{
	"id": "6e298e54-bb8e-4bb8-a27d-eb94f82448cb",
	"created_at": "2026-04-06T00:11:56.094508Z",
	"updated_at": "2026-04-10T13:13:03.570207Z",
	"deleted_at": null,
	"sha1_hash": "0387a88f54f4723bc21a11394234a3caccfd5052",
	"title": "The Evolution of IoT Linux Malware Based on MITRE ATT\u0026CK TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54471,
	"plain_text": "The Evolution of IoT Linux Malware Based on MITRE ATT\u0026CK TTPs\r\nBy Veronica Chierzi\r\nPublished: 2021-12-09 · Archived: 2026-04-05 22:41:06 UTC\r\nNew IoT botnet techniques\r\nDuring the observation period, we noted four new techniques added to threat actors’ arsenals. One is a newly implemented technique in botnet families called Masquerading: Match Legitimate Name or Location (T1036.005). It is a Defense Evasion technique that likely reflects the manufacturers’ increasing interest and efforts in securing these IoT devices or appliances. The technique involves adversaries trying to match the name and location of legitimate and trusted programs to hide malicious executables and evade detection.\r\nAnother new technique that diverges from the more common technique being used in IoT Linux malware (Indicator Removal on Host: File Deletion (T1070.004)) is File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002), introduced in a malware discovered in mid-2020. We observed these additions especially in the Dark Nexus malware. Most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (change owner) and chmod (change mode).\r\nFurthermore, among the families discovered in 2021 is a variant of StealthWorker GO, a malware written in the Golang language, where we observed the addition of the Scheduled Task/Job: Cron (T1053.003) technique. This technique belongs to the Execution tactic and also allows malware to achieve persistence in the system: the cron utility maintains persistence by enabling an attacker to achieve time-based command execution.\r\nDropped techniques\r\nOn the other hand, we found three techniques relating to the lateral movement tactic to have been dropped. We observed a trend in recently discovered families that gives the responsibility for propagation back to the C\u0026C server. In the Dark Nexus family, for example, we found that it is the C\u0026C server that takes steps to propagate the malware. Our analysis highlighted the drop of two techniques linked to the Lateral Movement tactic, which are Remote Services (T1021) and Exploitation of Remote Services (T1210). In relation to this, the technique for the discovery of network information, System Network Configuration Discovery (T1016), is also no longer used.\r\nUncommon techniques\r\nAdditionally, we noticed that IoT Linux malware authors are not interested in stealing data. In our data set, there is only one malware (QSnatch) that implements typical tactics for data leakage, such as collection and exfiltration. Moreover, we also found that privilege escalation is not among the interests of IoT malware authors. This is likely because, from a malware author’s standpoint, the benefits of executing malware that requires higher privileges are not worth the effort of implementation. Furthermore, the default accounts on targeted devices usually already come with all the privileges needed to run programs, write to the filesystem, and establish new connections.\r\nDifferences between ransomware and botnet malware\r\nThe characterization through the ATT\u0026CK matrix also allowed us to compare different malware classes that target IoT devices, which in our data set are ransomware and botnet families.\r\nThe findings highlight some common techniques, such as the Credential Access methodology, where Brute Force: Password Guessing (T1110.001) is the most common technique that both malware classes fall under. This finding is not a surprise since it is common to find default usernames and passwords still being used in these kinds of devices. Usually, users are not aware of the risks of exposing IoT devices to the internet. Indeed, many devices are still installed without changing the default credentials or securing remote access.\r\nAnother common capability for both classes is External Remote Services (T1133) from the Initial Access tactic, which confirms the presence of unsecured and exposed internet services, such as Telnet and SSH. This technique allows attackers to exploit external-facing remote services to initially access and/or persist within a network; they also often use exposed services that do not require authentication.\r\nAnother similarity is in the two classes’ Command and Control implementation, as both implement Application Layer Protocol: Web Protocols (T1071.001). This is likely because the market for malware-as-a-service is growing. Thus, having a simple UI that the “customers” or other threat actors can use to control the malware is an important aspect.\r\nBy comparing the number of unique TTPs implemented, we studied the implementation variations among different malware families and noticed that while different ransomware families share many common techniques, botnets tend to innovate more and implement a variety of different TTPs to exploit many services. This may be because detection of botnet malware is more mature, so they require more frequent changes to avoid being easily detected. These differences are illustrated in Figure 2.\r\nConclusion\r\nAs the number of connected devices grows, linked threats also increase. Knowing the evolution of malware that targets IoT devices is fundamental to implementing effective countermeasures and defenses.\r\nWe saw how IoT malware has been slowly developing over the years. Botnet threats, in particular, are an active field where capabilities are being added and removed, reflecting not only the behavior of threat actors but also the defenses being implemented in these devices. The MITRE ATT\u0026CK framework helps create a standardized way of listing techniques and characterizing threats found today. It is easy to see how awareness of common TTPs can help organizations and users better protect their devices and networks. For example, our findings further stress the importance of changing default passwords in all connected devices.\r\nOrganizations and users can also consider these steps to secure their devices:\r\nManage vulnerabilities and apply patches as soon as possible. Applying patches as soon as they are released can reduce the chances for potential exploits.\r\nUse secure configurations. A secure device configuration narrows openings for compromise or remote attacks.\r\nUse strong, hard-to-guess passwords. Aside from changing default passwords, users can circumvent brute-force techniques by using strong passwords and enabling two-factor authentication if it is an option.\r\nSource: https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att\u0026ck-ttps.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att\u0026ck-ttps.html"
	],
	"report_names": [
		"the-evolution-of-iot-linux-malware-based-on-mitre-att\u0026ck-ttps.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0387a88f54f4723bc21a11394234a3caccfd5052.pdf",
		"text": "https://archive.orkl.eu/0387a88f54f4723bc21a11394234a3caccfd5052.txt",
		"img": "https://archive.orkl.eu/0387a88f54f4723bc21a11394234a3caccfd5052.jpg"
	}
}