Search This Blog

Showing posts with label Linux RootKit. Show all posts

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected

 

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.

ESET: FontOnLake Rootkit Malware Targets Linux Systems

 

Researchers have detected a new campaign that is potentially targeting businesses in Southeast Asia using previously unknown Linux malware that is designed to allow remote access to its administrators, as well as collect credentials and operate as a proxy server. 

The malware group, called "FontOnLake" by the Slovak cybersecurity firm ESET, is reported to entail "well-designed modules" that are constantly modified with a wide range of features, indicating an active development stage. 

According to samples uploaded to VirusTotal, the initial attacks employing this threat may have happened as early as May 2020. The same virus is being tracked by Avast and Lacework Labs under the name HCRootkit. 

ESET researcher Vladislav Hrčka stated, "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks." 

"To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism." 

FontOnLake's toolkit consists of three components: trojanized copies of genuine Linux utilities utilized to load kernel-mode rootkits and user-mode backdoors, all of which interact through virtual files. The C++-based implants themselves are programmed to monitor systems, discreetly perform commands on networks, and steal account passwords. 

A second variation of the backdoor also function as a proxy, modify files, and download arbitrary files, while a third variant, in addition to combining characteristics from the other two backdoors, can run Python scripts and shell commands. 

ESET discovered two variants of the Linux rootkit that are based on an open-source project called Suterusu and share features like hiding processes, files, network connections, and itself, as well as being able to perform file operations and obtain and run the user-mode backdoor. 

Enterprise Password Management 

It is yet unknown how the attackers gained initial network access but the cybersecurity firm highlighted that the malicious actor behind the assaults is "overly cautious" to avoid leaving any traces by depending on multiple, unique command-and-control (C2) servers with different non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer working. 

Hrčka stated, "Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns." 

"As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."