This new Linux rootkit malware is already targeting victims

News
By
published

The rootkit may not be a major threat yet, but it is growing

Linux
He can work for you (Image credit: Linux Foundatiox)

A new rootkit affecting Linux systems has been discovered that is capable of both loading, and hiding, malicious programs. 

As revealed by cybersecurity researchers from Avast, the rootkit malware, called Syslogk, is based on an old, open-sourced rootkit called Adore-Ng. 

It’s also in a relatively early stage of (active) development, so whether or not it evolves into a full-blown threat, remains to be seen.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

When the Syslogk loads, it first removes its entry from the list of installed modules, meaning the only way to spot it is through an exposed interface in the /proc file system. Besides hiding itself from manual inspection, it is also capable of hiding directories that host the dropped malware, hiding processes, as well as network traffic.

But perhaps most importantly - it can remotely start or stop payloads. 

Enter Rekoobe

One such payload that was discovered by Avast’s researchers is called ELF:Rekoob, or more widely known as Rekoobe. This malware is a backdoor trojan written in C. Syslogk can drop it on the compromised endpoint, and then have it lay dormant until it receives a “magic packet” from the malware’s operators. The magic pocket can both start, and stop the malware. 

“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server,” Avast explained in a blog post. “Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”

Read more

> Linux malware is booming, so stay secure, Microsoft warns

> Malware targeting Linux systems hit a new high in 2021

> Sneaky Linux malware hides behind events scheduled to run on February 31

Rekoobe itself is based on TinyShell, BleepingComputer explains, which is also open-source and widely available. It is used to execute commands, meaning this is where the damage gets dealt - threat actors use Rekoobe to steal files, exfiltrate sensitive information, take over accounts, etc. 

The malware is also easier to detect at this point, meaning crooks need to be extra careful when deploying and running the second stage of their attack. 

Via: BleepingComputer

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Close up of the Linux penguin.
A new Linux backdoor is hitting US universities and governments
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
New UEFI Secure Boot flaw exposes systems to bootkits
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen
GitHub Webpage
A cracked malicious version of a Go package lay undetected online for years
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Latest in Security
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
Red padlock open on electric circuits network dark red background
AI-powered cyber threats are becoming the biggest worry for businesses everywhere
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Red padlock open on electric circuits network dark red background
Aviaton firms hit by devious new polyglot malware
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
Major ransomware attack sees Tata Technologies hit - 1.4TB dataset with over 730,000 files allegedly stolen
Image of laptop infected with malware
Ransomware criminals are now sending their demands...by snail mail?
Latest in News
A screenshot showing Naoe looking at the hidden blade in Assassin's Creed Shadows
Prep 107GB of space as Assassin's Creed Shadows preload and expected global release times are shared by Ubisoft
Sam Altman and OpenAI
UK regulator clears Microsoft’s $13bn deal with OpenAI after lengthy delay
the last of us 2 gate codes
The Last of Us director Neil Druckmann speaks on the possibility of The Last of Us Part 3: 'I guess the only thing I would say is don’t bet on there being more'
Google AI Mode
Google previews AI Mode for search, taking on the likes of ChatGPT search and Perplexity
AMD Ryzen 9950X
Ryzen CPUs are the cheapest Zen 5 cores you can buy, but I was surprised to see this AMD 192-core CPUs on the value leaderboard
A hand holding a phone showing the Android Find My Device network
Android's Find My Device can now let you track your friends – and I can't decide if that's cool or creepy
More about security
Webex by Cisco banner on a Chromebook

Cisco warns some Webex users of worrying security flaw, so patch now
Image of laptop infected with malware

Ransomware criminals are now sending their demands...by snail mail?
the last of us 2 gate codes

The Last of Us director Neil Druckmann speaks on the possibility of The Last of Us Part 3: 'I guess the only thing I would say is don’t bet on there being more'
See more latest
Most Popular
the last of us 2 gate codes
The Last of Us director Neil Druckmann speaks on the possibility of The Last of Us Part 3: 'I guess the only thing I would say is don’t bet on there being more'
A screenshot showing Naoe looking at the hidden blade in Assassin's Creed Shadows
Prep 107GB of space as Assassin's Creed Shadows preload and expected global release times are shared by Ubisoft
Google AI Mode
Google previews AI Mode for search, taking on the likes of ChatGPT search and Perplexity
An angry Mark Grayson flying towards the camera in Invincible season 3 episode 7
Invincible season 3 episode 7 ending explained: who dies, who plays Conquest, who is Ka-Hor, and more big questions answered
Sam Altman and OpenAI
UK regulator clears Microsoft’s $13bn deal with OpenAI after lengthy delay
AMD Ryzen 9950X
Ryzen CPUs are the cheapest Zen 5 cores you can buy, but I was surprised to see this AMD 192-core CPUs on the value leaderboard
Thanko monitor
At 11lbs, this double 24-inch 'portable' monitor is a bit too much for me but I love the audacity
Rocket Enterprise SSD
Sabrent launches its first 30.72TB SSD, but like all the others, you won't be able to run it on your PC (or buy it on Amazon)
Volkswagen ID.EVERY1 Concept Car
Volkswagen reveals the ID.1 concept car, which will spawn its cheapest all-electric model to date
Eurocom Raptor X17
This $12,000 laptop comes with 24TB RAID-0 SSD storage, 128GB of RAM, and Intel's most powerful mobile CPU - but no Nvidia RTX 5090M GPU