This new Linux rootkit malware is already targeting victims

A new rootkit has been discovered that affects Linux systems and is capable of both loading and hiding malicious programs.

As revealed by Avast cybersecurity researchers, the rootkit, called Syslogk, is based on an older open source rootkit called Adore-Ng.

It is also at a relatively early stage of (active) development, so whether or not it becomes a full-fledged threat remains to be seen.

When Syslogk is loaded, it first removes its entry from the list of installed modules, which means that the only way to detect it is through an interface exposed in the /proc file system. In addition to hiding itself from manual inspection, it is also capable of hiding the directories that host the dropped malware, as well as hiding processes and network traffic.

But perhaps most importantly, it allows payloads to be started or stopped remotely.
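The module-list hiding described above is the kind of thing a defender can cross-check from user space. The following is an added example, not code from Avast or from the article: it compares the module names in /proc/modules (what lsmod prints) with the loadable modules visible under /sys/module, on the assumption that a module which unlinks itself from the kernel's module list may still leave its sysfs directory behind. Sample data and the "syslogk" module name are constructed; the page itself only says that a /proc interface remains.

```python
"""Heuristic check for a kernel module hidden from the module list.
Assumption: a module that unlinks itself from the in-kernel list vanishes
from /proc/modules and lsmod, but its /sys/module/<name>/ directory may remain,
so the two views can be compared. Added example, not Avast's or the article's code."""
import os

# /proc/modules lines look like: "name size refcount deps state address"
def parse_proc_modules(text):
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names

def loaded_sysfs_modules(sysfs):
    """sysfs: dict of name -> set of entry names under /sys/module/<name>/.
    Built-in modules also appear under /sys/module (for their parameters) but
    have no 'initstate' file; only loadable modules carry it, so that file is
    used to separate the two and avoid false positives on built-ins."""
    return {name for name, entries in sysfs.items() if "initstate" in entries}

def find_hidden_modules(proc_modules_text, sysfs):
    """Names present in sysfs as loaded modules but absent from /proc/modules."""
    return sorted(loaded_sysfs_modules(sysfs) - parse_proc_modules(proc_modules_text))

def read_sysfs_modules(root="/sys/module"):
    """Collect the real sysfs view on a Linux host (not used by the sample run)."""
    return {name: set(os.listdir(os.path.join(root, name))) for name in os.listdir(root)}

# Constructed sample data: two ordinary modules, one built-in, one hidden module.
SAMPLE_PROC_MODULES = """\
ext4 790528 2 - Live 0x0000000000000000
xfrm_algo 16384 1 - Live 0x0000000000000000
"""
SAMPLE_SYSFS = {
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "xfrm_algo": {"initstate", "refcnt", "sections", "holders"},
    "printk": {"parameters"},  # built-in: no initstate, so not suspicious
    "syslogk": {"initstate", "refcnt", "sections", "holders"},  # unlinked from the list
}

if __name__ == "__main__":
    # On a live host: find_hidden_modules(open("/proc/modules").read(), read_sysfs_modules())
    print(find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))  # prints ['syslogk']
```

A rootkit that also deletes its sysfs object will pass this check, so treat an empty result as absence of one signal, not as a clean bill of health.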

Enter Rekoobe

One such payload discovered by Avast researchers is detected as ELF:Rekoob and is better known as Rekoobe. This malware is a backdoor Trojan written in C. Syslogk can drop it on the compromised endpoint and then leave it idle until it receives a "magic packet" from the malware operators. The magic packet can start and stop the malware.

“We found that the Syslogk rootkit (and the Rekoobe payload) align perfectly when used covertly in conjunction with a fake SMTP server,” Avast explained in a blog post. “Consider how stealthy it could be; a backdoor that doesn't load until certain magic packets are sent to the machine. When asked, it appears to be a legitimate service hidden in memory, hidden on disk, executed remotely ‘magically’, hidden on the network. Even if found during a network port scan, it still appears to be a legitimate SMTP server.”

Rekoobe itself is based on TinyShell, explains BleepingComputer, which is also open source and widely available. It is used to execute commands, which means that is where the damage is done: attackers use Rekoobe to steal files, exfiltrate sensitive information, take over accounts, and more.

The malware is also easier to detect at this stage, which means criminals need to be very careful when deploying and executing the second stage of their attack.

Via: BleepingComputer