A New Cyber Threat: UAT-9921 and VoidLink Malware
Overview
A threat group known as UAT-9921 has been observed using a new malware family called VoidLink. The group specifically targets technology and finance companies and has been active since 2019, though it only recently began deploying VoidLink.
VoidLink: A Sophisticated Malware
VoidLink is a highly sophisticated tool designed to remain hidden in Linux-based cloud systems. It is believed to have been created by one individual with AI assistance, making it easier for less skilled hackers to develop dangerous malware.
Infection and Network Scanning
UAT-9921 installs VoidLink on computers it has already compromised and uses them as a foothold to scan networks both inside and outside the targeted organization. The malware can also deploy a SOCKS proxy, through which the operators run internal scans and move laterally using tools such as Fscan.
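As an added example (not code from the report or from the malware), a simple defender-side heuristic for the internal scanning behaviour described above: flag any internal source that contacts many distinct host:port pairs within a short window. The flow records, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the report): "timestamp src dst dport".
# 10.0.5.17 fans out to six hosts in a few seconds; 10.0.5.30 is normal traffic.
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 10.0.5.17 10.0.5.20 22
2024-05-01T10:00:01 10.0.5.17 10.0.5.21 22
2024-05-01T10:00:02 10.0.5.17 10.0.5.22 445
2024-05-01T10:00:03 10.0.5.17 10.0.5.23 445
2024-05-01T10:00:04 10.0.5.17 10.0.5.24 3306
2024-05-01T10:00:05 10.0.5.17 10.0.5.25 6379
2024-05-01T10:00:10 10.0.5.30 10.0.5.40 443
2024-05-01T10:05:00 10.0.5.30 10.0.5.40 443
2024-05-01T10:30:00 10.0.5.30 10.0.5.41 443
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows

def detect_fanout(flows, window=timedelta(seconds=60), min_targets=5):
    """Return {src: peak distinct (dst, dport) count} for every source that
    touches at least min_targets distinct targets inside any sliding window.
    Thresholds are assumptions; tune them to the environment's baseline."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it covers only `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {(d, p) for _, d, p in events[start:end + 1]}
            if len(distinct) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts

def run_sample():
    return detect_fanout(parse_flows(SAMPLE_FLOWS))
```

Flows from a SOCKS proxy exit on a compromised host show up as that host's own fan-out, so the heuristic applies whether the scan originates locally or is relayed.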
Technical Capabilities
- Programming Languages Used:
  - Zig for the main implant
  - C for plugins
  - Go for the backend
- On-Demand Plugin Compilation: Supports various Linux distributions and provides features for information gathering, lateral movement, and anti-forensics.
Advanced Stealth Mechanisms
VoidLink employs advanced stealth mechanisms to avoid detection and removal. It can detect security software and evade it. The command-and-control (C2) server can provide plugins to exploit specific vulnerabilities found in the target environment.
Role-Based Access Control (RBAC)
VoidLink features three roles:
- SuperAdmin
- Operator
- Viewer
This suggests that the developers planned for oversight. There are also signs of a main implant for Windows that can load plugins via DLL side-loading.