Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Avast: New Linux Rootkit and Backdoor Align Perfectly

Malware hunters at Avast have analyzed a newly discovered rootkit and backdoor that target Linux and appear designed to function in synergy with each other.

Malware hunters at Avast have analyzed a newly discovered rootkit and backdoor that target Linux and appear designed to function in synergy with each other.

Dubbed Syslogk, the rootkit is based on Adore-Ng, an older Linux rootkit, but packs new functionality that makes both the user-mode application and the kernel rootkit difficult to detect, Avast warned in an advisory.

Adore-Ng is an open source kernel rootkit, most recently updated to target Linux kernel 3.x. On an infected system, it can hide processes and files, and even the kernel module, and can be controlled via authenticated user-mode processes.

Syslogk was first observed in early 2022, with the sample compiled for a specific kernel version – which meant that it could be loaded without forcing (which is done using the –force flag of the insmod Linux command) – and featuring the hardcoded file name PgSD93ql for its payload, hiding it as a PostgreSQL file.

The rootkit was designed to hide directories containing malicious files, to hide malicious processes, to hide its malicious payload from appearing on the list of running services, to execute the malicious payload upon receiving a specially crafted TCP packet, and to stop the payload if instructed by the attacker.

[ READ: Sophisticated iLOBleed Rootkit Targets HP Servers ]

The payload, Avast’s researchers explain, is a variant of the Rekoobe malware, which is typically planted on legitimate servers – a SMTP server in this instance. On the infected system, Rekoobe can spawn a shell, essentially providing attackers with backdoor access.

Advertisement. Scroll to continue reading.

The researchers, who provide technical details on both the Syslogk rootkit, the Rekoobe backdoor and the various mechanisms they use, believe that the two malware families were developed by the same threat actor and that they are meant to run in tandem on an infected machine.

“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server,” Avast said.

“Consider how stealthy this could be: a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server,” the company added.

Related: Sophisticated iLOBleed Rootkit Targets HP Servers

Related: Researchers Find HiddenWasp Malware Targeting Linux

Related: Cross-Platform Rootkit and Spyware Hits Targets Worldwide

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...