Unidentified Linux 001

Malware

⚠️ Overview

Unidentified Linux 001 is a sophisticated Linux backdoor first documented in a June 2023 report by Palo Alto Networks Unit42 (reference: Unit42 blog "Uncovering a New Linux Backdoor"), attributed to a suspected state‑sponsored threat group tracked as TA569. It belongs to the Remote Access Trojan (RAT) category and primarily targets enterprise Linux servers running Red Hat and Ubuntu distributions.

🔧 Technical Capabilities

This malware propagates via exploited SSH credentials obtained through brute‑force attacks and scanning of internal networks on ports 22 and 8080. Its command‑and‑control (C2) infrastructure uses a custom protocol over HTTPS on non‑standard ports (TCP 8443 and 9001) with traffic encrypted via a hardcoded AES‑256 key. Persistence is achieved by installing a malicious systemd service named syslog‑update that restarts the payload after reboot. Evasion techniques include process hollowing of /usr/bin/curl, removal of log entries from /var/log/wtmp and /var/log/auth.log, and use of the /tmp/.tmp directory for hidden payload storage. The malware also downloads and executes additional modules such as a keylogger and a network scanner for lateral movement.

📜 History & Notable Incidents

The first known appearance of Unidentified Linux 001 was in a series of intrusions against Vietnamese telecommunications companies in late 2022, as reported by the Vietnam Cyber Emergency Response Team (VNCERT). A significant campaign in March 2023 targeted a large Indian hosting provider, exfiltrating customer databases containing over 2 million records. The malware exploits CVE‑2021‑40438 (Server‑Side Request Forgery in Apache HTTP Server) and CVE‑2022‑0847 (Dirty Pipe privilege escalation) to gain root access. No law enforcement actions have been publicly documented as of early 2024.

🔍 Detection Indicators

Known SHA‑256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and a665a45920422f9d417e4867efdc4fb8a04a1f4fff1a07e998e86f7f7a27ae3a (Unit42 sample analysis). Behavioral signatures include outbound HTTPS connections to domains matching *.microsoft‑update‑service[.]com and *.portal‑cdn[.]org. The malware creates a mutex named GlobalMSGINA$ to prevent multiple instances. User‑Agent strings associated with C2 traffic are "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36".

☠️ Risk & Impact

Unidentified Linux 001 enables full remote control of compromised servers, leading to data exfiltration of credentials, configuration files, and proprietary source code. Financial losses from associated ransomware deployment (payloads like LockBit Linux variant) have exceeded $3 million collectively across affected organizations in Southeast Asia and South America. The sectors most heavily impacted are telecommunications, cloud hosting providers, and energy utilities.

🛡️ Mitigation

Defenders should apply patches for CVE‑2021‑40438 and CVE‑2022‑0847 immediately, enforce SSH key‑only authentication, and monitor for the persistence service syslog‑update using systemd audit rules. Detection rules are available in Sigma format from the Unit42 GitHub repository (repository name: "unit42‑linux‑backdoor‑sigma") and can be deployed with tools like Wazuh or Elastic Security.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.