Okusha Uhlaka lwe-malware lwe-Linux oluklanyelwe kusukela phansi ukuze lusetshenziswe efwini, abhapathizwe njengo I-VoidLinkIdonsela ukunaka kwabahlaziyi bezokuphepha ngenxa yezinga layo lobuchwepheshe, elifana ne- I-malware ye-Linux efihlakala kusetshenziswa io_uring futhi kusobala ukuthi igxile ezingqalasizinda zesimanje. Leli thuluzi, elaqala ukutholwa ngasekupheleni kuka-2025, alifani nemindeni yendabuko ye-malware: lisebenza njengepulatifomu ephelele yangemva kokuxhashazwa, eyenzelwe ukusebenza isikhathi eside ngaphandle kokuphakamisa izinsolo.
Ucwaningo olwenziwe yizinkampani ezifana ne-Check Point Research Bakhomba ukuthi i-VoidLink Kusesesigabeni sokuthuthuka esisebenzayo Kubonakala sengathi ihloselwe ukusetshenziswa kwezentengiselwano noma amakhasimende athile kakhulu, kunokuba kube yimikhankaso emikhulu. Nakuba kungekho ukutheleleka kwangempela okuqinisekisiwe kuze kube manje, imibhalo etholakalayo, ububanzi bamamojula, kanye nekhwalithi yekhodi kuyibeka phakathi kwezinsongo ze-Linux ezithuthuke kakhulu ezihlaziywe eminyakeni yamuva, ngokuhambisana nezehlakalo zangaphambilini ezifana nokuhlaselwa kwe-supply chain.
I-VoidLink: uhlaka lwe-malware oluklanyelwe ifu neziqukathi
I-VoidLink iziveza njenge- ukusetshenziswa kwe-cloud-first kwezinhlelo ze-LinuxYakhelwe ukusebenza ngokuzinzile ezingqalasizinda ezisekelwe efwini nasezindaweni zeziqukathi, lolu hlaka luhlanganisa ama-loaders enziwe ngokwezifiso, ama-implants, izingxenye ezifana ne-rootkit, kanye nohlu olubanzi lwama-plugins avumela opharetha ukuthi balungise amakhono abo ngokuya ngenhloso ngayinye kanye nesigaba sokusebenza.
Ingqikithi yesikhulumi yakhelwe ngokuyinhloko ku- izilimi ezifana ne-Zig, Go, kanye ne-CLokhu kwenza kube lula ukuphatheka kwayo kanye nokusebenza kwayo kuzo zonke izabelo eziningi. Ukwakheka kwangaphakathi kuzungeze i-plugin API eyimfihlo, ephefumulelwe izindlela ezifana ne-Cobalt Strike's Beacon Object Files, evumela ukulayisha amamojula kwimemori nokwandisa ukusebenza ngaphandle kwesidingo sokufaka ama-binary amasha isikhathi ngasinye.
Ngokusho kokuhlaziywa kobuchwepheshe, ukwakheka kwe-modular kwenza ukusebenza kwe-VoidLink kube nokwenzeka. ibuyekeziwe noma iguquliwe 'ngokushesha'Ukwengeza noma ukususa amakhono ngokwezidingo zomsebenzi: kusukela emisebenzini elula yokuhlola kuya emisebenzini eqhubekayo yobunhloli noma ukuhlaselwa okungenzeka kuchungechunge lokuhlinzeka.
Ukutholwa okuhlakaniphile kwabahlinzeki bamafu nezindawo ezizungezile
Elinye lamaphuzu akhathaza kakhulu ochwepheshe yikhono le-VoidLink lokwenza kanjalo. thola indawo lapho isebenza khonaI-implant ihlola ukuthi ingaphakathi kwesitsha se-Docker noma i-Kubernetes pod, futhi ibuza nge-instance metadata ukuze inqume umhlinzeki wefu ongaphansi.
Izinsizakalo eziqashelwa uhlaka zifaka: I-Amazon Web Services (AWS), i-Google Cloud Platform (GCP), i-Microsoft Azure, i-Alibaba Cloud kanye ne-Tencent CloudNjengoba izinhlelo sezivele zibonakala kukhodi yokwengeza ukuhambisana nabanye abahlinzeki njengeHuawei Cloud, DigitalOcean, noma iVultr, ivumelanisa ukuziphatha kwayo kanye namamojula ewasebenzisayo ngokusekelwe kulokho ekutholayo ukuze inciphise ukuvezwa.
Leli khono lokufaka iphrofayili liphinde lifinyelele ohlelweni lomsingathi: VoidLink Iqoqa ulwazi oluningiliziwe mayelana ne-kernel, i-hypervisor, izinqubo, kanye nesimo senethiwekhi.Iphinde ihlole ukuthi ikhona yini izixazululo ze-Endpoint Detection and Response (EDR), izindlela zokuqinisa i-kernel, kanye namathuluzi okuqapha angase aveze umsebenzi wayo, yingakho kunconywa ukuthi kusetshenziswe amathuluzi okuskena ama-rootkit ekuhlaziyweni kwezomthetho.
Ukwakhiwa kwesakhiwo se-modular kanye nesistimu ye-plugin ye-VoidLink
Ingqikithi yohlaka i- i-orchestrator ephakathi ephatha ukuxhumana komyalo nokulawula (C2) futhi isabalalisa imisebenzi kumamojula ahlukene. Ama-plugin amaningi, alayishwe ngqo kwimemori futhi asetshenziswe njengezinto ze-ELF ezisebenzisana ne-API yangaphakathi ngokusebenzisa izingcingo zesistimu, athembele kulo mgogodla.
Izinguqulo zihlaziye ukusetshenziswa phakathi kwama-plugin angu-35 no-37 ngokuzenzakalelayoLezi zici zihlelwe ngezigaba ezifana nokuhlola, ukunyakaza okuseceleni, ukuphikelela, ukulwa nokuphenya, ukuphathwa kwesitsha kanye nefu, kanye nokwebiwa kweziqinisekiso. Lesi sakhiwo senza i-VoidLink ibe yipulatifomu yangempela yangemva kokuxhashazwa kwe-Linux, ngokuhambisana namathuluzi ochwepheshe asetshenziswa ekuhlolweni kokungena.
Ukukhetha uhlelo lwe-plugin olusememori, kanye nokungabikho kwesidingo sokubhala ama-binary amasha kudiski ukuze wengeze amakhono, kuvumela kunciphisa kakhulu ukusabalala kwamaqembu azinikele futhi kwenza umsebenzi wabahlaziyi bezobunhloli kanye nezixazululo zokuthola ezisekelwe kumafayela ube nzima.
Iphaneli yewebhu yokulawula kude nokudalwa kokwakha
Abaqhubi be-VoidLink bane- iphaneli yokulawula efinyeleleka kuwebhuYakhiwe kusetshenziswa ubuchwepheshe besimanje njengeReact, le khonsoli ivumela abasebenzisi ukuphatha yonke impilo yokungena. Ibhalwe ngesiShayina, ivumela ukudalwa kwezinguqulo ezenziwe ngokwezifiso ze-implant, ukwabiwa kwemisebenzi, ukulayishwa nokulandwa kwama-plugin, kanye nokuphathwa kwamafayela ezinhlelweni ezisengozini.
Ngaleli phaneli, abahlaseli bangakwazi ukuhlela izigaba ezahlukene zokuhlaselaUkuhlola kokuqala kwendawo ezungezile, ukusungula ukuphikelela, ukunyakaza okuseceleni phakathi kwemishini, ukusetshenziswa kwamasu okubalekela, kanye nokususa iminonjana. Iphaneli ihlanganisa izinketho zokushintsha amapharamitha okusebenza ngokushesha, njengezikhawu zokuxhumana, izinga eliyimfihlo, noma izindlela zokuxhuma engqalasizinda yomyalo.
Le ndlela, eseduze nomkhiqizo wezohwebo kune-malware elula eyenzeka kanye kuphela, iqinisa umbono wokuthi i-VoidLink Kunganikezwa njengesevisi noma njengohlaka oludingekayo., esikhundleni sokuba ithuluzi lokusetshenziswa kweqembu elilodwa kuphela.
I-VoidLink isebenzisa iziteshi eziningi zomyalo nokulawula
Ukuze kuxhunyanwe nengqalasizinda yabahlaseli, i-VoidLink isebenzisa amaphrothokholi amaningana e-C2Lokhu kunikeza ukuguquguquka kokuzivumelanisa nezimo ezahlukene zenethiwekhi kanye namazinga okuqapha. Iziteshi ezisekelwayo zifaka phakathi i-HTTP ne-HTTPS yendabuko, i-WebSocket, i-ICMP, ngisho nemigudu engaphezu kwe-DNS.
Phezu kwalezi zinqubo ezivamile kubekwe ungqimba lokubethela kwalo, olwaziwa ngokuthi "I-VoidStream"Yakhelwe ukufihla ithrafikhi nokwenza ifane nezicelo zewebhu ezisemthethweni noma izingcingo ze-API, lokhu kufiphaza kwenza kube nzima ngezixazululo zokuphepha ezisekelwe kuthrafikhi ukuthola amaphethini angajwayelekile ngamasignesha alula.
Ngenxa yalokhu kuguquguquka, opharetha bangakhetha ukucushwa kokuxhumana okucashile kakhudlwanangokwandisa izikhawu zokukhanyisa noma ukusebenzisa iziteshi ezingavamile njenge-ICMP lapho indawo inendawo yokulawula inethiwekhi eqinile.
Ama-Rootkit kanye namasu okufihla athuthukile
I-VoidLink ifaka amamojula amaningana ane- imisebenzi ye-rootkit evumelaniswe ne-Linux kernel esebenza emshinini ophazamisekile. Kuye ngenguqulo kanye namakhono atholakalayo, ingasebenzisa amasu ahlukene ukufihla umsebenzi wayo: ukujova nge-LD_PRELOAD, amamojula e-kernel alayishwayo (LKM), noma ama-rootkit asekelwe ku-eBPF, njengoba kubonakala ezinsongweni zakamuva ezifana nokuthi i-rotajakiro, efihliwe njenge-systemd.
Lezi zingxenye zivumela fihla izinqubo, amafayela, amasokhethi enethiwekhi, ngisho ne-rootkit uqoboukunciphisa izimpawu ezibonakalayo zabaphathi namathuluzi okuqapha. Imojula efanele ikhethwa ngemva kokuhlaziya izici zesistimu, okwenza ngcono kokubili ukuhambisana nokusebenza.
Ngokuhlanganisa lawa masu nohlelo lokulayisha olusememori kanye nekhono lokusebenza ezindaweni zeziqukathi, uhlaka Iyakwazi ukugcina ubukhona obuyimfihlo kakhulu.ngisho nakumaseva anezinga eliphezulu lomsebenzi noma izinhlelo zokusebenza eziningi ezisebenza ngesikhathi esisodwa.
Ama-plugin e-VoidLink okuqashelwa, ukuphikelela, kanye nokunyakaza okuseceleni
Ngaphakathi kwekhathalogi ebanzi yama-plugin, lawo agxile kuwo ayagqama. ukuhlolwa kwemvelo kanye nokuqoqwa kolwaziLawa mamojula athola idatha mayelana nabasebenzisi, izinqubo ezisebenzayo, i-topology yenethiwekhi, izinsizakalo eziveziwe, kanye nezici zeziqukathi kanye nabahleli abakhona.
Amanye ama-plugin ahloselwe Ukugcina ukuqhubeka kwezinhlelo ze-LinuxLokhu kuhilela ukusebenzisa izindlela ezisukela ekusetshenzisweni kabi kwe-dynamic loader kuya ekudaleni imisebenzi ye-cron ehleliwe noma ukuguqula izinsizakalo zesistimu. Ngalezi zindlela, i-implant ingasinda ekuqalisweni kabusha kanye nezinguquko zokucushwa ezilinganiselayo ngaphandle kokudinga ukungena okwengeziwe.
Ngokuphathelene nokunyakaza okuseceleni, i-VoidLink ifaka phakathi amathuluzi okusakaza nge-SSHLeli khono livumela ukudalwa kwemigudu, ukudluliselwa kwamachweba, kanye nokusungulwa kwamagobolondo akude alula ukuxhumana okungenamthungo phakathi kwemishini. Leli khono libaluleke kakhulu ezingqalasizinda zaseYurophu ezinezakhiwo ze-microservices, lapho ama-node amaningi axhunywe nge-SSH kanye namanethiwekhi angaphakathi avamile.
Ukwebiwa kweziqinisekiso kanye nokugxila kubathuthukisi
Ingxenye ebalulekile yohlaka inikezelwe ku ukukhishwa kweziqinisekiso nezimfihloLokhu kufaka phakathi idatha evela kumasevisi efu kanye namathuluzi asetshenziswa nsuku zonke amaqembu okuthuthukisa nokusebenza. Ama-plugin okuqoqa angathola okhiye be-SSH, iziqinisekiso ze-Git, amathokheni okufinyelela, okhiye be-API, amaphasiwedi endawo, ngisho nedatha egcinwe iziphequluli zewebhu.
Lesi siqondiso sihlose ukuqinisekisa ukuthi opharetha be-VoidLink banazo inhloso ebalulekile yabathuthukisi, abaphathi bezinhlelo kanye nabasebenzi be-DevOpsUkufinyelela okuvame ukunikeza ukufinyelela ezindaweni zokugcina amakhodi ezibalulekile kanye namadeshibhodi okuphatha. Ngokombono waseYurophu, lolu hlobo losongo luhambisana nezimo zobunhloli bezimboni noma ukulungiselela ukuhlaselwa kweketanga lokuhlinzekwa kwesofthiwe.
Ngaphezu kwama-plugin okuqinisekisa, uhlaka luhlinzeka amamojula athile e-Kubernetes kanye ne-DockerLawa mathuluzi ayakwazi ukubala amaqoqo, ukubona ukungalungiselelwa kahle, ukuzama ukuphuma kweziqukathi, nokufuna izimvume eziningi. Ngale ndlela, ukufinyelela okulinganiselwe ekuqaleni kungaphenduka kube ukulawula okubanzi kakhulu endaweni yamafu yenhlangano.
Izindlela zokulwa nokucwaswa kwezomthetho kanye nokugwema okuzenzakalelayo
I-VoidLink ayifuni nje kuphela ukungena ngaphakathi, kodwa futhi ifuna nokungena ngaphakathi. sula umkhondo wezenzo zaboAma-plugin ayo alwa nobugebengu ahlanganisa imisebenzi yokuhlela noma yokususa okufakiwe kwelogi, ukuhlanza umlando wegobolondo, kanye nokulawula izitembu zesikhathi zamafayela (i-timestomping), okwenza ukuhlaziya okulandelayo kwalokho okwenzekile kube nzima kakhulu.
I-implant ihlanganisa futhi izindlela zokuvikela ukuhlaziywa nokuhlanzaIngakwazi ukubona ukuthi kukhona abalungisi bezinkinga kanye namathuluzi okuqapha athuthukile, ihlole ubuqotho bekhodi yayo, futhi ithole ama-hook angaba khona abonisa ukuthi iyaqashwa. Uma ibona izimpawu zokuphazanyiswa, ingazibhubhisa futhi iqalise imikhuba yokuhlanza esusa amafayela kanye nezimpawu zomsebenzi wayo.
Esinye isici esiphawuleka kakhulu ukusetshenziswa ikhodi eziguqula ngokwayo ngokubethela kwesikhathi sokusebenzaIzingxenye ezithile zohlelo ziyasuswa ekubhaleni kuphela uma kudingeka futhi ziphinde zibhalwe phansi uma zingasetshenziswa, okwenza umsebenzi wezixazululo zokuhlaziya inkumbulo ube nzima futhi kuncishiswe ifasitela lapho okuqukethwe okunonya kubonakala khona kumbhalo ocacile.
Ukuhlolwa kwengozi okusekelwe ezivikelweni ezifakiwe
Uhlaka lusebenza ukuqoshwa okuphelele kwendawo yokuphepha kumshini ngamunye othintekile. Ibala imikhiqizo yokuvikela efakiwe, ubuchwepheshe bokuqinisa i-kernel, kanye nezinyathelo zokuqapha, futhi kusukela kulolo lwazi kubalwa uhlobo lwesilinganiso sengozi esiqondisa ukuziphatha kwayo.
Uma ithola ukuthi uhlelo luvikelwe kakhulu, i-VoidLink ingakwazi yehlisa ijubane lemisebenzi ethilenjengokuskena kwe-port noma ukuxhumana neseva ye-C2, bese ukhetha amasu anomsindo omncane. Ezindaweni ezibhekwa njengengozi ephansi, uhlaka lungasebenza ngamandla kakhulu, lubeka phambili isivinini kunesinyenyela esiphelele.
Leli khono lokuzivumelanisa nezimo lihambisana ngokuzenzakalelayo nomgomo oshiwoyo we zenze imisebenzi yokugwema ibe ngokuzenzakalelayo ngangokunokwenzekaokuvumela opharetha ukuthi bachithe isikhathi esiningi benquma ngezinhloso kanye nesikhathi esincane sokulungisa mathupha imingcele yezobuchwepheshe yendawo ngayinye ethile.
Umsuka we-VoidLink kanye nokunikezwa kwephrojekthi
Ubufakazi obuqoqwe ngabahlaziyi bubonisa ukuthi Kubikwa ukuthi iVoidLink yathuthukiswa yithimba elikhuluma isiShayinaIndawo yesikhombikubona sephaneli yewebhu, amazwana athile kukhodi, kanye nokulungiswa okubonwe kukhomba kulolo hlangothi, yize, njengoba kuvamile kulolu hlobo locwaningo, akuyona into eqondile.
Ikhwalithi yentuthuko, ukusetshenziswa kwezilimi eziningi zesimanje, kanye nokuhlanganiswa kwezinhlaka zewebhu zamanje kusikisela Izinga eliphezulu lolwazi lokuhlela kanye nolwazi olujulile ngobunzima bezinhlelo zokusebenzaKonke lokhu kuqinisa umqondo wokuthi iphrojekthi idlula ukuhlolwa okuhlukile futhi isondela epulatifomu yobungcweti egcinwa isikhathi eside.
Ngesikhathi esifanayo, iqiniso lokuthi azikabhalwa phansi imikhankaso yokutheleleka esebenzayo enkulu Lokhu kusekela umbono wokuthi uhlaka lusesigabeni sokuhlola, lunikezwa ngaphansi kwamamodeli okufinyelela anqunyelwe kakhulu, noma lusetshenziswa kuphela emisebenzini eqondiswe kakhulu, okwenza kube nzima ukuyithola eYurophu nakwezinye izifunda.
Ukuvela kweVoidLink kuqinisekisa lokho Ubuchwepheshe bokuhlonza i-malware eqondiswe ku-Linux nasezindaweni zamafu buthuthuka ngokushesha.Isondela ezingeni lamamodeli avuthiwe ayebonakala kakhulu kumathuluzi okuhlasela e-Windows kuze kube muva nje. Ukwakhiwa kwayo kwe-modular, ukugcizelela ekugwemeni okuzenzakalelayo, kanye nokugxila ezitifiketini naseziqukathini kwenza kube usongo lokuthi noma iyiphi inhlangano enengqalasizinda esekelwe efwini, kokubili eSpain nakwamanye amazwe aseYurophu, kumele iluthathe ngokungathi sÃna kakhulu.
