Exaramel for Linux is a backdoor written in the Go programming language and compiled as a 64-bit ELF binary. The backdoor can execute commands with high privileges and uses HTTPS for C2 communications. It has a command to download a file from, and upload a file to, a remote C2 server, and a command to execute a shell command on the system. It persists via a hardcoded location under systemd, and if it is running as root it can also encrypt its configuration file and uninstall its persistence mechanism.
Exaramel for Linux Malware Capabilities
Exaramel for Linux may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different user's context. This can allow the adversary to elevate privileges and access sensitive information. Additionally, Exaramel for Linux may transfer tools or files from an external system into a compromised environment in order to evade detection.
- Exaramel for Linux may be used to copy tools or files from an external system into a compromised environment, and to communicate using application layer protocols associated with web traffic. This may allow adversaries to avoid detection or network filtering.
- Exaramel for Linux may use encryption, encoding, or other obfuscation methods to make files difficult to discover or analyze. It may also use alternate communication channels if the primary channel is compromised or inaccessible. Finally, it may abuse Unix shell commands and scripts for execution.
- Exaramel for Linux may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system. This information can be collected in a number of ways using other Discovery techniques, because user and username details are prevalent throughout a system: running process ownership, file and directory ownership, session information, and system logs.
- The Exaramel for Linux malware may use obfuscated files or information to hide its tracks from analysis, and may also delete files left behind by its activities. It may also create or modify system-level processes to repeatedly execute malicious payloads, in order to persist on a system.
Ways to Mitigate Exaramel for Linux Malware Capabilities
- Exaramel for Linux attacks can be mitigated by monitoring the file system for files that have the setuid or setgid bits set, monitoring for execution of utilities like chmod, and analyzing network data for uncommon data flows.
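The setuid/setgid monitoring described above is most useful as a baseline comparison rather than a one-off listing, because a normal host legitimately carries set-id binaries such as passwd or sudo. The following is an added example written for this page, not code from the original article or from any Exaramel analysis; the directory tree it scans and the file names in `demo()` are constructed, and the JSON baseline format is an assumption of this example.

```python
"""Baseline-based scan for setuid/setgid files (added example, not from the page).

The signal worth alerting on is the difference between the set-id files present
now and those recorded when the host was known-good. On a real host, run
find_setid_files() over /usr/bin, /usr/sbin, /usr/lib and any other binary
directories, save the result once, and diff against it on a schedule.
"""
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List


def find_setid_files(roots: Iterable[str]) -> Dict[str, str]:
    """Return {path: octal_mode} for regular files with setuid or setgid set.

    os.lstat never follows symlinks, so a link cannot make a file appear to live
    elsewhere, and unreadable entries are skipped instead of aborting the scan.
    """
    found: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found[path] = oct(stat.S_IMODE(st.st_mode))
    return found


def diff_against_baseline(current: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify set-id files as added, removed or mode-changed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def save_baseline(path: str, entries: Dict[str, str]) -> None:
    """Persist the baseline as JSON (assumed format for this example)."""
    with open(path, "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree: one baselined setuid binary, one new set-id file, one plain file."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    legit = os.path.join(root, "bin", "legit-helper")      # constructed: present at baseline time
    newfile = os.path.join(root, "tmp", "dropped-helper")  # constructed: appeared after the baseline
    plain = os.path.join(root, "bin", "plain-tool")        # constructed: no set-id bits
    for p in (legit, newfile, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(legit, 0o4755)    # setuid
    os.chmod(newfile, 0o6755)  # setuid + setgid
    os.chmod(plain, 0o755)

    baseline_path = os.path.join(root, "baseline.json")
    save_baseline(baseline_path, {legit: oct(0o4755)})
    current = find_setid_files([os.path.join(root, "bin"), os.path.join(root, "tmp")])
    return diff_against_baseline(current, load_baseline(baseline_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Store the baseline somewhere the monitored host cannot rewrite it (a read-only mount or a central collector), otherwise a process with root, which Exaramel may have, can simply re-baseline its own additions. A mode change on an existing file is reported separately from a new file because the same technique can be applied to a binary that already ships with the OS.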
- Exaramel attacks can be mitigated by detecting unusual activity on a system, such as network data flows or scripts running out of cycle from patching or other administrator functions. If scripts are enabled on a system but not commonly used, scripts running outside those cycles are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
- System and network discovery activity should be monitored to identify suspicious behaviour, and scheduled task and service creation should be monitored for changes that do not correlate with known software or patch cycles.
- Detecting the act of deobfuscating or decoding files or information, and monitoring for changes to system-level processes (such as systemd units) that do not correlate with known software, patch cycles, or administrator activity, are further ways to catch Exaramel for Linux.
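The two points above, watching scheduled task and service creation and watching system-level processes that do not match known software, come together in systemd unit files. The following is an added example for this page, not code from the original article; it audits unit files for Exec* lines that point outside the directories packages normally install into and for unit files anyone can rewrite. `TRUSTED_EXEC_DIRS` is an assumed list to tune per distribution, and the unit files in `demo()` are constructed (the `/tmp/.cache/helper` path is a made-up placeholder, not Exaramel's actual persistence location).

```python
"""Audit systemd unit files for persistence that does not match known software
(added example, not from the page).

On a real host run audit_unit_dirs() over /etc/systemd/system and
/usr/lib/systemd/system and correlate the findings with package ownership
(dpkg -S / rpm -qf); demo() uses a constructed temporary directory instead.
"""
import os
import stat
import tempfile
from typing import Dict, Iterable, List

# Assumed locations where packaged executables normally live; tune per distribution.
TRUSTED_EXEC_DIRS = (
    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
    "/usr/lib/", "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/",
)
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload", "ExecStop")


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal unit-file parser: {section: {key: [values]}}. Keys may repeat in systemd."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_path(exec_line: str) -> str:
    """Strip systemd's Exec* prefix characters (@ - : + !) and return the program path."""
    parts = exec_line.split()
    return parts[0].lstrip("@-:+!") if parts else ""


def audit_unit_file(path: str) -> List[str]:
    """Return human-readable findings for one unit file (empty list means nothing odd)."""
    findings: List[str] = []
    if os.lstat(path).st_mode & stat.S_IWOTH:
        findings.append("unit file is world-writable")
    with open(path) as fh:
        unit = parse_unit(fh.read())
    service = unit.get("Service", {})
    for key in EXEC_KEYS:
        for line in service.get(key, []):
            exe = exec_path(line)
            if not exe.startswith(TRUSTED_EXEC_DIRS):
                findings.append(f"{key} runs from untrusted location: {exe}")
    return findings


def audit_unit_dirs(dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Return {unit_path: [findings]} for every .service/.timer that raised a finding."""
    results: Dict[str, List[str]] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith((".service", ".timer")):
                continue
            path = os.path.join(d, name)
            findings = audit_unit_file(path)
            if findings:
                results[path] = findings
    return results


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a packaged-looking unit and one that runs a payload from /tmp."""
    unit_dir = tempfile.mkdtemp(prefix="unit-audit-demo-")
    units = {
        "exampled.service": (  # constructed benign unit
            "[Unit]\nDescription=Example daemon (constructed)\n\n"
            "[Service]\nExecStart=/usr/sbin/exampled --foreground\nRestart=on-failure\n\n"
            "[Install]\nWantedBy=multi-user.target\n"
        ),
        "update-helper.service": (  # constructed suspicious unit, placeholder path
            "[Unit]\nDescription=Update helper (constructed)\n\n"
            "[Service]\nExecStart=-/tmp/.cache/helper\nRestart=always\n\n"
            "[Install]\nWantedBy=multi-user.target\n"
        ),
    }
    for name, text in units.items():
        path = os.path.join(unit_dir, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)  # fixed mode so the demo does not depend on the umask
    return audit_unit_dirs([unit_dir])


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Pair the audit with inotify or auditd watches on the unit directories so that a unit created between scans is still seen, and treat a new unit whose Exec* target lives in a temporary or user-writable directory as a high-priority event rather than a warning, since legitimate package installs do not do that.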
About the Sandworm Team Threat Group
The Sandworm team, a Russian military intelligence unit, has been indicted by the US for various cyberattacks dating back to 2015.