Newly uncovered Linux Trojan represents 'missing piece' in four-year Turla malware attacked
Linux component of Turla Trojan could've been used in the wild for four years, warn Kaspersky and Symantec
A stealth Trojan that has attacked Linux systems in 45 countries around the world has been uncovered - and researchers fear that it has been active for a number of years, targeting systems belonging to governments and pharmaceutical companies.
The malware has been used in the wild for at least four years, according to the two companies, and has targeted government computing, embassies, military and research establishments. That targeting, and the Trojan's sophistication, indicates that it may be another state-created piece of malware - that, indeed, is the claim of Symantec.
The malware used a rootkit that made it difficult to detect.
"So far, every single Turla sample we've encountered was designed for the Microsoft Windows family, 32 and 64 bit operating systems. The newly discovered Turla sample is unusual in the fact that it's the first Turla sample targeting the Linux operating system that we have discovered," wrote Kaspersky researchers Kurt Baumgartner and Costin Raiu in an article on SecureList.
They continued: "This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet."
The Microsoft Windows parts of the Turla malware has infected hundreds of systems in 45 countries around the world, but the Linux component was only recently uncovered.
The Linux Trojan can't be easily detected using the common netstat command, but it can run arbitrary commands with the need for elevated system privileges, according to Baumgartner
"The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources," according to Baumgartner and Raiu of Kaspersky.
They continue: "This specific module appears to have been put together from public sources with some added functionality from the attackers. Some of the malicious code appears to be inactive, perhaps leftovers from older versions of the implant. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity.
"The discovery of this Turla module rises one big question: how many other unknown Turla variants exist?"