Zombie Ant Farming: Practical Tips for Playing Hide and Seek with Linux EDRs

Conference: BlackHat USA 2019



The presentation discusses strategies for building Linux malware in the face of endpoint detection and response (EDR) technology.
  • The focus is on responding to the challenge posed by EDR technology on Linux operating systems
  • The presentation suggests assembling the attack on the box by living off the land, using the facilities of the operating system itself to work against EDRs
  • The speaker suggests bringing in small, instrumented malware cradles and building iterative capabilities on top of them
  • The presentation also suggests using a C foreign function interface (FFI) to switch between the VM stack and the native technical stack in order to confuse EDRs
  • Defense is advised to implement Linux capabilities, lock down B&L ass, and define clearly what EDRs can and cannot do
The speaker gives an example of an operator landing on a Linux machine and being booted out of the system after 15 minutes because the payload did not work. The operator then has to figure out what went wrong and whether it was caused by the EDR or by other factors.


EDR solutions have landed on Linux. With the ever-increasing footprint of Linux machines deployed in data centers, offensive operators have to answer the call. In the first part of the talk we will share practical tips and code techniques the offense can use to slide under the EDR radar and to expand its post-exploitation capabilities. We will walk through examples and see how approved executables can be used as decoys to cleanly execute foreign code. We will review the primitives and building blocks of Linux malware that can be invoked by the dynamic ELF loader and the process bootstrap routines. Actionable, battle-tested practical tips to assist Red Teams with evasion will be shown. Part two will focus on expanding and weaponizing the capabilities. We will show how to create feature-rich chained preloaders, and use mimicry to hide modular malware during execution. To support the discussion, we will demo a memory-assisted "Preloader-as-a-Service" capability by abstracting the storage of malware from its executing cradles. We will talk about operationalizing Linux memory-based implants. Finally, we will show techniques for evading EDRs with cross-memory-attach injection into deliberately ASLR-weakened executables. We fully believe the ability to retool in the field matters more than standalone tools, so we have packaged the techniques into reusable code patterns in a toolkit you will be able to use or take inspiration from after the talk. The talk will conclude with pointers for Defense to mitigate the techniques we have shown. And most importantly, we will reveal what Zombies have to do with Ants :)