Linux malware has gained traction real fast and attackers are developing some new malware or upgrading the existing ones on a regular basis. Avast researchers discovered a new Linux rootkit, which is difficult to detect.
Diving into details
Dubbed Syslogk, this stealthy Linux malware is used to hide malicious activities and employs “magic packets” that trigger a backdoor within a device.
The malware is under active development and is based on an old open-source rootkit, named Adore-Ng.
However, Syslogk has new capabilities that make it challenging for analysts to detect the kernel rootkit and user-mode application.
The Linux rootkit deploys the backdoor trojan Rekoobe and uses a variety of techniques to keep it hidden until required.
The Rekoobe sample was discovered in a fake SMPT mail server.
It is triggered once it receives specially devised TCP packets, also known as magic packets.
With these packets, an attacker can remotely start and stop the backdoor.
These TCP packets are known as magic packets since they come with special powers and formats.
“In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, 'magically' executed in the system."
Why this matters
Syslogk and Rekoobe are in perfect alignment when used with a fake SMTP server. As the backdoor can be stopped and awakened on demand, when queries, it seems to be a legitimate service hidden on disk or in memory. Even if it is discovered in a network port scan, it portrays itself as a legitimate SMTP server.
The bottom line
Rootkits are dangerous threats and hard to detect and eliminate since they run in privileged layers. Syslog is another addition to the class of evasive Linux malware, such as Symbiote and BPFDoor. This highlights the constant endeavor of cybercriminals to target as many Linux servers and cloud infrastructure as possible to launch ransomware attacks and other malicious activities.