HomeCybersecurity Lifehacks
Analyzing Linux Malware in ANY.RUN:
3 examples
HomeCybersecurity Lifehacks
Analyzing Linux Malware in ANY.RUN:
3 examples

Although Linux is often regarded, and indeed is, less susceptible to attacks than Windows — partly because it’s not as widespread, it is not immune to malware. In fact, certain types of malware, such as DDoS botnets, are more prevalent on Linux systems than on Windows systems. 

It’s no secret that Linux servers are widely deployed in enterprise environments. This attracts hackers who seek a higher return on their investment. As a result, Linux malware saw a 50% increase in 2022 — a historical record. 

Why it’s important to analyze Linux malware 

So, how do you protect your organization against Linux threats? The answer is complex and a bit beyond the scope of this article. But a big part of hardening your security posture is to analyze the malware samples you encounter. 

It’s crucial to understand how they behave on a system. This way you will be able to collect IOCs they leave behind, and accordingly set up WAF, SIEM, or SOAR systems. 

Let’s analyze four such cases together in ANY.RUN

1. Analyzing Mirai, Botnet on Linux  

Mirai is a type of malware that transforms network-connected Linux devices into remotely controlled bots, often referred to as “zombies.” These compromised devices are then used to carry out Distributed Denial of Service attacks. This means that after a Mirai infection, your servers could become sources of DDoS traffic. 

The Threats section highlights malicious network activity

In the example, we can observe the botnet’s actions in an ANY.RUN task by visiting the threats tab

(Read how ANY.RUN helps analyze network threats

The Threat Details window shows a Suricata rule used for detecting Mirai

Because Mirai is active on the network, we can analyze which Suricata rules were triggered and examine them in the Threats tab.

Learn how ANY.RUN can improve your org’s security 

Schedule a call

2. Analyzing Linux Miners 

The next example is a miner — a type of parasitic malware that uses the system resources of infected host to mine cryptocurrency. It leads to degraded performance and unresponsiveness of infected machines. 

(Read more about crypto-mining malware.)

The miner causes RAM and CPU usage to go up

In this example, ANY.RUN initially detected the threat through network activity. Abnormal resource consumption is further proof of mining — Immediately after the malware launched, the CPU reached maximum capacity, and RAM usage spiked at the same time. 

The miner makes thousands of connections in a short span of time

ANY.RUN also clearly shows abnormal network behavior; the miner sent almost 300,000 DNS requests to generated domain names in less than 4 minutes. 

And in this task, we’re also examining a miner, but a key point to highlight is the signatures: 

The sandbox lists the miner’s suspicious actions

The titles of these signatures provide insight into what occurred. By clicking on one, you receive a detailed explanation of the conditions that triggered the signature. This way, we can better understand the network behavior of the sample.

For example, we can see that the malware checks active group controllers and the list of CPUs. This is a tactic advanced miners use to gather system data and configure themselves to run covertly in the system, ensuring they don’t overuse resources.

Easily analyze malware and better understand its behavior with ANY.RUN 

Get started free

3. Analyzing DDoS on Linux 

In this example, we observe a compromised Linux system executing a DDoS attack: within just one minute, the malware attempts to establish connections over 15,000 times. 

The malware carries out a DDoS attack

Catching a DDoS attack originating from your servers can result in severe consequences: it could lead to reputational damage, and even regulatory repercussions, especially if the attack targets critical infrastructure or helps hackers to execute a data breach by smoke screening. 


Let’s recap the main points: 

  • Linux is not immune to malware: Despite its reputation for security, Linux systems can fall prey to various types of malware. 
  • It is important to analyze the latest malware samples: Analyzing malware samples is crucial for understanding their behavior, collecting IOCs, and configuring security systems like WAF, SIEM, and SOAR systems against emerging threats. 
  • Case studies in ANY.RUN: In the article, we looked how ANY.RUN helps analyze and better understand behavior of malware, using miners and DDoS botnets as an example — of course, you can also just as well analyze other threats such as ransomware, RATs and stealers. 

About ANY.RUN 

ANY.RUN is a developer of cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams, as well as Threat Intelligence Feeds and Threat Intelligence Lookup. Every day, 400,000 professionals use our platform to investigate incidents and streamline threat analysis.  

Get started in ANY.RUN for free today → 

Jack Zalesskiy
Technology writer at ANY.RUN at ANY.RUN | + posts

Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.

Jack Zalesskiy
Technology writer at ANY.RUN
Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.

What do you think about this post?

0 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.