Is 2020 the Year of the Linux Malware Pandemic?

Because of its reputation for security, Linux is often viewed as less vulnerable to the threats that regularly affect Microsoft Windows systems. Much of this perceived security comes from the relatively small number of Linux systems, but cyber criminals are starting to see value in choosing quality over quantity.

The Linux threat landscape is changing

Security researchers at companies like Kaspersky and BlackBerry, as well as federal agencies like the FBI and NSA, warn that malware authors are increasingly focusing on Linux.

The operating system is now recognized as a gateway to valuable data such as trade secrets, intellectual property, and personal information. Linux servers can also be used as a staging point for infecting larger networks with Windows, macOS and Android devices.

Even if the operating system is not running on your desktop or laptop, your data is likely to be exposed to Linux sooner or later. Your cloud storage, VPN, and email providers, as well as your employer, health insurer, government service provider, or university are almost certainly running Linux as part of their networks, and the chances are that you own a Linux-based Internet of Things (IoT) device now or will in the future.

Several threats have been revealed in the past 12 months. Some are known Windows malware ported to Linux, while others have sat undetected on servers for nearly a decade, showing how much security teams have underestimated the risk.

Many system administrators may assume that their organization is not important enough to be a target. Even if your network isn't a big deal, your suppliers or customers might prove more enticing, and gaining access to your system through a phishing attack, for example, can be a first step in infiltrating their network. So it's worth checking out how to protect your system.

Linux malware discovered in 2020

Here is our roundup of the threats identified over the past year.

RansomEXX trojan

Kaspersky researchers announced in November that this Trojan had been ported to Linux as an executable file. The victim is left with files encrypted with 256-bit AES encryption and instructions on how to contact the malware authors to recover their data.

The Windows version attacked a few key targets in 2020, including Konica Minolta, the Texas Department of Transportation, and the Brazilian judicial system.

RansomEXX is specifically tailored for each victim, with the organization name appearing in both the encrypted file extension and the email address on the ransom note.


Gitpaste-12

Gitpaste-12 is a new worm that infects x86 servers and IoT devices on Linux. It gets its name from its use of GitHub and Pastebin to download code and its 12 attack vectors.

The worm can disable AppArmor, SELinux, firewalls and other defense mechanisms and install a cryptocurrency miner.


Known on Windows since May 2019, a new version of this botnet that can attack Linux was discovered in September. It disables Linux's out-of-memory killer to keep itself running and kills security processes that may interfere with its functionality.

The Linux edition has additional features like using SSH to find targets, using Steam game services, and crawling pornographic websites to fake clicks on advertisements.

It also has a penchant for infecting Android devices connected through Android Debug Bridge (ADB).


Drovorub

The FBI and NSA highlighted this rootkit in a warning in August. It can evade administrators and antivirus software, execute root commands, and allow hackers to upload and download files. According to the two agencies, Drovorub is the work of Fancy Bear, a group of hackers who work for the Russian government.

The infection is difficult to detect, but upgrading to at least the 3.7 kernel and blocking untrusted kernel modules should help prevent it.
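One way to check a host against the two mitigations above, as an added example that is not part of the original article. It assumes the kernel exposes module signing state at /sys/module/module/parameters/sig_enforce and module loading state at /proc/sys/kernel/modules_disabled; the function names are illustrative.

```python
import platform
import re
from pathlib import Path

MIN_KERNEL = (3, 7)  # minimum kernel version named in the article

def kernel_version(release):
    """Parse (major, minor) from a `uname -r` string such as '5.15.0-91-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))

def read_flag(path):
    """Return the stripped contents of a procfs/sysfs file, or None if unreadable."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None

def assess(release, sig_enforce, modules_disabled):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # Tuple comparison keeps 3.10 newer than 3.7, which string comparison would not.
    if kernel_version(release) < MIN_KERNEL:
        findings.append("kernel older than 3.7")
    # sig_enforce reads 'Y' when unsigned modules are rejected; modules_disabled
    # reads '1' when no further modules can be loaded at all. Other mechanisms
    # (for example kernel lockdown) are not checked here.
    if sig_enforce != "Y" and modules_disabled != "1":
        findings.append("module signature enforcement not confirmed")
    return findings

if __name__ == "__main__":
    result = assess(
        platform.release(),
        read_flag("/sys/module/module/parameters/sig_enforce"),
        read_flag("/proc/sys/kernel/modules_disabled"),
    )
    print(result or "no findings")
```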


Lucifer

The Lucifer bot for malicious crypto mining and distributed denial of service was first released on Windows in June and on Linux in August. The Linux incarnation of Lucifer enables HTTP-based DDoS attacks as well as attacks via TCP, UDP and ICMP.


This new strain in the Turla Penquin malware family was discovered by researchers in May. It's a backdoor that attackers can use to intercept network traffic and execute commands without acquiring root.

Kaspersky found the exploit on dozens of servers in the US and Europe in July.


Doki

Doki is a backdoor tool that mainly targets poorly configured Docker servers to install cryptocurrency miners.

While malware typically contacts predetermined IP addresses or URLs for instructions, Doki's developers have put in place a dynamic system that uses the Dogecoin crypto blockchain API. This makes it difficult to shut down the command infrastructure as the malware operators can change the control server with just one Dogecoin transaction.

To avoid Doki, make sure your Docker management interface is properly configured.
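A sketch of what "properly configured" can mean for the Docker daemon, added here as an example and not taken from the original article: it reads a daemon.json and flags any TCP listener that does not require client certificates (the hosts, tlsverify and tlscacert keys). The sample configurations and file paths are constructed.

```python
import json
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_docker_hosts(daemon_json_text):
    """Return (listener, severity, reason) for each TCP listener lacking client-cert checks."""
    cfg = json.loads(daemon_json_text)
    # With tlsverify, dockerd only accepts clients whose certificate chains to tlscacert.
    mutual_tls = cfg.get("tlsverify") is True and bool(cfg.get("tlscacert"))
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlparse(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local sockets
        if mutual_tls:
            continue
        # Policy choice: anything not clearly loopback is treated as network-exposed.
        severity = "warning" if (url.hostname or "") in LOOPBACK else "critical"
        findings.append((listener, severity, "API reachable without client certificate"))
    return findings

# Constructed sample configurations: the weak setting beside a corrected one.
WEAK = """{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}"""
HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_docker_hosts(text) or "no findings")
```

Listeners passed on the dockerd command line with -H are not covered by this check and need the same review.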


TrickBot

TrickBot is a banking Trojan used for ransomware attacks and identity theft, and it has also made the switch from Windows to Linux. Anchor_DNS, one of the tools from the group behind TrickBot, was released in July in a Linux variant.

Anchor_Linux acts as a back door and is usually distributed via zip files. The malware sets up a cron task and contacts a control server via DNS queries.


Tycoon

The Tycoon Trojan is usually distributed as a vulnerable Java runtime environment in a zip archive. Researchers discovered it in June on both Windows and Linux systems in small and medium-sized businesses and in educational institutions. It encrypts files and demands ransom payments.

Cloud Snooper

This rootkit hijacks Netfilter to hide commands and data theft in normal web traffic and to bypass firewalls.

The system was first identified in the Amazon Web Services cloud in February and can be used to control malware on any server behind a firewall.


PowerGhost

Also in February, Trend Micro researchers discovered that PowerGhost had made the leap from Windows to Linux. This is a fileless cryptocurrency miner that can slow down your system and degrade the hardware through increased wear and tear.

The Linux version can uninstall or terminate anti-malware products and remains active using a cron task. It can install other malware, gain root access, and spread itself over networks using SSH.


FritzFrog

Since this peer-to-peer (P2P) botnet was first identified in January 2020, 20 more versions have been found. The victims include governments, universities, medical centers and banks.

FritzFrog is fileless malware, a type of threat that resides in RAM rather than on your hard drive, exploiting vulnerabilities in existing software to get its job done. Instead of servers, it uses P2P to send encrypted SSH communications to coordinate attacks on different computers, update itself, and ensure that work is evenly distributed across the network.

Though fileless, FritzFrog creates a back door with a public SSH key to allow access in the future. Credentials for compromised computers are then stored across the network.

Strong passwords and public key authentication provide protection against this attack. It's also a good idea to change the SSH port or disable SSH access when you're not using it.
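The public-key back door and the password advice above can both be checked from files on the host. The following is an added example, not from the original article: it lists authorized_keys entries whose fingerprint is not on an allowlist and reports whether sshd still accepts passwords. The key blobs and sample files are constructed placeholders, and Match blocks in sshd_config are not evaluated.

```python
import base64
import binascii
import hashlib

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """Return (line_no, keytype, fingerprint, comment) for keys not on the allowlist."""
    hits = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (e.g. no-pty) may precede the key type.
        for i in range(len(fields) - 1):
            if not fields[i].startswith(("ssh-", "ecdsa-", "sk-")):
                continue
            try:
                fp = fingerprint(fields[i + 1])
            except (binascii.Error, ValueError):
                continue  # not a key blob, keep scanning the line
            if fp not in allowed_fingerprints:
                hits.append((no, fields[i], fp, " ".join(fields[i + 2:])))
            break
    return hits

def password_login_enabled(sshd_config_text):
    """True if the global section leaves PasswordAuthentication on (the sshd default)."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0].lower() == "match":
            break  # conditional overrides are out of scope here
        if parts[0].lower() == "passwordauthentication" and len(parts) > 1:
            return parts[1].lower() != "no"  # sshd uses the first value it reads
    return True

# Constructed sample data: the blobs are placeholders, not real keys.
ADMIN = base64.b64encode(b"constructed admin key").decode()
ROGUE = base64.b64encode(b"constructed unknown key").decode()
SAMPLE_KEYS = f"# deployed by config management\nssh-ed25519 {ADMIN} admin@example\nno-pty ssh-rsa {ROGUE}\n"
SAMPLE_SSHD = "PubkeyAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print(unexpected_keys(SAMPLE_KEYS, {fingerprint(ADMIN)}))
    print("password login enabled:", password_login_enabled(SAMPLE_SSHD))
```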


FinSpy

FinFisher sells FinSpy, which is linked to spying on journalists and activists, as the standard surveillance solution for governments. Previously seen on Windows and Android, the malware was found in a Linux version by Amnesty International in November 2019.

FinSpy enables traffic interception, access to private data and recording of video and audio from infected devices.

It became public knowledge in 2011 when protesters found a deal to buy FinSpy in the offices of the brutal Egyptian Security Service after the fall of President Mubarak.

Is it time for Linux users to take security seriously?

While Linux users may not be exposed to as many security threats as Windows users, there is no doubt that the value and data volume of Linux systems make the platform more attractive to cyber criminals.

If the FBI and NSA are concerned, sole proprietorships or small businesses running Linux should pay more attention to security now if they want to avoid collateral damage in future attacks on larger organizations.

Here are our tips to protect yourself from the growing list of Linux malware:

  • Do not run binaries or scripts from unknown sources.

  • Install security software such as antivirus programs and rootkit detectors.

  • Use caution when installing programs using commands such as curl. Do not run the command until you fully understand what it will do.

  • Learn how to properly set up your firewall. It should log all network activity, block unused ports, and generally keep your exposure to the network to the minimum necessary.

  • Update your system regularly. Set security updates to be installed automatically.

  • Make sure your updates are sent over encrypted connections.

  • Enable key-based authentication for SSH and password-protect the keys.

  • Use two-factor authentication (2FA) and keep the keys on external devices such as a YubiKey.

  • Check the logs for signs of attack.

About the author

Joe McCrossan

Joe McCrossan is a freelance writer, volunteer tech troubleshooter, and amateur bicycle repairman. He likes Linux, open source and all kinds of magical innovations.
