Researchers unsure of purpose of new VoidLink Linux malware

Check Point Software researchers have discovered what they say is a cloud-first malware framework aimed at Linux-based operating systems, with an unusually broad set of features, but they are not sure what its intended purpose is.

Named VoidLink by Check Point Research, in December last year the security vendor first indentified a small cluster of previously unnoticed Linux malware that seemed to originate from a China-affiliated development environment.

VoidLink has an "extremely flexible and highly modular" architecture that offers full command and control abilities, with over 30 plugins, operational security protection and an ability to recognise major cloud environments. 

No deployment of VoidLink has been observed so far, CPR said, adding that the framework could be a work-in-progress as the binaries it found had debug symbols in them, and other development artifacts.

"The framework's intended use remains unclear, and as of this [sic] writing, no evidence of real-world infections has been observed," CPR said.

"Although it is not clear if the framework is intended to be sold as a legitimate penetration testing tool, as a tool for the criminal underground, or as a dedicated product for a single customer, defenders should proactively secure their Linux, cloud, and container environments and be prepared to defend against advanced threats such as VoidLink," CPR said.

Either way, CPR said VoidLink is "an impressive piece of software, written in Zig for Linux, and it is far more advanced than typical Linux malware."