Connect with us

Hi, what are you looking for?


Malware & Threats

Umbreon Rootkit Being Distributed via Manual Installs

A recently analyzed Linux rootkit is being distributed via manual installations and targeting both Intel and ARM platforms, embedded platforms included, and provides attackers with complete control over the compromised devices, Trend Micro researchers warn.

A recently analyzed Linux rootkit is being distributed via manual installations and targeting both Intel and ARM platforms, embedded platforms included, and provides attackers with complete control over the compromised devices, Trend Micro researchers warn.

Called Umbreon, the threat shares the name with a Pokémon known for hiding in the night, which researchers say is “an appropriate characteristic for a rootkit.” The development of this malware, Trend Micro says, started in early 2015, but its developer has been active since at least 2013.

The rootkit has various execution modes, with different levels of access, including user mode (ring 3), kernel mode (ring 0), hypervisor (ring -1), and System Management Mode – SMM (ring -2). According to researchers, the lower the level code runs at, the harder it is to detect and mitigate the threat.

“A ring 3 rootkit (or usermode rootkit) does not install kernel objects onto the system, but hooks functions from core libraries that are used by programs as interfaces to system calls that run important operations in a system such as reading/writing files, spawning processes, or sending packets over the network. It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode,” Fernando Mercês, Trend Micro Senior Threat Researcher, explains.

Umbreon, the researcher says, has been successfully tested on three different platforms, namely x86, x86-64 and ARM (Raspberry Pi), which shows that it is very portable. Mercês also notes that the rootkit is written in pure C and has some additional tools written in Python and Bash scripting.

During installation, the malware creates a valid Linux user with a special GID (group ID), providing backdoor access to the infected system (the rootkit checks it to learn when access is attempted). The attacker can access the account via “any authentication method supported by Linux via pluggable authentication modules (PAMs), including SSH,” Mercês explains. Because libc functions are hooked by Umbreon, the user is not visible in files like /etc/passwd.

The malware includes a non-promiscuous libpcap-based backdoor called Espeon, also written in C, which can be used to establish a connection to an attacker machine, bypassing firewalls by functioning as a reverse shell. The backdoor captures all TCP traffic and, when it receives a TCP packet with some special field values, it connects to the source IP of this TCP packet.

Advertisement. Scroll to continue reading.

The rootkit can disguise itself from admins using the strace Linux command line tool and hooks two libpcap functions to prevent them from returning any information about TCP packets with specific ports, thus preventing analysis tools from capturing backdoor traffic.

The malware acts as a library that imitates the glibc (GNU C Library), patches the loader library to use its own file instead, which ensures that the library paths in this file are loaded before any other ELF program is launched. Thus, the malware makes sure that its main library and modified function addresses are loaded instead of the ones in libc, ensuring that the malicious functions can be called invisibly.

“These malicious functions then inspect the arguments they receive before calling the real ones. Similarly, the output of every command may have been modified before the user sees it. It effectively functions as an in-the-middle attack, modifying both the input and output of system functions,” the security researcher explains.

Because Umbreon hooks libc functions, detection requires a tool that doesn’t use libc (most of them do, regardless of whether they are written in C, Perl, Python, Ruby, PHP, or other scripting languages). Umbreon is a ring 3 (user level) rootkit, and Mercês says that it can be removed from the infected machine, though the operation might be tricky and could break the system and put it into an unrecoverable state.

Related: Password Bypass Flaw Found in GRUB2 Linux Bootloader

Related: PoC Linux Rootkit Uses GPU to Evade Detection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...