OrBit, a new sophisticated Linux malware still undetected

Cybersecurity researchers warn of new malware, tracked as OrBit, which is a fully undetected Linux threat.

Cybersecurity researchers at Intezer have uncovered a new Linux malware, tracked as OrBit, that is still undetected.

The malware can be installed as a volatile implant either by achieving persistence on the compromised systems. The malware implements advanced evasion techniques and hooks key functions to maintain persistence on the infected systems. OrBit allows operators to achieve remote access capabilities over SSH, harvests credentials, and logs TTY commands.

“Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine.” reads the analysis published by the experts. “Unlike other threats that hijack shared libraries by modifying the environment variable LD_PRELOAD, this malware uses 2 different ways to load the malicious library. The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so it will load the malicious shared object.”

Experts noticed similarities between the threat and the recently disclosed Symbiote malware which is designed to infect all of the running processes on the compromised machines.

Unlike Symiote that leverages the LD_PRELOAD environment variable to load the shared object, OrBit employs two different methods. In the first method, the shared object is added to the configuration file that is used by the loader, in the second one the binary of the loader is patched to load the malicious shared object.

The malicious payload is a shared object (.SO file) that can be placed either in persistent storage, for example /lib/libntpVnQE6mk/, or in shim-memory under /dev/shm/ldx/. Placing the payload in the first path will allow the threat to gain persistence, otherwise, it is volatile.

The backdoor hooks the read and write functions to log data that is being written by the executed processes on the infected machine.

The attack chain starts with an ELF dropper that extracts the payload (“libdl.so”) and adds it to the shared libraries that are loaded by the dynamic linker.

“The shared object hooks functions from 3 libraries: libc, libcap and Pluggable Authentication Module (PAM). Existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, allowing the malware to infect the whole machine and harvest credentials, evade detection, gain persistence and provide remote access to the attackers.” continues the experts.

The experts pointed out that the malware outstands for its almost hermetic hooking of libraries. Linux threats continue to evolve, recently other sophisticated Linux malware were spotted by the researchers in the wild such as Symbiote and Syslogk.

“Threats that target Linux continue to evolve while successfully staying under the radar of security tools, now OrBit is one more example of how evasive and persistent new malware can be.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, OrBit)

[adrotate banner=”5″]

[adrotate banner=”13″]