This new Linux rootkit malware is already targeting victims

News
By published

The rootkit may not be a major threat yet, but it is growing

Linux
He can work for you (Image credit: Linux Foundatiox)

A new rootkit affecting Linux systems has been discovered that is capable of both loading, and hiding, malicious programs. 

As revealed by cybersecurity researchers from Avast, the rootkit malware, called Syslogk, is based on an old, open-sourced rootkit called Adore-Ng. 

It’s also in a relatively early stage of (active) development, so whether or not it evolves into a full-blown threat, remains to be seen.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

When the Syslogk loads, it first removes its entry from the list of installed modules, meaning the only way to spot it is through an exposed interface in the /proc file system. Besides hiding itself from manual inspection, it is also capable of hiding directories that host the dropped malware, hiding processes, as well as network traffic.

But perhaps most importantly - it can remotely start or stop payloads. 

Enter Rekoobe

One such payload that was discovered by Avast’s researchers is called ELF:Rekoob, or more widely known as Rekoobe. This malware is a backdoor trojan written in C. Syslogk can drop it on the compromised endpoint, and then have it lay dormant until it receives a “magic packet” from the malware’s operators. The magic pocket can both start, and stop the malware. 

“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server,” Avast explained in a blog post. “Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”

Read more

> Linux malware is booming, so stay secure, Microsoft warns

> Malware targeting Linux systems hit a new high in 2021

> Sneaky Linux malware hides behind events scheduled to run on February 31

Rekoobe itself is based on TinyShell, BleepingComputer explains, which is also open-source and widely available. It is used to execute commands, meaning this is where the damage gets dealt - threat actors use Rekoobe to steal files, exfiltrate sensitive information, take over accounts, etc. 

The malware is also easier to detect at this point, meaning crooks need to be extra careful when deploying and running the second stage of their attack. 

Via: BleepingComputer

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Close up of the Linux penguin.
A new Linux backdoor is hitting US universities and governments
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
New UEFI Secure Boot flaw exposes systems to bootkits
GitHub Webpage
A cracked malicious version of a Go package lay undetected online for years
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Telegram
New Golang malware is hijacking Telegram to help itself spread
Latest in Security
NHS
NHS IT supplier hit with major fine following ransomware attack
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Latest in News
Screenshot from action RPG soulslike Lies of P
Lies of P Overture won't elaborate on the game's eyebrow-raising post-credits twist, and I think that's good news
Nintendo Switch 2
The Switch 2 launching with a Mario Kart game 'is very unlike Nintendo' compared to the original Switch releasing with Breath of the Wild, says former marketing leads: 'That's what's gonna make you want to buy the new hardware'
Kindle de Amazon
The latest Kindle update finally fixes page turning – and adds the perfect reading tool for my sieve-like brain
Waze voice control
Waze is ditching Google Assistant for Gemini on iOS, and for good reasons
Apple Watch Ultra 2 displaying a step count and distance
Using a smartwatch could be a game-changer for people with diabetes, new research suggests
Focal Bathys MG
Focal just upgraded its audiophile noise-cancelling wireless headphones with even better sound, better noise cancelling, and a way higher price
More about security
NHS

NHS IT supplier hit with major fine following ransomware attack
Data leak

Top home hardware firm data leak could see millions of customers affected
Arlo video doorbell and chime spring sale deal

Our best budget video doorbell is at an even more affordable price in Amazon's Spring Sale

See more latest
Most Popular
Kindle de Amazon
The latest Kindle update finally fixes page turning – and adds the perfect reading tool for my sieve-like brain
Screenshot from action RPG soulslike Lies of P
Lies of P Overture won't elaborate on the game's eyebrow-raising post-credits twist, and I think that's good news
Nintendo Switch 2
The Switch 2 launching with a Mario Kart game 'is very unlike Nintendo' compared to the original Switch releasing with Breath of the Wild, says former marketing leads: 'That's what's gonna make you want to buy the new hardware'
Apple iPad Pro 13-inch (2024)
iPadOS 19: 4 rumored new features, and 2 I’d like to see
Apple Watch Ultra 2 displaying a step count and distance
Using a smartwatch could be a game-changer for people with diabetes, new research suggests
Focal Bathys MG
Focal just upgraded its audiophile noise-cancelling wireless headphones with even better sound, better noise cancelling, and a way higher price
Waze voice control
Waze is ditching Google Assistant for Gemini on iOS, and for good reasons
Garmin Fenix 8 vs Enduro 3 comparison
Garmin adds premium Garmin Connect+ tier with AI features – but promises your free experience ‘is not going away’
Microsoft Copilot combines the Microsoft 365 apps, Microsoft Graph and Artificial Intelligence. Isolated 3D logo on a surface
Microsoft adds Copilot AI features to Windows 11's Photos app - and I actually don't hate them
Kirby inhaling a Nintendo Switch
Nintendo Direct live build-up: no Switch 2, but these are our predictions for what we could see