Article Details

Scrape Timestamp (UTC): 2026-01-14 20:46:06.448

Source: https://www.theregister.com/2026/01/14/voidlink_linux_malware/

Original Article Text

New Linux malware targets the cloud, steals creds, and then vanishes

Cloud-native, 37 plugins … an attacker's dream

A brand-new Linux malware named VoidLink targets victims' cloud infrastructure with more than 30 plugins that allow attackers to perform a range of illicit activities, from silent reconnaissance and credential theft to lateral movement and container abuse.

When VoidLink detects tampering or malware analysis on an infected machine, it can delete itself and invoke anti-forensics modules designed to remove traces of its activity.

In December, Check Point Research discovered the previously unseen malware samples, written in Zig for Linux and appearing to originate from a Chinese-affiliated development environment with a command-and-control interface localized for Chinese operators. The developers referred to it internally as "VoidLink," and the samples seemed to indicate an in-progress malware framework rather than a finished tool.

"The framework's intended use remains unclear, and as of this writing, no evidence of real-world infections has been observed," the research team said in a Tuesday report. "The way it is built suggests it may ultimately be positioned for commercial use, either as a product offering or as a framework developed for a customer."

It's especially notable for two things. First, VoidLink is specifically designed to run in Linux-based cloud environments. After infecting a victim's machine, it scans for and detects AWS, Google Cloud Platform, Microsoft Azure, Alibaba, and Tencent, and its developers plan to add detections for Huawei, DigitalOcean, and Vultr. While malware operators have traditionally focused on Windows-based systems, VoidLink's cloud-first focus is significant.

Government agencies, global enterprises, critical infrastructure, and other high-value attack targets increasingly run on cloud-based services and host their most sensitive systems in the cloud, so malware that hunts for infected machines' public cloud providers is likely to reap bigger rewards for government-sponsored spies as well as financially motivated ransomware gangs.

In addition to its cloud-detection capabilities, VoidLink is notable for its custom loaders, implants, rootkits, and numerous modules that provide attackers with a whole range of stealthy operational-security capabilities, making it "far more advanced than typical Linux malware," according to Check Point.

The framework includes multiple kernel-level rootkits and chooses which one to deploy based on the environment where it runs. VoidLink also uses the rootkits to hide its processes, files, network sockets, and the rootkit modules themselves. It uses a custom API, which the threat hunters describe as very similar to and likely inspired by Cobalt Strike's Beacon API. And it has at least 37 plugins (all of which are detailed in Check Point's analysis, so give that a read) that the developers organize by category. Some of these capabilities include:

"The framework is designed for long-term access, surveillance, and data collection rather than short-term disruption," Check Point Research said in a subsequent blog about VoidLink. "Its design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers, raising the stakes for defenders who may never realize their infrastructure has been quietly taken over."

Daily Brief Summary

MALWARE // New VoidLink Malware Targets Linux Cloud Environments with Stealthy Tactics

Check Point Research has identified VoidLink, a new Linux malware targeting cloud infrastructures, featuring over 30 plugins for credential theft, lateral movement, and container abuse.

VoidLink is built in Zig and originates from a Chinese-affiliated development environment, with a command-and-control interface localized for Chinese operators.

The malware is designed to operate in Linux-based cloud environments, detecting AWS, Google Cloud Platform, Microsoft Azure, Alibaba, and Tencent, with plans to expand detection capabilities.

It features advanced operational-security capabilities, including custom loaders, implants, and kernel-level rootkits, making it more sophisticated than typical Linux malware.

VoidLink can self-delete and invoke anti-forensics modules to erase traces if tampering or analysis is detected, complicating detection and response efforts.

The framework's design suggests long-term access and data collection, indicating potential use by professional threat actors rather than opportunistic attackers.

No real-world infections have been observed yet, but its cloud-first focus poses significant risks to government agencies, enterprises, and critical infrastructure.