A nasty new malware strain is stealing data from Linux devices

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

A new Linux malware has been discovered that is capable of avoiding detection by antivirus programs, steals sensitive data from compromised endpoints and infects all processes running on a device.

Cybersecurity researchers from Intezer Labs say the malware, dubbed OrBit, modifies the LD_PRELOAD environment variable, allowing it to hijack shared libraries and, consequently, intercept function calls. 

"The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands," Intezer Labs researcher Nicole Fishbein explained.

Hiding in plain sight

"Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine."

Up until only recently, most antivirus solutions did not treat OrBit dropper, or payload, as malicious, the researchers said but added that now, some anti-malware service providers do identify OrBit as malicious. 

"This malware steals information from different commands and utilities and stores them in specific files on the machine. Besides, there is an extensive usage of files for storing data, something that was not seen before," Fishbein concluded.

"What makes this malware especially interesting is the almost hermetic hooking of libraries on the victim machine, that allows the malware to gain persistence and evade detection while stealing information and setting SSH backdoor."

Threat actors have been quite active on the Linux platform lately, BleepingComputer has found. Besides OrBit, the recently discovered Symbiote malware also uses the LD_PRELOAD directive to load itself into running processes. It acts as a system-wide parasite, the publication claims, adding that it leaves no sign of infection.

BPFDoor is a similar malware strain, as well. It targets Linux systems and hides by using the names of common Linux daemons. This helped it stay under antivirus radars for five years. 

Besides these two, there is also Syslogk, capable of both loading, and hiding, malicious programs. As revealed by cybersecurity researchers from Avast, the rootkit malware is based on an old, open-sourced rootkit called Adore-Ng. It’s also in a relatively early stage of (active) development, so whether or not it evolves into a full-blown threat, remains to be seen.

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Close up of the Linux penguin.
A new Linux backdoor is hitting US universities and governments
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
GitHub Webpage
A cracked malicious version of a Go package lay undetected online for years
Latest in Security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Latest in News
A phone showing a ChatGPT app error message
ChatGPT is down for many – here's what's going on
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
US flags
US government IT contracts set to be centralized in new Trump order
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping