
Researchers have discovered a never-before-seen framework that infects Linux machines with a wide range of modules that are notable for the range of advanced capabilities they provide to attackers.
The framework, named VoidLink in its own source code, has more than 30 modules that can be combined to tailor the capabilities deployed on each infected machine to the attackers’ needs. These modules provide additional stealth and specialized tools for reconnaissance, privilege escalation, and lateral movement inside a compromised network. Components can be added or removed as objectives change during a campaign.
Focus on Linux inside the cloud
VoidLink can target machines within popular cloud services by detecting if an infected machine is hosted inside AWS, GCP, Azure, Alibaba, and Tencent, and there are indications that developers plan to add detection for Huawei, DigitalOcean, and Vultr in future releases. To find out which cloud service hosts the machine, VoidLink examines the metadata using the respective vendor’s API.
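The provider fingerprinting described above leaves a signal defenders can watch for: a process that is not a known cloud agent contacting the instance-metadata endpoints. The following detector is an added illustration, not code from the article or from Check Point's research; it runs over constructed connection records whose field names (pid, comm, daddr, dport) are modelled loosely on auditd socket-connect events, and the Tencent metadata address and the process allowlist are assumptions to be tuned per environment.

```python
"""Flag processes that query cloud instance-metadata endpoints (added example)."""

# Metadata service addresses for the providers named in the article.
# AWS, GCP and Azure all answer on the same link-local address; Alibaba
# uses its own. The Tencent address is an assumption; verify it locally.
METADATA_ENDPOINTS = {
    "169.254.169.254": "AWS/GCP/Azure",
    "100.100.100.200": "Alibaba",
    "169.254.0.23": "Tencent (assumed)",
}

# Agents expected to talk to the metadata service. Constructed allowlist;
# tune it per image, since anything not listed here raises an alert.
ALLOWED_PROCESSES = {
    "cloud-init", "amazon-ssm-agent", "waagent",
    "google_guest_agent", "aliyun-service",
}


def parse_record(line: str) -> dict:
    """Split one 'key=value key=value ...' connection record into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_metadata_probes(records: list) -> list:
    """Return one alert per record where a non-allowlisted process
    connects to a metadata endpoint; other traffic is ignored."""
    alerts = []
    for line in records:
        rec = parse_record(line)
        provider = METADATA_ENDPOINTS.get(rec.get("daddr", ""))
        if provider is None or rec.get("comm") in ALLOWED_PROCESSES:
            continue
        alerts.append({"pid": rec.get("pid"), "comm": rec.get("comm"),
                       "provider": provider})
    return alerts


# Constructed sample: one legitimate agent call, one unknown binary sweeping
# several providers' endpoints (the fingerprinting pattern), one unrelated
# outbound HTTPS connection.
SAMPLE_RECORDS = [
    "pid=412 comm=cloud-init daddr=169.254.169.254 dport=80",
    "pid=9031 comm=unknown-bin daddr=169.254.169.254 dport=80",
    "pid=9031 comm=unknown-bin daddr=100.100.100.200 dport=80",
    "pid=9031 comm=unknown-bin daddr=169.254.0.23 dport=80",
    "pid=77 comm=curl daddr=93.184.216.34 dport=443",
]

if __name__ == "__main__":
    for alert in find_metadata_probes(SAMPLE_RECORDS):
        print(alert)
```

A single process hitting more than one provider's endpoint in quick succession, as in the sample, is the pattern worth correlating on, since a legitimate agent only ever needs the endpoint of the platform it is actually running on.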
Similar frameworks targeting Windows Server have flourished for years; they are far less common on Linux machines. VoidLink’s feature set is unusually broad and “far more advanced than typical Linux malware,” said researchers at Check Point, the security firm that discovered it. Its creation may indicate that attackers are expanding their focus to Linux systems, cloud infrastructure, and application deployment environments as organizations shift more of their workloads there.
“VoidLink is a comprehensive ecosystem specifically designed to maintain long-term, covert access to compromised Linux systems running in public cloud platforms and containerized environments,” the researchers said in a separate post. “Its design reflects the level of planning and investment typically associated with professional threat actors rather than opportunistic attackers, increasing the risk to defenders who may never realize their infrastructure has been quietly taken over.”