For years, many have believed that Linux systems are less prone to attacks compared to other platforms. But recent developments paint a different picture. In 2023, a TechJury report revealed that over 1.9 million Linux threats were detected in the previous year – a staggering 50% year-over-year increase. Meanwhile, another study found a 62% rise in Linux ransomware attack attempts between Q1 2022 and Q1 2023. This escalation has continued into 2024.
In this blog post, we examine why attackers are increasingly setting their sights on Linux and highlight three evasive Linux malware strains that made headlines in 2024: the stealthy Perfctl, and the Linux backdoors WolfsBane and FireWood.
Why malicious actors are turning their attention to Linux
Linux systems are becoming increasingly attractive to threat actors, because Linux is now too valuable to ignore. Here’s why:
1. Widespread adoption in modern IT infrastructure
Linux powers vast portions of today’s infrastructure and is crucial to the business operations of countless organisations. It dominates cloud computing, powers enterprise servers, and is integral to IoT devices and industrial control systems. More recently, it has become the preferred operating system for AI workloads. Major AI frameworks such as TensorFlow and PyTorch are optimised for Linux, and cloud providers rely on Linux servers to support high-performance computing (HPC) and GPU-intensive tasks. The more pervasive Linux becomes, the greater the attack surface for adversaries, who are tailoring malware to these ecosystems.
2. Perception of security: a double-edged sword
Unlike Windows, which has long been the primary focus of cybersecurity efforts, Linux has historically been viewed as “more secure”. While Linux does have strong security mechanisms, this perception has led many organisations to underinvest in dedicated security solutions, leaving their Linux environments underprotected. Malicious actors are aware of this and they are exploiting these blind spots in security monitoring and detection mechanisms.
3. Advances in Windows security are pushing attackers elsewhere
Microsoft is improving Windows security with features like kernel-level protections, advanced Endpoint Detection and Response (EDR) solutions, and the Secure Future Initiative. As Windows becomes harder to exploit, malicious actors are shifting their focus to Linux, where security solutions are often less mature and defences are more fragmented.
4. High-value targets rely on Linux-based workloads
Many critical business systems now run on Linux, including databases, cloud-based services, and enterprise applications. Compromising these systems can give attackers access to customer data, financial records, cloud management credentials, and intellectual property, making them lucrative targets for financially motivated cybercriminals and nation-state actors.
With attackers refining their methods and Linux becoming an increasingly appealing target, organisations must be prepared. The following sections explore three evasive Linux malware strains discovered in 2024: Perfctl, WolfsBane, and FireWood. Understanding how these threats operate can help security teams assess their current security strategies and take the necessary steps to ensure their environments are adequately protected against Linux-targeted cyber attacks.
Evasive Linux malware observed in the wild in 2024
Recent discoveries reveal that adversaries are not only increasing their focus on Linux but also deploying advanced evasion techniques, making their malware harder to detect and remove. Three names stood out in 2024: Perfctl, WolfsBane, and FireWood.
Perfctl: A stealthy malware putting Linux servers at risk
Overview: What is Perfctl?
Perfctl is sophisticated malware targeting Linux servers that was publicly documented in October 2024. Although it had been active for several years, it remained largely undetected thanks to its evasion techniques. Perfctl reportedly exploits more than 20,000 types of misconfigurations and vulnerabilities in Linux systems to gain initial access. Built around evasion and persistence, it is a versatile threat that can act as a loader, a proxy and a cryptominer.
Evasion techniques: How Perfctl evades detection
- Rootkit deployment: Perfctl drops a userland rootkit that abuses LD_PRELOAD so that its library is loaded into dynamically linked programs before other libraries, letting it intercept libc calls and hide its files and processes from standard tools.
- Trojanised utilities: It also replaces common Linux utilities such as ldd, top, crontab and lsof with modified versions that omit its artefacts from their output, effectively acting as userland rootkits.
- Process masquerading: The malware copies itself to multiple locations under innocuous names so that it blends in with legitimate system processes.
- Activity suspension: It stops all "noisy" activities when a user logs in, remaining dormant until the server is idle again.
- Binary manipulation: All binaries are packed, stripped, and obfuscated to bypass defence mechanisms and hinder reverse engineering attempts.
- Communication obfuscation: It uses Tor for its command-and-control communications, which hides the operators' real infrastructure and encrypts the traffic, making it hard to inspect or trace.
Real-world implications: The impact of Perfctl
- Widespread infection: According to reports, Perfctl has likely infected thousands of Linux servers, with millions more potentially at risk.
- Resource hijacking: Infected systems are used for unauthorised cryptomining and proxyjacking, driving up power consumption and degrading performance.
- Data security risks: The malware has credential harvesting and keylogging capabilities that let it capture sensitive information, and it opens a backdoor on infected servers, facilitating unauthorised access and data exfiltration.
- Persistence: Removing Perfctl is challenging, as it uses mechanisms to ensure persistence, even after primary payloads are detected and removed.
Detection and mitigation
- Keep all Linux operating system and software up-to-date with the latest security patches.
- Restrict file execution and disable unused services to reduce the attack surface.
- Ensure exposed services are properly configured to prevent exploitation through misconfigurations.
- Implement Role-Based Access Control (RBAC) to limit access to critical files.
- Implement network segmentation and monitor for unusual outbound connections, especially to the Tor network.
- Look for unusual spikes in CPU usage, especially during idle times, and unexpected system slowdowns.
- Use security tools that provide visibility into Linux runtime environments.
- Continuously monitor for suspicious system behaviour, and file and process integrity.
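The shell functions below, added here as an example and not taken from the original post or from the Perfctl research, implement the host-side checks behind these recommendations: preload hooks, processes hidden from ps, trojanised utilities and connections to Tor relays. The preload check is the same one that applies to the /etc/ld.so.preload technique WolfsBane uses. The file names, the relay list format and all sample data are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not code from the original post or from the Perfctl research):
# host triage helpers for the indicators described above. Each function takes
# explicit paths so it can run against "/", a mounted disk image, or a
# constructed test tree. Names, paths and sample data are assumptions.

# 1. Preload hooks. Every library listed in /etc/ld.so.preload (or exported via
#    LD_PRELOAD from a login file) is mapped into each dynamically linked process
#    before libc, which is how a userland rootkit intercepts calls such as
#    readdir() and stat(). A clean server normally has an empty or absent file.
check_preload() {                  # check_preload ROOT -> 0 clean, 1 findings printed
    root=$1 rc=0
    f="$root/etc/ld.so.preload"
    if [ -f "$f" ] && grep -v '^[[:space:]]*#' "$f" | grep -q '[^[:space:]]'; then
        echo "ld.so.preload is active: $(grep -v '^[[:space:]]*#' "$f" | tr '\n' ' ')"
        rc=1
    fi
    for f in "$root/etc/environment" "$root/etc/profile" "$root"/etc/profile.d/*.sh \
             "$root/root/.bashrc" "$root/root/.profile"; do
        [ -f "$f" ] && grep -q 'LD_PRELOAD=' "$f" && { echo "LD_PRELOAD set in $f"; rc=1; }
    done
    return $rc
}

# 2. Hidden processes. A hooked readdir() drops a PID from ps/top output, but the
#    /proc/<pid> directory is still there. Compare a raw walk of /proc with what
#    the (possibly trojanised) ps reports. Live use:
#        ps -eo pid= > /tmp/ps.txt && hidden_pids /proc /tmp/ps.txt
#    Short-lived processes show up as false positives; repeat and keep recurring PIDs.
hidden_pids() {                    # hidden_pids PROCDIR PSFILE -> prints "pid comm" per hidden PID
    procdir=$1 psfile=$2
    for d in "$procdir"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        grep -qx " *$pid" "$psfile" && continue
        name='?'
        [ -r "$d/comm" ] && name=$(cat "$d/comm")
        echo "$pid $name"
    done
}

# 3. Trojanised utilities. Perfctl swaps in its own ldd, top, crontab and lsof.
#    Check the installed binaries against hashes from a trusted source (a clean
#    image, or dpkg -V / rpm -Va run from rescue media), not the suspect host's
#    own package database, and run the check from a statically linked busybox or
#    a live CD if ld.so.preload is active, since sha256sum is hookable too.
verify_baseline() {                # verify_baseline ROOT BASELINE -> sha256sum -c exit status
    # BASELINE holds "sha256  relative/path" lines as written by sha256sum; pass an absolute path.
    (cd "$1" && sha256sum -c --quiet "$2")
}

# 4. Tor command-and-control. Tor relays listen on arbitrary ports (443 is common),
#    so port-based rules miss them. Instead join the peer addresses of live TCP
#    connections (ss -tn output) against a current relay address list, such as
#    one exported from the Tor Project's relay search. IPv4 peers are assumed.
tor_connections() {                # tor_connections SSFILE RELAYFILE -> prints "relay_ip <ss line>"
    awk 'NR == FNR { relay[$1] = 1; next }               # first file: one relay IP per line
         FNR > 1  { peer = $5; sub(/:[0-9]+$/, "", peer)  # second file: ss -tn, skip header
                    if (peer in relay) print peer, $0 }' "$2" "$1"
}
```

On a live host, source the file and run check_preload /, ps -eo pid= > /tmp/ps.txt && hidden_pids /proc /tmp/ps.txt, verify_baseline / /root/baseline.sha256 and ss -tn > /tmp/ss.txt && tor_connections /tmp/ss.txt relays.txt. All four are heuristics: an empty result does not prove the host is clean, and a trojanised userland can lie to every one of them, which is why the binaries should be taken from trusted media when a compromise is suspected.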
WolfsBane and FireWood: Linux backdoors used by APT groups
Overview: What are WolfsBane & FireWood?
WolfsBane and FireWood are advanced Linux backdoor malware strains discovered in late 2024.
- WolfsBane: A Linux counterpart to the Gelsevirine Windows backdoor, WolfsBane combines a dropper, a launcher and a backdoor, enabling persistent system access, stealthy command execution and data exfiltration. It has been attributed with high confidence to the Gelsemium Advanced Persistent Threat (APT) group.
- FireWood: Linked to the Project Wood malware, FireWood is a backdoor implant with similar espionage functionality. Although discovered at the same time, FireWood is attributed to Gelsemium only with low confidence; it is suspected to be a tool shared among several Chinese APT groups.
Evasion techniques: How WolfsBane & FireWood evade detection
- Rootkits: WolfsBane uses a modified version of the open-source BEURK userland rootkit, loaded through /etc/ld.so.preload, to hook standard C library functions (e.g., open, stat, readdir) and filter its own files and processes out of their results, while FireWood employs a kernel-level rootkit, a module named usbdev.ko, for process hiding.
- Indicator removal: WolfsBane removes itself from disk after establishing persistence, and its dropper deletes itself after execution to remove evidence of its presence. FireWood includes a command to alter file metadata (MAC times), making it harder to trace its activity on a timeline.
- Hidden artifacts: Both malware strains are installed in hidden folders, making their detection challenging for system administrators.
- File permission modification: WolfsBane changes file permissions with chmod so that its dropped executables can run without restriction.
- Obfuscation: The WolfsBane dropper compresses and embeds its payloads, complicating analysis and reverse engineering efforts.
- Masquerading: Malware components are named to resemble legitimate files or placed in directories associated with trusted software, such as /usr/lib/libselinux.so.
Real-world implications: The impact of WolfsBane & FireWood
- Long-term access: WolfsBane & FireWood enable attackers to maintain persistent control over infected systems, posing long-term threats.
- Cyber-espionage: These tools facilitate prolonged intelligence gathering by exfiltrating sensitive data from compromised systems.
- Geographical focus: Samples have been observed in Taiwan, the Philippines and Singapore, indicating a focus on East and Southeast Asia.
- Expanding threat landscape: This discovery reflects a broader trend of APT groups increasingly targeting Linux systems.
Detection and mitigation
- Keep Linux operating system and applications up-to-date with the latest security patches.
- Implement strong web application security measures to prevent initial access, as the attackers most likely gained their foothold by exploiting a web application vulnerability.
- Enable and properly configure SELinux to enforce mandatory access control (MAC) policies, and alert on changes to its configuration, as WolfsBane attempts to disable it during installation.
- Use threat detection tooling that covers kernel integrity monitoring and defence-evasion techniques, including rootkit activity.
- Monitor for suspicious kernel module artifacts (for example, a module present in /sys/module but absent from /proc/modules, or a kernel tainted by an unsigned or out-of-tree module) and for hidden processes, both of which indicate active rootkit concealment.
- Implement network segmentation and monitor for unusual outbound connections, especially to command and control servers.
- Regularly scan for and remove any suspicious processes or files, particularly in autostart locations.
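The shell functions below, added here as an example and not taken from the original post or from the WolfsBane/FireWood research, cover the artifacts this list refers to: a kernel module hidden from /proc/modules, kernel taint flags, dot-prefixed directories under system paths, library files no package owns, and SELinux being switched off. Apart from the usbdev.ko name from the report, all paths and sample data are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not code from the original post or from the WolfsBane/FireWood
# research): checks for the artifacts the mitigation list above refers to.
# Paths are parameters so the functions run against "/" or a constructed tree;
# sample names other than usbdev.ko are assumptions for illustration.

# 1. Hidden kernel modules. A rootkit module that unlinks itself from the kernel's
#    module list disappears from /proc/modules and lsmod, but its sysfs directory
#    usually stays behind. Only dynamically loaded modules get
#    /sys/module/<name>/initstate (built-ins only expose parameters), so an entry
#    with initstate that /proc/modules does not list is a strong rootkit indicator.
hidden_modules() {                 # hidden_modules PROC_MODULES SYS_MODULE_DIR -> prints names
    procmods=$1 sysdir=$2
    for d in "$sysdir"/*; do
        [ -f "$d/initstate" ] || continue
        name=${d##*/}
        grep -q "^$name " "$procmods" || echo "$name"
    done
}

# 2. Kernel taint flags. Loading an out-of-tree or unsigned module sets bits 12 and
#    13 of /proc/sys/kernel/tainted, and hiding the module afterwards does not clear
#    them. Bit meanings follow Documentation/admin-guide/tainted-kernels.rst.
decode_taint() {                   # decode_taint VALUE -> one "bit N: reason" line per set bit
    v=$1 bit=0
    set -- proprietary_module forced_load out_of_spec_cpu forced_unload machine_check \
           bad_page userspace_request oops_or_bug acpi_override warning staging_driver \
           firmware_workaround out_of_tree_module unsigned_module soft_lockup \
           live_patched aux_taint struct_randomized in_kernel_test
    for name in "$@"; do
        [ $(( (v >> bit) & 1 )) -eq 1 ] && echo "bit $bit: $name"
        bit=$((bit + 1))
    done
    return 0
}

# 3. Hidden directories under system paths. Dot-prefixed directories are normal in
#    home directories but rare under /usr/lib or /etc; /usr/lib/.build-id (debuginfo
#    links on RPM systems) is the one common legitimate case and is skipped.
hidden_dirs() {                    # hidden_dirs ROOT -> prints dot-directories found
    root=$1
    for base in usr/lib usr/lib64 usr/local/lib usr/share etc tmp var/tmp dev/shm; do
        [ -d "$root/$base" ] && find "$root/$base" -maxdepth 3 -type d -name '.*' \
            ! -name .build-id -print
    done
    return 0
}

# 4. Files in library directories that no package owns. A masquerading component
#    such as a fake /usr/lib/libselinux.so is absent from the package manager's
#    file list. OWNEDLIST is one absolute path per line, built on a trusted host
#    or from rescue media ("dpkg -L" over all packages, or "rpm -qal").
unowned_files() {                  # unowned_files DIR OWNEDLIST -> prints files absent from OWNEDLIST
    find "$1" -maxdepth 1 -type f | while read -r f; do
        grep -qxF "$f" "$2" || echo "$f"
    done
}

# 5. SELinux must be enforcing both now and at boot. WolfsBane edits the config
#    to turn it off, so treat any change to /etc/selinux/config as an alert.
selinux_enforcing() {              # selinux_enforcing ROOT -> 0 if enforcing at runtime and in config
    root=$1 rc=0
    if [ "$(cat "$root/sys/fs/selinux/enforce" 2>/dev/null)" != 1 ]; then
        echo "SELinux not enforcing at runtime"; rc=1
    fi
    grep -qx 'SELINUX=enforcing' "$root/etc/selinux/config" 2>/dev/null \
        || { echo "SELinux not set to enforcing in config"; rc=1; }
    return $rc
}
```

On a live host: hidden_modules /proc/modules /sys/module, decode_taint "$(cat /proc/sys/kernel/tainted)", hidden_dirs /, unowned_files /usr/lib owned.txt and selinux_enforcing /. A module that also deletes its sysfs kobject will slip past the first check, so a non-zero taint value on a host that never loads third-party modules is worth investigating on its own.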
The Linux threat landscape continues to evolve – security should too
Linux is already a dominant force in enterprise environments, and its adoption is set to grow further. With this growth comes an increasing number of Linux-targeted threats – and Perfctl, WolfsBane, and FireWood illustrate how evasive Linux malware can be.
Understanding how the Linux threat landscape is evolving is key to strengthening defences. By doing so, organisations can take proactive steps to enhance their security posture and safeguard their Linux environments against emerging risks.
For more insights and expert guidance on securing your Linux workloads, contact us.