New Linux malware has been discovered that can evade detection by antivirus programs, steal sensitive data from compromised endpoints and infect every process running on the device.
Cybersecurity researchers at Intezer Labs say the malware, called OrBit, modifies the LD_PRELOAD environment variable to hijack shared libraries and, as a result, intercept function calls.
“The malware implements advanced evasion techniques, gains persistence on the machine by hooking key functions, provides remote access to threat actors via SSH, collects credentials, and logs TTY commands,” explains Intezer Labs researcher Nicole Fishbein.
Hiding in plain sight
“Once the malware is installed, it infects all running processes, including new ones running on the machine.”
Until recently, most antivirus solutions did not treat the OrBit dropper or payload as malicious, although the researchers add that some anti-malware vendors now identify OrBit as malicious.
“This malware steals information from various commands and utilities and stores it in specific files on the machine. In addition, files are used extensively for storing data, something that has not been seen before,” Fishbein concludes.
“What makes this malware particularly interesting is the nearly airtight hooking of libraries on the victim’s machine, which allows the malware to steal information, set up SSH backdoors, gain persistence and evade detection.”
Threat actors have recently been very active on the Linux platform, Bleeping Computer found. In addition to OrBit, the recently discovered Symbiote malware uses the LD_PRELOAD directive to load itself into running processes, acting as a system-wide parasite, and the publication adds that it leaves no signs of infection.
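Both OrBit and Symbiote, as described above, rely on the dynamic loader's preload mechanism. The following added example (not code from the article, Intezer or Bleeping Computer) is a defender-side check that surfaces the two places the loader honours preloads: the LD_PRELOAD variable in each process's startup environment under /proc/<pid>/environ, and the /etc/ld.so.preload file (a loader feature not mentioned in the article). Any paths it reports are whatever is on the host; the sample values used to exercise the parsers are constructed.

```python
# Added example, not code from the article or from Intezer. The dynamic loader
# honours LD_PRELOAD (environment) and /etc/ld.so.preload (file); this script
# surfaces both so unexpected preloaded libraries can be reviewed by hand.
import os
from pathlib import Path

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob read from /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def preloaded_from_environ(raw: bytes) -> list:
    """Libraries named in LD_PRELOAD (the loader accepts ':' or space separators)."""
    value = parse_environ(raw).get("LD_PRELOAD", "")
    return value.replace(":", " ").split()

def preloaded_from_file(text: str) -> list:
    """Libraries in /etc/ld.so.preload: whitespace-separated, '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs

def scan_host(proc="/proc", preload_file="/etc/ld.so.preload") -> dict:
    """Report each PID whose environment sets LD_PRELOAD, plus the preload file."""
    findings = {"preload_file": [], "processes": {}}
    try:
        findings["preload_file"] = preloaded_from_file(Path(preload_file).read_text())
    except OSError:
        pass  # file absent (the normal state) or unreadable
    try:
        pids = [d for d in os.listdir(proc) if d.isdigit()]
    except OSError:
        pids = []  # not a Linux procfs (or not mounted); nothing to inspect
    for pid in pids:
        try:
            libs = preloaded_from_environ(Path(proc, pid, "environ").read_bytes())
        except OSError:
            continue  # process exited, or no permission (run as root for full view)
        if libs:
            findings["processes"][int(pid)] = libs
    return findings

if __name__ == "__main__":
    print(scan_host())
```

/proc/<pid>/environ reflects a process's startup environment only, and a hooking library of the kind the article describes can filter what userland tools on the same host see, so treat an empty result as inconclusive and corroborate from outside the host (a forensic image or an eBPF/kernel-side view).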
BPFDoor is similar malware: it targets Linux systems and hides using common Linux daemon names, which allowed it to stay under the antivirus radar for five years.
In addition to these two, there is also Syslogk, a rootkit that can both load and hide malicious programs. As Avast cybersecurity researchers have revealed, the rootkit is based on an old open-source rootkit called Adore-Ng. Because it is still in a relatively early stage of (active) development, it is not yet known whether it will develop into a full-fledged threat.