Full Report
A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory. [...]
Analysis Summary
# Tool/Technique: Koske Linux Malware
## Overview
Koske is a sophisticated, C-based rootkit that targets Linux systems. Its core functionality centers on stealth, persistence, and using compromised hosts to mine a range of cryptocurrencies. Its most distinctive feature is the way it is delivered: the malicious payload is hidden inside seemingly benign image files (the article specifically mentions "cute panda images").
## Technical Details
- Type: Malware family (Rootkit/Cryptominer)
- Platform: Linux
- Capabilities: Process/file hiding via rootkit techniques, automated cryptomining for multiple coins, adaptive C2 fallback, system capability assessment (CPU/GPU check).
- First Seen: Not explicitly provided in the text.
## MITRE ATT&CK Mapping
*Note: Specific TIDs are inferred based on described behavior, as the article does not explicitly map them.*
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Persistence mechanisms are established after initial deployment.
- **TA0005 - Defense Evasion**
  - T1036 - Obfuscated Files or Information
  - T1036.005 - Match Legitimate Name or Location (Implied by hiding within images)
  - T1057 - Process Discovery
  - T1057.002 - System/User Process Discovery (Bypassed via process hiding)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Used for downloading miners)
- **TA0008 - Lateral Movement / TA0010 - Exfiltration (Implied Goal: Resource Hijacking)**
  - T1496 - Resource Hijacking (Cryptomining)
## Functionality
### Core Capabilities
- **Rootkit Functionality:** Implemented in C, compiled in memory for stealth.
- **Process/File Hiding:** Uses `LD_PRELOAD` to override the libc `readdir()` function (not a kernel system call, so a purely userland hook), which hides the malware's processes, files, and directories from user-space monitoring tools that rely on directory listings.
- **Hidden Artifacts:** Hides directory entries whose names contain strings such as "koske" or "hideproc," and reads the list of PIDs to hide from `/dev/shm/.hiddenpid`.
- **Cryptomining:** Downloads cryptominers from GitHub after achieving persistence.
### Advanced Features
- **Adaptive Mining:** Evaluates the host's CPU and GPU to select the most efficient miner.
- **Multi-Coin Support:** Supports mining for at least 18 different coins, including Monero, Ravencoin, Zano, Nexa, and Tari.
- **Automated Fallback:** Automatically switches to a backup mining coin or pool if the primary targets become unavailable.
- **Steganography (Initial Infection):** Hides within image files (specifically mentioned: "cute panda images").
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided, potential filenames related to mining binaries]
- Registry Keys: [Not applicable for standard Linux installations, persistence mechanisms likely involve startup scripts or cron jobs]
- Network Indicators: [C2 download/mining pool domains not specified; mention of downloading from GitHub]
- Behavioral Indicators:
  - Use of `LD_PRELOAD` to hook standard system libraries.
  - Attempts to read or access the file `/dev/shm/.hiddenpid`.
  - System resource utilization (high CPU/GPU load) associated with cryptocurrency mining processes.
## Associated Threat Actors
- Not explicitly named in the provided excerpt, but the description labels it as "AI-powered malware," suggesting advanced development efforts.
## Detection Methods
- Signature-based detection: [Not provided]
- Behavioral detection: Monitoring for unauthorized use of `LD_PRELOAD` (or entries in `/etc/ld.so.preload`) that load libraries hooking libc functions such as `readdir()`, and cross-checking process lists obtained through different means, since a `readdir()` hook hides entries from directory listings but not from direct lookups by PID. Detecting sudden, unexplained CPU/GPU load consistent with cryptomining.
- YARA rules: [Not provided]
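The behavioral checks above, as an added host-side hunting script (example code written for this summary, not part of the original article or any published Koske detection): a `readdir()` hook removes entries from `/proc` listings, but `/proc/<pid>` can still be opened by number, so probing PIDs directly exposes hidden processes; the script also flags `LD_PRELOAD` in process environments, non-comment entries in `/etc/ld.so.preload`, and the presence of `/dev/shm/.hiddenpid`. It assumes a Linux host with a readable `/proc`; unreadable environments (other users' processes when not root) are skipped rather than reported.

```python
"""Hunt for the LD_PRELOAD/readdir() hiding described above: a hooked readdir()
drops entries from listings, but /proc/<pid> still opens by number, so probing
PIDs directly exposes hidden processes. Added example, not the article's code."""
import os

def find_hidden_pids(listed_pids, pid_exists, max_pid):
    """PIDs that exist (per pid_exists) but are missing from the directory listing."""
    listed = set(listed_pids)
    return sorted(p for p in range(1, max_pid + 1) if p not in listed and pid_exists(p))

def parse_environ(blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE) into a dict."""
    pairs = (item.partition(b"=") for item in blob.split(b"\0") if b"=" in item)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}

def preload_findings(ld_so_preload_text, environs):
    """Flag /etc/ld.so.preload entries and LD_PRELOAD in any process environment."""
    findings = [f"/etc/ld.so.preload loads {l.strip()}" for l in ld_so_preload_text.splitlines()
                if l.strip() and not l.strip().startswith("#")]
    for pid, blob in environs.items():
        env = parse_environ(blob)
        if "LD_PRELOAD" in env:
            findings.append(f"pid {pid} runs with LD_PRELOAD={env['LD_PRELOAD']}")
    return findings

def read_or_empty(path, mode="r"):
    """Read a file, returning empty content if it is absent or unreadable."""
    try:
        with open(path, mode) as fh:
            return fh.read()
    except OSError:
        return "" if mode == "r" else b""

def scan_live_host():
    """Run every check against this Linux host's /proc (root needed for full coverage)."""
    listed = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    pid_max = int(read_or_empty("/proc/sys/kernel/pid_max") or 4194304)  # kernel default fallback
    hidden = find_hidden_pids(listed, lambda p: os.path.exists(f"/proc/{p}/stat"), pid_max)
    environs = {p: read_or_empty(f"/proc/{p}/environ", "rb") for p in listed + hidden}
    report = preload_findings(read_or_empty("/etc/ld.so.preload"), environs)
    report += [f"pid {p} exists but is hidden from readdir()" for p in hidden]
    if os.path.exists("/dev/shm/.hiddenpid"):  # PID list the rootkit reads, per the report
        report.append("/dev/shm/.hiddenpid is present")
    return report

if __name__ == "__main__":
    for line in scan_live_host() or ["no indicators found"]:
        print(line)
```

Probing every PID up to `pid_max` (4194304 on most 64-bit kernels) takes a few seconds; a hit from `find_hidden_pids` on a quiet host is a strong signal, since ordinary process churn only produces PIDs that appear in both views.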
## Mitigation Strategies
- Prevention measures: Robust host-based intrusion detection systems capable of monitoring system call hooking.
- Hardening recommendations: Adhering to Linux security best practices; restricting library preloading where possible.
- Specific Mitigation: Since it uses `LD_PRELOAD` to hook `readdir()`, strong runtime monitoring tools or kernel-level security mechanisms that detect unauthorized library injection are critical.
## Related Tools/Techniques
- Other Linux rootkits that utilize dynamic library preloading.
- Known Linux cryptojacking malware families.
- **LD_PRELOAD:** The technique used for primary defense evasion.