Posted on July 9, 2022 at 7:11 PM
Researchers have discovered a new Linux malware that is designed to backdoor Linux systems and compromise all running processes in the system. Cybersecurity researchers at Intezer Labs, who first discovered the malware in the wild, have dubbed it OrBit.
The researchers stated that the malware is capable of hijacking libraries to intercept function calls. It can also modify the LD_PRELOAD environment variable on the affected devices.
OrBit has several ways to gain access to the targeted system. It can prevent attempts to remove it from the affected system, and it can also be used as a volatile implant when copied into shim memory. Additionally, it has several methods of evading detection, including hooking various functions to hide its activity.
The OrBit Malware Maintains Strong Persistence
The researchers have revealed that OrBit can maintain persistence and control process behavior, hiding its network activity while infecting new processes. The malware is considered very dangerous and highly evasive, which allows it to maintain persistence for a very long time.
For example, after injecting into processes, OrBit can hide traces of its existence by filtering its own activity out of logged output.
Nicole Fishbein, Intezer Labs security researcher, stated that the malware implements advanced evasion techniques by hooking major functions. This gives the hackers remote access capabilities on the system.
Once the malware has been successfully installed, it infects all running processes on the system, both existing ones and newly started ones.
While the payload and dropper components of OrBit were not detected by security software when the malware was initially discovered, some anti-malware vendors have since warned clients of its existence. Some recently updated products can now detect the malware, but it has been designed to be continuously upgraded to evade security software.
OrBit is installed on a Linux device or machine through a dropper. Apart from installing the payload, the dropper also sets up the environment to execute the malware. The dropper uses a function called patch_ld to install the payload and add it to the shared libraries that get loaded. It first checks whether the malicious payload has already been loaded by looking for the path the malware uses, according to the researchers.
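As an added illustration of the technique described above (not code from the Intezer report or from the malware), the following script checks a Linux host for the preload-style library injection OrBit relies on: it lists libraries forced into every process through LD_PRELOAD or /etc/ld.so.preload, and flags shared objects mapped into running processes from outside the standard library directories. The trusted-directory list, the sample /proc maps content and the /dev/shm path in it are constructed assumptions, not indicators from the report.

```python
import os
import re
from pathlib import Path

# Assumption: on a stock distro, legitimate shared objects live under these prefixes.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample of /proc/<pid>/maps; the /dev/shm library is a hypothetical, not an IoC.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c1a0000-7f3a1c1b0000 rw-p 00000000 00:00 0
7f3a1c1b0000-7f3a1c1c0000 r-xp 00000000 00:14 99 /dev/shm/.x/libhook.so
7f3a1c200000-7f3a1c220000 r-xp 00000000 08:01 5678 /lib64/ld-linux-x86-64.so.2
"""

def mapped_libs(maps_text):
    """Extract the file-backed shared objects listed in /proc/<pid>/maps content."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # the 6th field is the backing path, if any
        if len(fields) == 6 and fields[5].startswith("/") and ".so" in os.path.basename(fields[5]):
            libs.add(fields[5].strip())
    return libs

def untrusted_libs(libs, trusted=TRUSTED_LIB_DIRS):
    """Libraries loaded from outside the trusted prefixes: candidates for preload injection."""
    return sorted(p for p in libs if not p.startswith(trusted))

def preload_entries(ld_preload_env, ld_so_preload_text):
    """Libraries forced into every process via LD_PRELOAD or /etc/ld.so.preload."""
    entries = [e for e in re.split(r"[:\s]+", ld_preload_env or "") if e]
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()  # the file allows '#' comments
        if line:
            entries.append(line)
    return entries

def scan_proc(proc="/proc"):
    """Walk live processes; returns {pid: [untrusted libs]}. Reading other users' maps needs root."""
    findings = {}
    for d in Path(proc).iterdir():
        if not d.name.isdigit():
            continue
        try:
            bad = untrusted_libs(mapped_libs((d / "maps").read_text()))
        except OSError:  # process exited or maps not readable
            continue
        if bad:
            findings[int(d.name)] = bad
    return findings
```

On a live host, run `scan_proc()` as root together with `preload_entries(os.environ.get("LD_PRELOAD"), Path("/etc/ld.so.preload").read_text())`; a non-empty result from either is worth investigating, and the same library appearing in both is the strongest signal.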
More Linux Malware Seen In The Wild
More Linux malware has been seen in the wild recently. OrBit is not the first malware designed to compromise Linux systems; others use similar approaches to backdoor devices.
A good example is the BPFDoor malware, which was also discovered recently. It has been spotted targeting Linux systems and camouflaging itself under the names of popular Linux daemons, an approach that kept it hidden from security systems for several years.
Another is the Symbiote malware, which uses the same LD_PRELOAD technique as OrBit to load itself into running processes. It acts as a system-wide parasite and hides its activity carefully, leaving no trace of infection.
These malware strains use Berkeley Packet Filter (BPF) hooking functionality to monitor and manipulate network traffic, which lets them hide their network communication from security software.
Another Linux malware strain discovered in the wild is Syslogk. The rootkit is still under development but was discovered by Avast researchers last month. According to the researchers, the new malware can force-load its modules into the Linux kernel and gain access to infected machines. It can also hide network traffic and directories to circumvent security systems.
OrBit Malware Has Strong Capabilities
While OrBit is neither the only nor the first malware strain targeting Linux systems, it is built with strong capabilities that set it apart from other threats.
Fishbein stated that the malware steals information from different utilities and commands and uses specific files to store it on the compromised system. Additionally, the malware reserves space to store the data it collects from several parts of the machine, something that had not been seen before.
Fishbein added that the malware is unique because of its near-hermetic hooking of libraries on the compromised system, which gives it strong access and persistence. It was built strategically to circumvent security checks while setting up an SSH backdoor and stealing information. The researcher also noted that the malware's developers could still add features to it, which would make it more potent and better able to evade detection.