One of the oft-repeated reasons for using alternative operating systems is the suggestion that alternatives to Windows are more secure because malware is not produced for these minority systems—in effect, an argument in favor of security by minority. For a variety of reasons, this is a misguided notion. The proliferation of web-based attacks—which are inherently cross-platform, as they depend on browsers more than the underlying OS the browser runs on—makes this argument rather toothless.
In the more narrow view of actual executables, Java-based malware such as McRAT has proliferated in the past, though as Java on the desktop is practically unheard of on consumer computers in 2018. Likewise, with enterprises moving away from installing Java SE on workstations, the viability of that approach has dwindled. However, Google’s Golang—which supports cross compiling to run on multiple operating systems—is now being utilized by attackers to target Windows and Linux workstations.
According a report by JPCERT, the WellMess malware can operate on WinPE (Windows Preinstallation Environment) and on Linux via ELF (Executable and Linkable Format). The malware gives a remote attacker the ability to execute arbitrary commands as well as upload and download files, or run PowerShell scripts to automate tasks. The commands are transferred to the infected device via RC6 encrypted HTTP POST requests, with the results of executed commands transmitted to the C&C server via cookies.
JPCERT has created a tool (available here) to decrypt the content of those cookies, to identify what is being transmitted to the C&C server.
WellMess has been found in (unnamed by the report) Japanese companies, though it is unclear if the attacks are targeted exclusively in Japan, or if groups or individuals outside Japan have been affected. The C&C servers controlling infected systems are located in Lithuania, The Netherlands, Sweden, Hong Kong, and China. JPCERT advises that attacks using this malware are ongoing.
While WellMess is far from the first malware to run on Linux systems, the perceived security of Linux distributions as not being a significant enough target for malware developers should no longer be considered the prevailing wisdom, as cross-compilation on Golang will ease malware development to an extent for attackers looking to target Linux desktop users. As with Windows and macOS, users of Linux on the desktop should install some type of antivirus software in order to protect against malware such as WellMess.
In terms of free and open source software, ClamAV is likely the best option. ClamAV is a product of Cisco’s Talos Intelligence team, and is available in the default package repositories of most major Linux distributions. It is, however, a command line tool, making a front-end such as ClamTk or ClamAV-GUI necessary.
The big takeaways for tech leaders:
- The WellMess malware can operate on WinPE and on Linux via ELF, giving a remote attacker the ability to execute arbitrary commands as well as upload and download files, or run PowerShell scripts to automate tasks.