Authors: Lukas Schmidt, Sebastian Strasda, Sebastian Schinzel
DFRWS USA 2025 — “History in the Making” — Jubilee 25th Anniversary
Abstract
The increasing adoption of Linux-based desktop systems in various sectors, including critical infrastructures and personal use, has made them an attractive target for Advanced Persistent Threat (APT) groups and state actors. Yet, the espionage capabilities of Linux desktop malware and the forensic strategies for uncovering them remain largely unexamined. This paper addresses this gap by analyzing ten malware families that target the Linux desktop environment, studying the utilized espionage techniques, and introducing novel approaches to detect them using memory forensics.
Facing the multitude of espionage attack implementations that result from the diverse Linux desktop ecosystem, we propose to reduce the complexity of memory forensic investigations by focusing on the analysis of targeted core services.
We evaluate our approach by implementing proof-of-concept Volatility plugins for identification of keylogging, screen capturing as well as camera and microphone recording malware, and prove their effectiveness by performing forensic analyses of real-world espionage techniques that were utilized during APT campaigns.
Our evaluation shows that memory forensics is effective in uncovering Linux espionage attacks, and we are confident that our study provides valuable insights for future research and practical analysis of these threats.