OrBit: A new Linux malware that worries security researchers

There is no peace for cybersecurity researchers, who discover new threats every day. This is the case with a newly discovered Linux malware. The new malware, called OrBit, underscores a growing and worrying trend of malware attacks targeting the popular penguin operating system.


OrBit: Linux malware that worries researchers

The purpose of the malware is the classic one: stealing information from the Linux machines it is installed on. It works similarly to other recently discovered malware such as Symbiote or BPFdoor. Discovered and first identified by the security researchers of Intezer Labs, this malware inserts itself into executables by being dynamically loaded as a shared library via the LD_PRELOAD environment variable on compromised devices, which gives it the ability to modify the functions of other shared libraries that are commonly loaded by all Linux processes.

Not only that: OrBit is more insidious than that. The attack chain begins with an ELF executable, called a "dropper", which is responsible for extracting the libdl.so payload and adding it to the shared libraries that are loaded by the dynamic linker. Furthermore, it is able to modify the dynamic linker executable itself so that it loads the malicious library.

The shared library is therefore designed to act as a "hook" for the classic, standard functions of three libraries in particular: libc, libcap and the Pluggable Authentication Module (PAM). In doing so, both existing and new processes use the modified functions, which wrap the originals, essentially allowing the attacker to collect credentials, hide network activity and obtain remote access to the host via SSH, all while remaining under the radar.

For example, once inserted into a running process, OrBit can manipulate its output to hide any trace of its existence by filtering what is being logged:

"The malware implements advanced evasion techniques and gains persistence on the machine by hooking up key functions, provides threat actors with remote access capabilities over SSH, collects credentials and logs TTY commands (…) Once installed, the malware will infect all running processes, including new processes, running on the machine."
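The LD_PRELOAD hooking described above leaves traces a defender can look for. The following is an added example, not Intezer's tooling or code from the article: it parses /proc/<pid>/environ, /etc/ld.so.preload and /proc/<pid>/maps for preloaded or out-of-place shared objects. The trusted-directory list and the sample library path /dev/shm/libdl.so used in the checks are constructed assumptions, not indicators from the report.

```python
import os
import re

# Where legitimately installed shared objects normally live (assumption; adjust per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def preload_env_entries(environ_blob):
    """Parse a NUL-separated /proc/<pid>/environ blob and return LD_PRELOAD paths."""
    found = []
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            found.extend(p for p in re.split(r"[:\s]+", value) if p)  # ':' or ' ' separated
    return found

def ld_so_preload_entries(text):
    """Return library paths listed in /etc/ld.so.preload (one per line, '#' comments)."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ln for ln in lines if ln]

def untrusted_mapped_libs(maps_text):
    """From /proc/<pid>/maps text, return .so files mapped from outside TRUSTED_LIB_DIRS."""
    suspicious = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(fields) == 6:
            path = fields[5]
            if ".so" in os.path.basename(path) and not path.startswith(TRUSTED_LIB_DIRS):
                suspicious.add(path)
    return sorted(suspicious)

def scan_live_system():
    """Walk /proc and return {pid: findings}. A hooked libc can filter what this
    reads, so prefer a statically linked interpreter or an offline disk image."""
    report = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                hits = preload_env_entries(f.read())
            with open(f"/proc/{pid}/maps") as f:
                hits += untrusted_mapped_libs(f.read())
        except OSError:
            continue  # process exited, or not readable by this user
        if hits:
            report[int(pid)] = hits
    return report

if __name__ == "__main__":
    for pid, hits in scan_live_system().items():
        print(pid, hits)
```

A library mapped from inside a trusted directory is not flagged by this heuristic, so cross-check any unfamiliar .so against the package manager's file ownership and hashes.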

OrBit isn't the first highly evasive Linux malware to emerge recently. As mentioned initially, Symbiote also uses the LD_PRELOAD environment variable to load itself into running processes, acting as a system-wide parasite and leaving no signs of infection.

"This malware steals information from various system commands and utilities and stores it in specific files on the machine. Additionally, there is extensive use of files for data storage, something that has never been seen before. What makes this malware particularly interesting is the near-hermetic hooking of libraries on the victim's computer, which allows the malware to gain persistence and evade detection while stealing information and setting up SSH-based backdoors."

BPFDoor, another recently spotted malware targeting Linux systems, camouflages itself using the names of common Linux daemons. Suffice it to say that this helped it stay hidden for more than five years. The primary focus of both remains hooking into BPF (Berkeley Packet Filter) related functions to monitor and manipulate network traffic, which essentially allows them to completely hide their communication channels from security tools.

A third Linux malware, a rapidly developing rootkit nicknamed Syslogk and unveiled by Avast researchers, loads some of its own modules into the Linux kernel, thus acting at the kernel level. This allows it to hide directories and network traffic to evade detection.

The article "OrBit: A New Linux Malware Concerning Security Researchers" was written at Tech CuE | Close-up Engineering.