Cyber threats evolve constantly, making it tough for even the most prepared security teams to keep up. The key to protection is understanding how these threats behave, yet tracking countless malicious techniques can feel impossible.

That’s where the MITRE ATT&CK framework comes in. 

Created in 2003, it was designed to help cybersecurity professionals tackle this daunting task. Over the years, it has become an essential tool in the industry, providing a unified system for identifying malicious behaviors.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Matrix is a popular framework used by cybersecurity professionals to better understand and defend against various types of malware, including those targeting Linux systems. 

The matrix helps by providing a comprehensive overview of the tactics, techniques, and procedures (TTPs) employed by attackers, which is invaluable when studying Linux malware.

The MITRE ATT&CK framework includes 12 tactics that represent the different goals attackers aim to achieve during a cyberattack. Each tactic encompasses multiple techniques that describe specific methods used to reach these goals.

  1. Initial Access: Techniques attackers use to gain entry into a network (e.g., spear-phishing, exploiting vulnerabilities).
  2. Execution: Methods to run malicious code on a target system (e.g., command-line interface, PowerShell scripts).
  3. Persistence: Techniques to maintain access over long periods (e.g., creating new user accounts, installing malware that runs at startup).
  4. Privilege Escalation: Gaining higher-level permissions to access more critical data or systems (e.g., exploiting system vulnerabilities).
  5. Defense Evasion: Methods to avoid detection by security software (e.g., disabling security tools, obfuscating malware).
  6. Credential Access: Techniques for stealing credentials like passwords or tokens (e.g., keylogging, brute-force attacks).
  7. Discovery: Finding details about the target environment, such as network topology and services running (e.g., network scanning, file and directory discovery).
  8. Lateral Movement: Moving across the network to access other systems (e.g., remote desktop protocol, SSH).
  9. Collection: Gathering data from the system for exfiltration (e.g., screen capture, keylogging).
  10. Command and Control: Communicating with compromised systems remotely to control them (e.g., using C2 servers).
  11. Exfiltration: Sending stolen data outside the target environment (e.g., transferring files via email, HTTP).
  12. Impact: Actions that cause harm or disrupt systems, such as encrypting files in ransomware attacks (e.g., data destruction, system shutdown).

How MITRE ATT&CK Helps with Linux Malware Analysis

Running a sample in a sandbox such as ANY.RUN reveals the tactics and techniques the sample exhibits during execution, mapped onto the framework. This makes it easier for security professionals to detect, analyze, and mitigate threats on Linux systems.

For example, the Mirai botnet is one of the most infamous Linux malware families, and its behavior becomes easy to follow once it is laid out as MITRE ATT&CK tactics and techniques.

To see this in action, let’s run a sample with Mirai malware in the ANY.RUN sandbox:

Mirai malware analyzed in ANY.RUN sandbox

During the analysis, you’ll notice malicious activity flagged as Mirai botnet. By clicking the ATT&CK button, you’ll be redirected to the MITRE ATT&CK framework, where the various tactics and techniques used by the malware are clearly outlined, giving you a deeper understanding of the threat.

ATT&CK button in ANY.RUN sandbox

Here, you will be able to see documented techniques associated with this malware.

Mirai malware tactics and techniques displayed in MITRE ATT&CK Matrix

As you can see, the sample uses the Unix Shell sub-technique to execute commands. Clicking on it provides a detailed explanation of how this sub-technique works.

In this case, adversaries may abuse Unix shells, the command-line interpreters on Linux and macOS systems (e.g., sh, bash, zsh), to run commands. These shells can control every aspect of the system, with some commands requiring elevated privileges.

Attackers can use shell scripts for tasks like executing multiple commands sequentially or running the same set of commands on different systems. They may use these scripts to deliver and execute payloads or maintain persistence during lateral movement, such as with SSH.

Unix Shell technique details inside ANY.RUN

Another technique used in this attack is “Linux and Mac File and Directory Permissions Modification.” On Linux systems, the common commands for managing permissions are chown (change owner) and chmod (change mode). Attackers may use these to take ownership of files or directories or alter permissions, potentially locking out legitimate users. 

This is often a necessary step for other techniques, such as establishing persistence through Unix Shell Configuration Modification or hijacking binaries via Hijack Execution Flow.

Linux and Mac File and Directory Permissions Modification technique in ANY.RUN sandbox

Another Linux malware family, Gafgyt, operates similarly to Mirai but uses a partly different set of techniques. After running a Gafgyt sample in ANY.RUN’s sandbox, the MITRE ATT&CK view highlights familiar techniques, including the use of the “Unix Shell” for command execution and “Linux and Mac File and Directory Permissions Modification” to alter permissions and potentially block legitimate users from accessing files.

Gafgyt malware tactics and techniques displayed in MITRE ATT&CK Matrix

However, in this analysis, you’ll also notice the MITRE ATT&CK framework highlights the technique “Application Layer Protocol” in red, indicating potential danger. 

By clicking on it, you can delve deeper into the specific threat. In this case, the risk involves the malware connecting to a Command and Control (C2) server. 

This connection allows the malware to communicate with the attacker’s server, which can be used to issue further commands or steal sensitive data, making it a crucial aspect to monitor and mitigate.
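What the sandbox does for the Unix Shell and permissions-modification findings described earlier, and for the Application Layer Protocol finding here, is match observed events to ATT&CK entries and group them by tactic. The following is an added example, not ANY.RUN's or MITRE's code, showing a minimal version of that mapping in Python over a handful of constructed sandbox-style process and network events. The technique IDs are the public ATT&CK identifiers for the three techniques named in the text; the event format, the shell and tool names, and the list of application-layer ports are assumptions of this example.

```python
"""Tag constructed sandbox-style events with ATT&CK techniques and group
them by tactic, the way a matrix view does. Added example; the event
schema and the heuristics below are this example's own assumptions."""
import shlex
from collections import defaultdict

# Public ATT&CK IDs for the techniques discussed in the text: (tactic, name).
TECHNIQUES = {
    "T1059.004": ("Execution", "Command and Scripting Interpreter: Unix Shell"),
    "T1222.002": ("Defense Evasion",
                  "File and Directory Permissions Modification: Linux and Mac"),
    "T1071": ("Command and Control", "Application Layer Protocol"),
}

# Assumed detection heuristics (not ANY.RUN's rules).
SHELLS = {"sh", "bash", "zsh", "dash", "ash"}
PERMISSION_TOOLS = {"chmod", "chown", "chgrp"}
APP_LAYER_PORTS = {80: "HTTP", 443: "HTTPS", 53: "DNS", 6667: "IRC"}


def _basename(path):
    return path.rsplit("/", 1)[-1]


def classify_event(event):
    """Return the set of technique IDs a single event matches."""
    hits = set()
    if event["type"] == "process":
        try:
            argv = shlex.split(event["cmdline"])
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            argv = event["cmdline"].split()
        if not argv:
            return hits
        prog = _basename(argv[0])
        if prog in SHELLS:
            hits.add("T1059.004")
            # For "sh -c '<cmd>'", also inspect the inline command for permission tools.
            if "-c" in argv[:-1]:
                inner = argv[argv.index("-c") + 1]
                words = {_basename(w) for w in
                         inner.replace(";", " ").replace("&&", " ").split()}
                if words & PERMISSION_TOOLS:
                    hits.add("T1222.002")
        if prog in PERMISSION_TOOLS:
            hits.add("T1222.002")
    elif event["type"] == "network" and event.get("dst_port") in APP_LAYER_PORTS:
        hits.add("T1071")
    return hits


def build_matrix(events):
    """Map tactic -> technique ID -> indices of the events that triggered it."""
    matrix = defaultdict(lambda: defaultdict(list))
    for idx, event in enumerate(events):
        for tid in classify_event(event):
            tactic, _name = TECHNIQUES[tid]
            matrix[tactic][tid].append(idx)
    return {tactic: dict(techs) for tactic, techs in matrix.items()}


# Constructed events resembling what a sandbox records for a Linux bot sample;
# 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "/bin/sh -c 'chmod 700 /tmp/payload.elf; /tmp/payload.elf'"},
    {"type": "process", "cmdline": "/usr/bin/chown root:root /tmp/payload.elf"},
    {"type": "network", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"type": "process", "cmdline": "/usr/bin/ls -la /etc"},   # benign, matches nothing
    {"type": "network", "dst_ip": "203.0.113.10", "dst_port": 6667},
]

if __name__ == "__main__":
    for tactic, techs in build_matrix(SAMPLE_EVENTS).items():
        print(tactic)
        for tid, idxs in techs.items():
            print(f"  {tid} {TECHNIQUES[tid][1]} <- events {idxs}")
```

Two caveats that also apply to the sandbox's own view: a shell spawn on its own is low-signal, since nearly every Linux process tree goes through sh at some point, so the Unix Shell tag only becomes meaningful alongside the other findings; and port-based tagging of Application Layer Protocol is a heuristic, because a C2 channel can sit on any port and a connection on port 80 can be entirely benign.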

Application Layer Protocol technique details in ANY.RUN sandbox

You can easily view all the techniques within the MITRE ATT&CK framework, not just those tied to a specific malware sample. 

To do this, simply check the “Show all tactics” box located in the top-right corner of the screen. This will expand the view and display every tactic and technique, helping you gain a broader understanding of how various attack methods are organized within the framework.

All tactics displayed in ANY.RUN sandbox

Conclusion

Using the MITRE ATT&CK framework to analyze Linux malware like Mirai and Gafgyt lets you track the malware’s actions and understand its key behaviors. Combined with sandbox tools like ANY.RUN, it shows how these threats operate in real time.

Create your free ANY.RUN account and analyze unlimited malware using the MITRE ATT&CK framework.
