
Pokemon-fan VXer developed the Linux Umbreon rootkit

Security researchers from TrendMicro have published an interesting analysis of the Linux Umbreon rootkit, a new piece of malware developed by a Pokemon-fan VXer.

Malware researchers from TrendMicro have obtained samples of a new strain of Linux rootkit from one of its trusted partners.

The new rootkit family was named Umbreon (ELF_UMBREON family) after one of the Pokémon characters. It targets Linux systems, including embedded devices and any other system running either Intel or ARM processors.

According to the experts, the Umbreon rootkit was developed in early 2015 by a VXer who has been active in the cybercriminal underground since at least 2013. In criminal underground forums it has been claimed that Umbreon is very effective at evading detection.

“Rootkits are persistent threats intended to be hard to detect/observe. Its main purpose is to keep itself (and other malware threats) stealthed and totally hidden from administrators, analysts, users, scanning, forensic, and system tools.” Trend Micro senior threat researcher Fernando Mercês says. “They may also open a backdoor and/or use a C&C server and provide an attacker ways to control and spy on the affected machine.”

Umbreon is classified as a ring 3 rootkit (or user-mode rootkit) because it runs in user mode (ring 3). This means it does not install kernel objects on the system; instead, it hooks functions in the core libraries that applications use as an intermediate layer for system calls.

“[Umbreon] hooks functions from core libraries that are used by programs as interfaces to system calls that run important operations in a system such as reading/writing files, spawning processes, or sending packets over the network. It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode.”

Once it has compromised the target system, the rootkit creates a valid Linux user that attackers can use to log in through any authentication method Linux supports via pluggable authentication modules (PAM), including SSH.

The researchers from TrendMicro focused their analysis on the Espeon backdoor component, a non-promiscuous libpcap-based backdoor written in C that spawns a shell when an authenticated user connects to it. (The attackers also named this component after a Pokémon –

Once again, the author named a component after a Pokémon. Espeon lets an attacker obtain a connection back to the attacker's own machine, working as a reverse shell to get past firewalls.

Espeon is able to capture all the traffic from the Ethernet interface of the infected machine.

To remove the Umbreon rootkit from an infected system, boot a Linux live CD and follow these steps:

  1. Mount the partition where the /usr directory is located; write privileges are required.
  2. Backup all the files before making any changes.
  3. Remove the file /etc/ld.so.<random>.
  4. Remove the directory /usr/lib/libc.so.<random>.
  5. Restore the attributes of the files /usr/share/libc.so.<random>.<arch>.*.so and remove them as well.
  6. Patch the loader library to use /etc/ld.so.preload again.
  7. Unmount the partition and reboot the system normally.

This procedure works because Umbreon is a ring 3 (user-level) rootkit: its components are ordinary files on disk rather than code inside the kernel.
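Before touching anything, the same artefacts named in the cleanup steps can be checked for from the live CD. The script below is an added example written for this article, not Trend Micro's or the author's code; it assumes the infected partition is mounted read-only at a path given as its argument, and it assumes the stock glibc loader embeds the literal string /etc/ld.so.preload (a loader patched to read a different list no longer does):

```shell
#!/bin/sh
# Added example (not Trend Micro's or Security Affairs' code): offline triage of a
# root filesystem mounted from a live CD, looking for the Umbreon artefacts the
# cleanup steps name. Paths are assumed from those steps.
# Usage: sh umbreon_triage.sh /mnt/root

# Stock glibc entries allowed under /etc/ld.so.*; anything else, such as the
# /etc/ld.so.<random> preload list, is reported.
unexpected_ld_so_files() {
    for f in "$1"/etc/ld.so.*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            ld.so.preload|ld.so.cache|ld.so.conf|ld.so.conf.d) ;;
            *) printf 'preload list: %s\n' "$f" ;;
        esac
    done
    return 0
}

# A *directory* named /usr/lib/libc.so.<random>, or any libc.so.* under
# /usr/share, matches the layout described above. A plain /usr/lib/libc.so.6
# file is normal on many distributions and is not reported.
unexpected_libc_entries() {
    for f in "$1"/usr/lib/libc.so.*; do
        if [ -d "$f" ]; then printf 'libc dir: %s\n' "$f"; fi
    done
    for f in "$1"/usr/share/libc.so.*; do
        if [ -e "$f" ]; then printf 'fake libc: %s\n' "$f"; fi
    done
    return 0
}

# The unmodified glibc loader contains the literal "/etc/ld.so.preload".
# Assumption: glibc-based system (musl has no preload file, so its loader
# would always be reported here).
patched_loaders() {
    find "$1"/lib "$1"/lib64 "$1"/usr/lib -maxdepth 2 -type f \
        -name 'ld-*.so*' 2>/dev/null | while read -r ld; do
        grep -aqF '/etc/ld.so.preload' "$ld" || printf 'patched loader: %s\n' "$ld"
    done
    return 0
}

# Print every finding; exit status 1 when anything was found, 0 when clean.
umbreon_triage() {
    out=$(unexpected_ld_so_files "$1"; unexpected_libc_entries "$1"; patched_loaders "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

[ $# -eq 0 ] || umbreon_triage "$1"
```

A clean tree produces no output; any finding is a reason to keep the partition mounted read-only and take a full image before proceeding with the removal steps.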

To detect the Umbreon rootkit, the YARA rules published by TrendMicro can be used.


Pierluigi Paganini

(Security Affairs – Umbreon Rootkit,Pokemon)
