Russian Cyberespionage Group Uses Linux Trojan

A Russian cyberespionage group known as Pawn Storm has been targeting and infecting Linux systems with a simple yet effective Trojan program that does not require highly privileged access.

Also known as Sofacy or Sednit, Pawn Storm is a group of attackers that has been active for at least nine years. Over that time the group has steadily scaled up both its operations and its range of targets.

Government, security and military organizations in NATO member countries have all been targets of the group, as have defense contractors, media organizations, and critics of the Russian state and the Kremlin. Since the conflict in Ukraine began, the group has also turned its attention to political activists in Ukraine.

Known for using zero-day exploits, the group also sends spear-phishing emails carrying malicious attachments. Its primary tool is a Windows backdoor called Sednit, but it also uses malware built for Mac OS X and Linux, and has targeted mobile operating systems such as iOS and Android.

Linux Malware

For Linux machines, the group uses a tool called Fysbis, according to security firm Palo Alto Networks. The program has a modular structure, which lets the attackers extend the payload on a targeted computer by loading plug-ins.

“Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes,” Palo Alto researchers explained.

Designed as a cyberespionage tool for data theft, Fysbis can reach sensitive documents belonging to the targeted user without ever gaining control of the whole system: running under an ordinary user account is enough to read and steal that user's files.
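As an added example (not code from the article or from Palo Alto Networks), the shell script below shows the check a defender would want after reading this: a hunt over the persistence locations that an implant running as an ordinary user can write to, with no root required. The paths and the "suspect" pattern are general Linux user-level autostart locations and an assumption of this example; they are not a description of how Fysbis itself persists.

```shell
#!/bin/sh
# Hunt for persistence that needs no root, scoped to one user's home.
# The locations below are common Linux user-level autostart points in
# general; this is not a claim about how Fysbis in particular persists.

# Launch targets a defender would question: binaries run from temp
# directories or from hidden (dot) directories.
SUSPECT_RE='(/tmp/|/var/tmp/|/dev/shm/|/\.[A-Za-z0-9_-]+/)'

# hunt_user_persistence HOME
# Prints one line per suspicious entry; exit status 0 if none, 1 otherwise.
hunt_user_persistence() {
    home="$1"
    hits=0

    # 1. XDG autostart entries: run at every graphical login, user-writable.
    for f in "$home"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        cmd=$(sed -n 's/^Exec=//p' "$f")
        if printf '%s\n' "$cmd" | grep -Eq "$SUSPECT_RE"; then
            printf 'autostart: %s -> %s\n' "$f" "$cmd"
            hits=$((hits + 1))
        fi
    done

    # 2. systemd user units: "systemctl --user enable" needs no root.
    for f in "$home"/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        cmd=$(sed -n 's/^ExecStart=//p' "$f")
        if printf '%s\n' "$cmd" | grep -Eq "$SUSPECT_RE"; then
            printf 'systemd-user: %s -> %s\n' "$f" "$cmd"
            hits=$((hits + 1))
        fi
    done

    # 3. Shell startup files: any non-comment line referencing a suspect path.
    #    Hits here need review; e.g. ~/.local/bin on PATH is normal.
    for f in "$home/.bashrc" "$home/.profile" "$home/.bash_profile" "$home/.xsessionrc"; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in "#"*|"") continue ;; esac
            if printf '%s\n' "$line" | grep -Eq "$SUSPECT_RE"; then
                printf 'rcfile: %s -> %s\n' "$f" "$line"
                hits=$((hits + 1))
            fi
        done < "$f"
    done

    [ "$hits" -eq 0 ]
}

# Usage: sh hunt.sh /home/alice
if [ $# -gt 0 ]; then
    hunt_user_persistence "$1"
fi
```

Run it against each home directory on a suspect host. Hits from shell startup files need manual review, since legitimate tools also live in dot-directories, and the user's own crontab (`crontab -l`) is a fourth root-free location worth checking alongside these.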

That capability underlines a broader point: Advanced Persistent Threat (APT) actors can often reach their objectives with simple methods, and do not need a privilege-escalation exploit when the data they want is already readable by the compromised user.

Fysbis also dispels the common notion that Linux is inherently secure.

Palo Alto’s blog revealed:

Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries.
