New malware is being used to steal information silently from backdoored Linux systems. Named OrBit, the Linux malware is used to infect all running processes on the compromised machines.
How OrBit works?
Researchers from Intezer Labs security first spotted the malware and claimed that it hijacks shared libraries to intercept function calls by making changes to the LD_PRELOAD environment variable on systems.
The main goal of the backdoor is to steal information by hooking the read and write functions. This aids in gathering data written by the executed processes on the machine, such as bash and sh commands.
It can hook different functions to avoid detection, maintain persistence by infecting new processes, control process behavior, and mask network activity.
Further, OrBit can be deployed as a volatile implant if copied inside the shim-memory.
The malware can gain persistence using two different techniques to stop removal attempts:
The first technique is to add the path to the malware inside the /etc/ld[.]so[.]preload configuration file. This guides the loader that the backdoor should be loaded first for all new processes.
In the second technique, the backdoor copies the loader’s binary so it can patch it. It does a simple search in the binary for the string “/etc/ld[.]so[.]preload.”
Once found, it replaces the string with a path to a file within the %MALWARE_FOLDER%. The content of this file has the path to the malware library to act as an ld[.]so[.]preload configuration file.
It implies that, when a patch loader runs, it uses the file inside the %MALWARE_FOLDER% instead under “/etc”.
Recent Linux malware
Lately, multiple highly-evasive Linux malware has been detected, along with the OrBit malware, indicating an increasing trend of Linux malware.
Symbiote: a Linux malware that makes use of the LD_PRELOAD directive to load itself into running processes and act as a system-wide parasite, along with leaving no traces of infection.
BPFDoor: this malware hides by using the names of standard Linux daemons. It stayed undetected for more than five years.
Syslogk: A new Linux rootkit, based on an old open-source rootkit Adore-Ng, uses specially designed “magic pockets” to trigger the backdoor inside a device.
OrBit is the fourth Linux malware that surfaced in the past three months.
OrBit has the ability to gain persistence and evade detection by anti-malware solutions. Hence, the malware should be considered a serious threat to Linux systems. Leveraging threat intel services that bring you first-hand information to identify new types of threats and understand their severity is recommended. Mitigation can be planned accordingly. Mitigation can be planned accordingly.