show up later). As Linux users rarely focus on system updates or installing antivirus software, the modules have a good chance of escaping detection and penetrating the devices.

How to minimize your APT security risks

Fortunately, researchers have some much-needed advice for making Linux devices more secure against APT threats. Here are some of the steps they recommend:

  • Keep a list of trusted software sources and avoid installing apps from unofficial stores.
  • Configure your firewall from the Linux distributive effectively to store network activity and block idle ports.
  • Don’t fall for installation methods involving commands such as curl https://install-url | sudo bash. They can be harmful to your device.
  • Make sure to set up automatic updates for your Linux security software and avoid unencrypted channels for software updates.
  • Evaluate network settings and any unnecessary programs from the network.
  • Leverage key-based SSH-authentication and passwords to protect keys. 
  • Set up two-factor authentication for SSH sessions and keep sensitive keys on third-party token devices. 
  • Protect Linux hardware from malicious insiders by using full disk encryption and placing tamper-evident security tape on the crucial systems.
  • Perform system audits and study logs for indicators of compromise. 
  • Use dedicated Linux security tools like Integrated Endpoint Security. Such tools offer network and web safeguards to identify network attacks, phishing and malicious sites, as well as other Linux security features such as device control to help users define rules for data transfers. 


Organizations have long relied on Linux as an OS capable of supporting the daily tasks of enterprises. That, coupled with the misconception about Linux security, makes the OS a viable target for different attack groups. Rather than neglecting the reality of APT attacks, make sure to take the steps needed to increase the defense mechanisms of your Linux devices. For the best results, start seeing Linux security as a practice that needs to be integrated into your company’s DNA.



How invulnerable is Linux?, Kaspersky Daily

The “Cloud Snooper” malware that sneaks into your Linux servers, Naked Security

MESSAGETAP: Who’s Reading Your Text Messages?, FireEye

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.