The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers.
In the summer of 2015, Fidelis Cybersecurity had the opportunity to analyze a Derusbi malware sample used as part of a campaign we’ve labeled Turbo, named for the associated kernel module that was deployed. Derusbi has been widely covered and associated with Chinese threat actors. This malware has been reported to have been used in high-profile incidents like the ones involving Wellpoint/Anthem, USIS and Mitsubishi Heavy Industries. These incidents have ranged from simple targeting to reported breaches. Every one of these campaigns involved a Windows version of Derusbi.
While we’ve analyzed many common variants of Derusbi, this one got our attention because it is a 64-bit Linux variant of Derusbi, the only such sample we have observed in our datasets or in public repositories. To our knowledge, no analysis of such malware has been made publicly available.
A number of anti-forensics techniques must be bypassed in order to determine the true capabilities of this sample. Two techniques used to hamper forensic analysis are the ability to run as a memory-resident kernel module, which prevents file-based detection of the Linux Kernel Module on the local host, and the ability to cleanly remove it from disk.
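As an added example (this is not code from the Fidelis report or from the malware), the following is a defender's triage check for the memory-resident technique described above: a module loaded straight from a memory buffer still appears in /proc/modules, but has no backing file under /lib/modules/&lt;release&gt;, so listing loaded modules without a file on disk surfaces it. The sample /proc/modules text and the module name `example_lkm` are constructed for illustration; `check_live_system()` is assumed to run on a Linux host with the standard module tree layout.

```python
"""Triage check: loaded kernel modules that have no file under /lib/modules.

A kernel module inserted from memory (init_module on a buffer, with the .ko
never written to disk) is still listed in /proc/modules, but a walk of the
module tree for the running kernel finds no file for it.  Out-of-tree
modules installed elsewhere (for example a vendor driver loaded by absolute
path) also trigger this check, so every hit needs manual review, not
automatic action.
"""
import os
import platform


def parse_proc_modules(text):
    """Return module names from /proc/modules-style text (first column)."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.append(fields[0])
    return names


def module_name_from_filename(fname):
    """Map a module file name to the name the kernel reports, or None.

    The kernel normalises '-' to '_' in module names, so 'nf-conntrack.ko'
    is listed as 'nf_conntrack'; compressed modules keep their .ko prefix.
    """
    for ext in (".ko.xz", ".ko.gz", ".ko.zst", ".ko"):
        if fname.endswith(ext):
            return fname[: -len(ext)].replace("-", "_")
    return None


def on_disk_module_names(module_root):
    """Collect the names of all module files found under module_root."""
    names = set()
    for _dirpath, _dirs, files in os.walk(module_root):
        for fname in files:
            name = module_name_from_filename(fname)
            if name is not None:
                names.add(name)
    return names


def find_unbacked_modules(loaded, available):
    """Return loaded module names that have no on-disk file, sorted."""
    return sorted(name for name in loaded if name not in available)


def check_live_system():
    """Run the check against the running kernel (Linux only)."""
    with open("/proc/modules") as fh:
        loaded = parse_proc_modules(fh.read())
    root = os.path.join("/lib/modules", platform.release())
    return find_unbacked_modules(loaded, on_disk_module_names(root))


# Constructed sample /proc/modules content, not captured from a real host.
SAMPLE_PROC_MODULES = """\
ext4 724992 2 - Live 0xffffffffc0400000
mbcache 16384 1 ext4, Live 0xffffffffc03f0000
example_lkm 20480 0 - Live 0xffffffffc0500000 (OE)
"""

# Constructed on-disk inventory, as on_disk_module_names() would return it.
SAMPLE_ON_DISK = {"ext4", "mbcache"}


if __name__ == "__main__":
    loaded = parse_proc_modules(SAMPLE_PROC_MODULES)
    print("sample hits:", find_unbacked_modules(loaded, SAMPLE_ON_DISK))
    if os.path.exists("/proc/modules"):
        print("live hits:", check_live_system())
```

Because the check reads only /proc/modules and the module tree, it works from a read-only live-response session; a hidden module that has also unlinked itself from the kernel's module list will not appear in /proc/modules at all, so this is a first-pass check rather than a complete rootkit detector.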
This 64-bit Linux variant of Derusbi shares many of the common capabilities provided by a typical remote access tool, including directory and file operations, command execution and remote access. Additionally, obfuscation capabilities, such as timestomping and process hiding, make this sample even more interesting and difficult to analyze.
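Timestomping, mentioned above, is easier to spot on Linux than to perform cleanly: utime()/utimensat() let a process set a file's atime and mtime to any value, but the kernel sets ctime to the current clock on every such change and offers no user-space call to set it. As an added example (not code from the Fidelis report), the script below applies two resulting heuristics to a directory tree: an mtime later than ctime, which cannot arise without tampering or a clock step, and a whole-second mtime on a filesystem that records nanosecond timestamps, a fingerprint of tools that write second-resolution times. The temporary files are constructed by `demo()` for illustration; the check assumes Unix ctime semantics and a nanosecond-resolution filesystem.

```python
"""Flag files whose timestamps look tampered with (Unix ctime semantics).

Heuristic 1: mtime > ctime.  Any legitimate mtime change also bumps ctime
to "now", so a modification time in the future relative to the change time
means the mtime was set directly.
Heuristic 2: mtime with a zero nanosecond part.  Normal writes land on an
arbitrary nanosecond value; a .000000000 mtime on ext4/xfs/tmpfs usually
means a second-resolution tool (or archive extraction) set it.  This is a
weak indicator on its own and is reported separately for that reason.
"""
import os
import tempfile
import time

NS_PER_SEC = 1_000_000_000


def timestamp_anomalies(path):
    """Return the list of heuristic names that fire for one path."""
    st = os.stat(path, follow_symlinks=False)
    flags = []
    if st.st_mtime_ns > st.st_ctime_ns:
        flags.append("mtime_after_ctime")
    if st.st_mtime_ns % NS_PER_SEC == 0:
        flags.append("whole_second_mtime")
    return flags


def scan_tree(root):
    """Walk root and return {path: flags} for every file that raises a flag."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                flags = timestamp_anomalies(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if flags:
                hits[path] = flags
    return hits


def demo():
    """Create a normal file and a timestomped one, then return the scan result.

    Both files and their contents are constructed for this example.  The
    second file gets a whole-second mtime one day in the future, which is
    what a crude timestomp of a freshly dropped file would look like if the
    attacker picked a date without checking the clock.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        normal = os.path.join(tmpdir, "normal.log")
        stomped = os.path.join(tmpdir, "stomped.log")
        for path in (normal, stomped):
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        future = int(time.time()) + 86400
        os.utime(stomped, ns=(future * NS_PER_SEC, future * NS_PER_SEC))
        hits = scan_tree(tmpdir)
        return {os.path.basename(p): flags for p, flags in hits.items()}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {', '.join(flags)}")
```

On a real investigation the more common pattern is an mtime set into the past to blend in with neighbouring files; that leaves mtime &lt; ctime, which is also normal for copied files, so the ctime itself (the time the stomp happened) and the whole-second fingerprint are what narrow the candidate set, and the filesystem journal or a prior backup is needed to recover the original value.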
It is important to note that it would take significant effort to replicate the capabilities of the Windows version into the Linux version. This indicates an investment by the adversary to gain additional footholds within a victim’s infrastructure. By adding 64-bit Linux servers and clients to their target list, advanced threat actors show that they continue to expand their capabilities. Enterprises worldwide have been investing in Windows-based detection and remediation platforms for many years now. Linux is widely used in the datacenter and for hosting critical applications and databases. The use of such malware instantly bypasses entire classes of commercial, Windows-only security products, thus opening up significant new exposures for enterprises.