A recently analyzed Linux rootkit is being distributed via manual installations and targeting both Intel and ARM platforms, embedded platforms included, and provides attackers with complete control over the compromised devices, Trend Micro researchers warn.
Called Umbreon, the threat shares the name with a Pokémon known for hiding in the night, which researchers say is “an appropriate characteristic for a rootkit.” The development of this malware, Trend Micro says, started in early 2015, but its developer has been active since at least 2013.
The rootkit has various execution modes, with different levels of access, including user mode (ring 3), kernel mode (ring 0), hypervisor (ring -1), and System Management Mode – SMM (ring -2). According to researchers, the lower the level code runs at, the harder it is to detect and mitigate the threat.
“A ring 3 rootkit (or usermode rootkit) does not install kernel objects onto the system, but hooks functions from core libraries that are used by programs as interfaces to system calls that run important operations in a system such as reading/writing files, spawning processes, or sending packets over the network. It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode,” Fernando Mercês, Trend Micro Senior Threat Researcher, explains.
Umbreon, the researcher says, has been successfully tested on three different platforms, namely x86, x86-64 and ARM (Raspberry Pi), which shows that it is very portable. Mercês also notes that the rootkit is written in pure C and has some additional tools written in Python and Bash scripting.
During installation, the malware creates a valid Linux user with a special GID (group ID), providing backdoor access to the infected system (the rootkit checks it to learn when access is attempted). The attacker can access the account via “any authentication method supported by Linux via pluggable authentication modules (PAMs), including SSH,” Mercês explains. Because libc functions are hooked by Umbreon, the user is not visible in files like /etc/passwd.
The malware includes a non-promiscuous libpcap-based backdoor called Espeon, also written in C, which can be used to establish a connection to an attacker machine, bypassing firewalls by functioning as a reverse shell. The backdoor captures all TCP traffic and, when it receives a TCP packet with some special field values, it connects to the source IP of this TCP packet.
The rootkit can disguise itself from admins using the strace Linux command line tool and hooks two libpcap functions to prevent them from returning any information about TCP packets with specific ports, thus preventing analysis tools from capturing backdoor traffic.
The malware acts as a library that imitates the glibc (GNU C Library), patches the loader library to use its own file instead, which ensures that the library paths in this file are loaded before any other ELF program is launched. Thus, the malware makes sure that its main library and modified function addresses are loaded instead of the ones in libc, ensuring that the malicious functions can be called invisibly.
“These malicious functions then inspect the arguments they receive before calling the real ones. Similarly, the output of every command may have been modified before the user sees it. It effectively functions as an in-the-middle attack, modifying both the input and output of system functions,” the security researcher explains.
Because Umbreon hooks libc functions, detection requires a tool that doesn’t use libc (most of them do, regardless of whether they are written in C, Perl, Python, Ruby, PHP, or other scripting languages). Umbreon is a ring 3 (user level) rootkit, and Mercês says that it can be removed from the infected machine, though the operation might be tricky and could break the system and put it into an unrecoverable state.
Related: Password Bypass Flaw Found in GRUB2 Linux Bootloader
Related: PoC Linux Rootkit Uses GPU to Evade Detection