Malware hunters at Avast have analyzed a newly discovered rootkit and backdoor that target Linux and appear designed to function in synergy with each other.
Dubbed Syslogk, the rootkit is based on Adore-Ng, an older Linux rootkit, but packs new functionality that makes both the user-mode application and the kernel rootkit difficult to detect, Avast warned in an advisory.
Adore-Ng is an open source kernel rootkit, most recently updated to target Linux kernel 3.x. On an infected system, it can hide processes and files, and even the kernel module, and can be controlled via authenticated user-mode processes.
Syslogk was first observed in early 2022, with the sample compiled for a specific kernel version – which meant that it could be loaded without forcing (which is done using the –force flag of the insmod Linux command) – and featuring the hardcoded file name PgSD93ql for its payload, hiding it as a PostgreSQL file.
The rootkit was designed to hide directories containing malicious files, to hide malicious processes, to hide its malicious payload from appearing on the list of running services, to execute the malicious payload upon receiving a specially crafted TCP packet, and to stop the payload if instructed by the attacker.
[ READ: Sophisticated iLOBleed Rootkit Targets HP Servers ]
The payload, Avast’s researchers explain, is a variant of the Rekoobe malware, which is typically planted on legitimate servers – a SMTP server in this instance. On the infected system, Rekoobe can spawn a shell, essentially providing attackers with backdoor access.
The researchers, who provide technical details on both the Syslogk rootkit, the Rekoobe backdoor and the various mechanisms they use, believe that the two malware families were developed by the same threat actor and that they are meant to run in tandem on an infected machine.
“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server,” Avast said.
“Consider how stealthy this could be: a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server,” the company added.
Related: Sophisticated iLOBleed Rootkit Targets HP Servers
Related: Researchers Find HiddenWasp Malware Targeting Linux
Related: Cross-Platform Rootkit and Spyware Hits Targets Worldwide