This new Linux rootkit malware is already targeting victims

By Scott Marlette Last updated Jun 15, 2022

A new rootkit affecting Linux (opens in new tab) systems has been discovered that is capable of both loading, and hiding, malicious programs.

As revealed by cybersecurity researchers from Avast, the rootkit malware (opens in new tab), called Syslogk, is based on an old, open-sourced rootkit called Adore-Ng.

It’s also in a relatively early stage of (active) development, so whether or not it evolves into a full-blown threat, remains to be seen.

When the Syslogk loads, it first removes its entry from the list of installed modules, meaning the only way to spot it is through an exposed interface in the /proc file system. Besides hiding itself from manual inspection, it is also capable of hiding directories that host the dropped malware, hiding processes, as well as network traffic.

But perhaps most importantly – it can remotely start or stop payloads.

Enter Rekoobe

One such payload that was discovered by Avast’s researchers is called ELF:Rekoob, or more widely known as Rekoobe. This malware is a backdoor trojan written in C. Syslogk can drop it on the compromised endpoint (opens in new tab), and then have it lay dormant until it receives a “magic packet” from the malware’s operators. The magic pocket can both start, and stop the malware.

“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server,” Avast explained in a blog post. “Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”

Rekoobe itself is based on TinyShell, BleepingComputer explains, which is also open-source and widely available. It is used to execute commands, meaning this is where the damage gets dealt – threat actors use Rekoobe to steal files, exfiltrate sensitive information, take over accounts, etc.

The malware is also easier to detect at this point, meaning crooks need to be extra careful when deploying and running the second stage of their attack.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.