GhostPenguin
GhostPenguin is a previously undocumented Linux backdoor, described by Trend Micro as a multi-threaded C++ malware family that was in an early stage of development when analyzed. It provides remote shell access via /bin/sh and extensive file-system operations, including creating, deleting, renaming, searching, and otherwise manipulating files and directories. The malware collects host information during registration, including IP address, gateway, OS version, hostname, and username, and can execute commands received from its command-and-control (C2) server.
GhostPenguin communicates with its C2 infrastructure over UDP, specifically using UDP port 53, and encrypts traffic with a custom RC5-based, session-oriented protocol. Its communications include a structured handshake, dynamically assigned session IDs, heartbeat-based C2, multi-stage communication, and a custom reliability layer built on top of UDP to ensure delivery of commands and data. The malware architecture uses multiple threads for registration, heartbeat signaling, receiving data, and sending data. Reporting indicates it supports roughly 40 commands.
The sample discussed in the source material evaded detection by all VirusTotal engines for months and was characterized as low-noise and difficult to detect. It minimizes duplicate execution by creating a ".temp" file in the user home directory. The analyzed binary was named "systemd" and had SHA-256 7b75ce1d60d3c38d7eb63627e4d3a8c7e6a0f8f65c70d0b0cc4756aab98e9ab7. Reported C2 infrastructure included 65.20.72.101:53, www.iytest.com:5679, and 124.221.109.147:5679. Trend Micro detects it as Backdoor.Linux.GHOSTPENGUIN.A.
The available content does not attribute GhostPenguin to a specific threat actor or campaign, and no specific victim industry targeting is stated beyond it being a Linux malware threat.
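Two of the traits above are directly huntable from network telemetry without knowing anything about the RC5 protocol itself: traffic on UDP/53 whose payload does not parse as DNS, and heartbeat-style flows that recur at a near-constant interval. The following is an added example, not code from Trend Micro, Mallory, or the malware; the packet tuples and the opaque payload are constructed stand-ins, the 203.0.113.10 address is a documentation address, and the thresholds (opcode whitelist, record-count caps, 20% jitter) are assumptions to tune against your own baseline.

```python
"""Added example: flag non-DNS payloads on UDP/53 and periodic (beacon-like) flows.
Not GhostPenguin code; all packets below are constructed sample data."""
import struct
from collections import defaultdict
from statistics import mean, pstdev


def _walk_name(buf: bytes, off: int):
    """Return the offset just past a DNS name starting at `off`, or None if malformed."""
    while True:
        if off >= len(buf):
            return None
        length = buf[off]
        if length == 0:                     # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:           # 2-byte compression pointer
            return off + 2 if off + 1 < len(buf) else None
        if length > 63:                     # labels are at most 63 bytes
            return None
        off += 1 + length


def looks_like_dns(payload: bytes) -> bool:
    """Heuristic DNS check: sane header fields and a parseable question section.
    Opaque/encrypted payloads fail this with overwhelming probability."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF not in (0, 1, 2, 4, 5):   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return False
    if qd > 8 or an + ns + ar > 512:                 # assumed caps for normal traffic
        return False
    off = 12
    for _ in range(qd):
        off = _walk_name(payload, off)
        if off is None or off + 4 > len(payload):    # QTYPE + QCLASS must fit
            return False
        off += 4
    return True


def flag_non_dns_on_53(packets):
    """packets: iterable of (ts, src, dst, dport, payload).
    Return sorted (src, dst) pairs that sent non-DNS data to port 53."""
    hits = {(src, dst) for _ts, src, dst, dport, payload in packets
            if dport == 53 and not looks_like_dns(payload)}
    return sorted(hits)


def periodic_flows(packets, min_packets=4, max_jitter=0.2):
    """Group packets by (src, dst, dport) and flag flows whose inter-packet gaps
    are nearly constant (coefficient of variation <= max_jitter)."""
    times = defaultdict(list)
    for ts, src, dst, dport, _payload in packets:
        times[(src, dst, dport)].append(ts)
    flagged = []
    for flow, ts in times.items():
        if len(ts) < min_packets:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append(flow)
    return sorted(flagged)


# Constructed samples. DNS_QUERY is a standard A query for example.com;
# OPAQUE is a stand-in for an encrypted, non-DNS datagram (not a real malware packet).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
OPAQUE = bytes(range(0x80, 0xA8))

SAMPLE_PACKETS = [
    (0.0,  "10.0.0.5", "203.0.113.10", 53, OPAQUE),   # regular 30 s cadence to one host
    (30.0, "10.0.0.5", "203.0.113.10", 53, OPAQUE),
    (60.0, "10.0.0.5", "203.0.113.10", 53, OPAQUE),
    (90.0, "10.0.0.5", "203.0.113.10", 53, OPAQUE),
    (1.0,  "10.0.0.5", "10.0.0.2", 53, DNS_QUERY),    # ordinary resolver traffic
    (7.0,  "10.0.0.5", "10.0.0.2", 53, DNS_QUERY),
    (9.0,  "10.0.0.5", "10.0.0.2", 53, DNS_QUERY),
]

if __name__ == "__main__":
    print("non-DNS on 53:", flag_non_dns_on_53(SAMPLE_PACKETS))
    print("periodic flows:", periodic_flows(SAMPLE_PACKETS))
```

In production the same two checks map onto a Zeek `dns` vs `conn` log join (UDP/53 connections with no matching DNS record) and a beaconing query over flow timestamps; the heuristic above is deliberately loose so that legitimate resolvers, which send well-formed queries at irregular intervals, stay out of both lists.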
GhostPenguin is a stealthy Linux backdoor that provides remote shell access and file-system operations over encrypted UDP, evading detection for months. It uses RC5 encryption and supports a wide range of attacker commands.
Multi-threaded Linux backdoor (C++) that collects host/network/system info, registers to C2, executes remote commands (including remote shell via /bin/sh), and performs file/directory operations; communicates with C2 over UDP port 53.
Linux backdoor malware, currently in early development, that provides unauthorized remote access to infected systems.
A Linux backdoor described as using RC5-encrypted UDP communications for covert command-and-control.