Presentation Material
AI Generated Summarymay contain errors
Here is a summary of the content:
The speaker discusses a technique used by malware to remain stealthy on Linux systems. They demonstrate how an attacker can mount a temporary file system (tempfs) on the /lost+found
directory, which is a popular directory in Linux distributions that users often overlook. By doing so, and creating files within this mounted directory, the attacker’s activities become invisible to other users or analysts who are part of different mount points.
The speaker demonstrates how an attacker can download a shell script onto the system using curl
, but it remains hidden from others due to the separate mount namespace. This technique is useful for malicious actors who want to remain stealthy.
The speaker then discusses two examples of malware that have employed this technique: Punchan, a botnet and cryptojacker that targeted the telecom, VPS, and education sectors, and Secret Slip, which was found on the Python Package Index (PyPI) repository. Both malware used memory-based file systems to drop crypto miners and evade detection.
To detect such malicious activities, the speaker recommends having visibility into process execution, better memory scanning capabilities, behavior-based detection, and network traffic analysis.