{
	"id": "5f69202b-8328-4fd1-bdc8-c4de5ad45000",
	"created_at": "2026-04-10T03:21:46.529405Z",
	"updated_at": "2026-04-10T03:22:18.906964Z",
	"deleted_at": null,
	"sha1_hash": "656f08cd11d5191ee9d71e48b267e87b9be6da27",
	"title": "ELF Malware Analysis 101: Linux Threats No Longer an Afterthought",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80764,
	"plain_text": "ELF Malware Analysis 101: Linux Threats No Longer an\r\nAfterthought\r\nBy Avigayil Mechtinger\r\nPublished: 2020-06-16 · Archived: 2026-04-10 02:46:26 UTC\r\nLinux has a large presence in the operating systems market because it’s open-sourced, free, and software\r\ndevelopment oriented—meaning its rich ecosystem provides developers easy access to many different artifacts.\r\nLinux is the predominant operating system for Web servers, IoT, supercomputers, and the public cloud workload.\r\nAlthough Linux holds only two percent of the desktop market share in comparison to the 88 percent share held by\r\nWindows, Linux desktop security should not be neglected, evidenced by our discovery of EvilGnome in July\r\n2019.\r\nLinux is practically everywhere but low Linux threat detection is pervasive across the antivirus industry,\r\nencouraging attackers to target this operating system aggressively in recent years. Researchers have disclosed\r\nhighly sophisticated ELF malware, proving attackers are increasingly adding Linux malware to their arsenal.\r\nCurrently, there aren’t enough companies hunting for and publishing IOCs and other information about the latest\r\nLinux threats. There are many undiscovered threats on this operating system and we expect more threats will be\r\nexposed over time as Linux continues to gain in popularity. It’s crucial that security researchers have the ability to\r\nanalyze and understand Linux malware as part of their evolving skillset.\r\nWe initiated this training to make practical ELF malware analysis more accessible. This multi-part series will\r\nprovide you with practical knowledge and tools for effective ELF malware analysis. You will gain a better\r\nunderstanding of the ELF format and learn how to analyze ELF files using static and dynamic methods. Also, we\r\nwill present useful analysis tools and practice malware analysis hands on. 
After this series you will be able to\r\nanalyze an ELF file, determine if it’s malicious, and classify the threat.\r\nBefore diving into technical ELF analysis practices, this post will serve as an introduction to the ELF malware\r\nworld. We will review the ELF threat landscape, explain how a Linux machine is initially infected with malware,\r\nand elaborate why it’s important for you as a security researcher or malware analyst to gain ELF analysis skills.\r\nThe Linux Threat Landscape\r\nThe Linux threat landscape is heavily concentrated with DDoS botnets and crypto-miners. It is much more\r\ncomplex than that, however, and is also home to more sophisticated threats developed by APTs and other cybercrime groups.\r\nIn 2019, our researchers documented over 20 instances of previously undiscovered Linux threats. Those threats\r\nincluded large scale crypto-mining campaigns, botnets, ransomware, and nation-state sponsored attacks.\r\nThe following Linux threats are just some of the examples that have been documented by the research community:\r\nQNAPCrypt – Ransomware campaign targeting Linux file storage servers. This campaign was later\r\nattributed by our researchers to FullofDeep, a Russian cybercrime group.\r\nhttps://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought\r\nPage 1 of 4\n\nCloud Snooper – RAT found on Linux servers by researchers at Sophos. The threat was identified\r\non Amazon Web Services EC2 instances and used various tools to bypass security\r\nmeasures. Researchers believe the attack was conducted by an APT due to its toolset and\r\ncomplexity.\r\nWinnti – Backdoor tied to the Winnti Umbrella group was discovered on the systems of a German\r\npharmaceutical company named Bayer. The Winnti group is a cluster of Chinese government-sponsored\r\nactivity that shares goals and resources, including attack tools. In-depth research\r\non this malware was conducted by Chronicle. 
It’s the first Winnti Linux variant exposed in the wild.\r\nHiddenWasp – RAT targeting Linux servers. It’s composed of a rootkit, a trojan, and an initial\r\ndeployment script. At the time of discovery by our researchers, the malware was undetected despite\r\nusing code from various open-source projects such as Mirai and the Azazel rootkit. There is\r\nevidence that HiddenWasp is related to a Chinese APT.\r\nEvilGnome – Linux desktop backdoor implant with connections to Russia’s Gamaredon Group. The\r\nmalware has many functionalities including file stealing, the ability to capture desktop screenshots,\r\naudio recording, and module expansion.\r\nDacls – RAT tied to Lazarus APT group reported by 360 Netlab. Researchers found both ELF and\r\nPE versions of this malware. This is Lazarus’s first exposed Linux malware.\r\nManusCrypt – RAT tied to Lazarus group. This malware was reported mainly targeting Windows.\r\nJust recently a Linux version of this malware was found, similar to the ManusCrypt variant F PE\r\nmalware reported by the US CERT in May 2020.\r\nMESSAGETAP – Infostealer discovered by FireEye on a telecommunications company’s Linux\r\nservers. These servers operate as a Short Message Service Center (SMSC), which routed SMS\r\nmessages to recipients. The malware was designed to steal SMS traffic and it was also tied to the\r\nWinnti group.\r\nLinux threats are not limited to malware that abuses a victim’s computing resources.\r\nThey also include harmful and intrusive malware that can cause damage within a victim’s private domains.\r\nHow does ELF Malware Infect Systems?\r\nUnlike desktops, where phishing is a common method of infection, attackers looking to infiltrate servers and IoT\r\nplatforms can’t rely on end users to install malware on their behalf. There’s no user interaction with browsers and\r\nemail accounts, which makes phishing attacks practically irrelevant in these environments. 
This means a\r\nmalware’s entry point to the system has to be much more targeted. Here are the main attack vectors used to infect\r\nnon-desktop Linux machines:\r\n1. Vulnerability exploit: attackers will search for exploitable and unpatched publicly facing components in\r\norder to access systems. As an example, the attacker behind the NOTROBIN backdoor exploited CVE-2019-19781, a vulnerability in Citrix NetScaler, to spread the malware. The Asnarok trojan infection was\r\ninitiated after the attacker discovered and exploited a zero-day (SQL injection remote code execution) in\r\nSophos XG firewalls. Misconfigured services can also serve as an entry point for attackers. Kinsing\r\nmalware was spread after the attacker took advantage of misconfigured open Docker Daemon API ports.\r\n2. Use of valid credentials: default software credentials or compromised credentials. There are different\r\nmethods in which attackers can steal passwords, including password spraying, credential stuffing, and local\r\ndiscovery. Researchers believe the Cloud Snooper infection was initiated by an attacker accessing the\r\nservers through SSH, which is protected with password authentication.\r\n3. Trusted relationships abuse: attackers can leverage entry to third party organizations that have direct\r\naccess to the victim’s systems. These organizations may have only limited access to the parts of the victim’s infrastructure\r\nthat they maintain, but can still reside on the same network. For example, an attacker can breach an IT services\r\ncontractor to then target its clients after gaining valid credentials to these organizations.\r\nLinux Malware is Off the Radar\r\nIt’s not only new and sophisticated Linux malware that remains fully undetected by security vendors, but also\r\ncommon ones. Mirai is a prime example. 
Mirai is a DDoS botnet whose source code was released to the wild and\r\nmany botnet variants are now based on this code. All that was required for an attacker to bypass detection using\r\nthis particular Mirai sample was to make a few signature changes by obfuscating the file’s strings.\r\nThis sample was uploaded to VirusTotal in March and had zero detections. Since then, we’ve published a blog\r\npost which discusses the effectiveness of code reuse analysis vs. signature-based detection for detecting this\r\nmalware and other Linux threats. To this day, the file’s VirusTotal report lists only one detection.\r\nWhen it comes to investigating ELF malware, the current antivirus solutions are not reliable. That’s one of the\r\nreasons why it’s important to add analyzing ELF files to your skillset.\r\nIf you want to learn more about why traditional solutions do not detect ELF properly, check out this webinar\r\nprofiling the Linux threat landscape.\r\nThe Challenge with ELF File Analysis\r\nSo you have a suspicious ELF file that you want to analyze? Where do you start?\r\nThe internet is full of information about PE file analysis and there are also various easy-to-use tools and tutorials.\r\nHowever, when searching for information about ELF analysis, one can easily get lost. The shortage of relevant\r\nand unified information about analysis methodology, verdict determination, and malware evasion techniques,\r\ntogether with the lack of up-to-date open source tools can be frustrating.\r\nWe can list at least six publicly available sandboxes which support Windows PE files. However, currently there is\r\nno online sandbox solution available for executing ELF. The few Linux sandboxes out there—Limon, detux, and\r\nLiSa—require creating a sandbox instance and aren’t actively maintained. 
In this series we will present you with\r\nrelevant ELF analysis tools for performing both static and dynamic analysis.\r\nConclusion\r\nLinux is used broadly and the threat is both real and emerging. Winnti and Lazarus are just a few examples of APT\r\ngroups that have recently been documented using ELF in their malware toolset. Due to the lack of ELF malware\r\nvisibility, poor detection from security vendors, and the shortage of relevant publicly available resources about\r\nELF malware, we believe there are many unexposed Linux threats still waiting to be discovered.\r\nOur main goal in initiating this series is to unify a knowledge base and relevant tools for researchers to use when\r\nanalyzing ELF malware.\r\nComing Up\r\nIn the next article we will review the ELF format, its static artifacts, and explain how to practically leverage them\r\nin your malware analysis together with useful tools.\r\nHere’s what you’ll need for the next blog:\r\nMake sure you have a Linux virtual machine.\r\nOnce you’re set up with your Linux VM, you can read on to Part 1 here:\r\nPart 1 – Sections and Segments\r\nPart 2 – Symbols\r\nPart 3 – Relocations\r\nPart 4 – Dynamic Linking\r\nSource: https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
	],
	"report_names": [
		"elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
	],
	"threat_actors": [],
	"ts_created_at": 1775791306,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/656f08cd11d5191ee9d71e48b267e87b9be6da27.pdf",
		"text": "https://archive.orkl.eu/656f08cd11d5191ee9d71e48b267e87b9be6da27.txt",
		"img": "https://archive.orkl.eu/656f08cd11d5191ee9d71e48b267e87b9be6da27.jpg"
	}
}