Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

OrBit, a new sophisticated Linux malware still undetected

Cybersecurity researchers warn of new malware, tracked as OrBit, which is a fully undetected Linux threat. Cybersecurity researchers at Intezer have uncovered a new Linux malware, tracked as OrBit, that is still undetected. The malware can be installed as a volatile implant either by achieving persistence on the compromised systems. The malware implements advanced evasion […]

OrBit

Cybersecurity researchers warn of new malware, tracked as OrBit, which is a fully undetected Linux threat.

Cybersecurity researchers at Intezer have uncovered a new Linux malware, tracked as OrBit, that is still undetected.

OrBit

The malware can be installed as a volatile implant either by achieving persistence on the compromised systems. The malware implements advanced evasion techniques and hooks key functions to maintain persistence on the infected systems. OrBit allows operators to achieve remote access capabilities over SSH, harvests credentials, and logs TTY commands.

“Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine.” reads the analysis published by the experts. “Unlike other threats that hijack shared libraries by modifying the environment variable LD_PRELOAD, this malware uses 2 different ways to load the malicious library. The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so it will load the malicious shared object.”

Experts noticed similarities between the threat and the recently disclosed Symbiote malware which is designed to infect all of the running processes on the compromised machines.

Unlike Symiote that leverages the LD_PRELOAD environment variable to load the shared object, OrBit employs two different methods. In the first method, the shared object is added to the configuration file that is used by the loader, in the second one the binary of the loader is patched to load the malicious shared object.

The malicious payload is a shared object (.SO file) that can be placed either in persistent storage, for example /lib/libntpVnQE6mk/, or in shim-memory under /dev/shm/ldx/. Placing the payload in the first path will allow the threat to gain persistence, otherwise, it is volatile.

The backdoor hooks the read and write functions to log data that is being written by the executed processes on the infected machine.

The attack chain starts with an ELF dropper that extracts the payload (“libdl.so”) and adds it to the shared libraries that are loaded by the dynamic linker.

“The shared object hooks functions from 3 libraries: libc, libcap and Pluggable Authentication Module (PAM). Existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, allowing the malware to infect the whole machine and harvest credentials, evade detection, gain persistence and provide remote access to the attackers.” continues the experts.

The experts pointed out that the malware outstands for its almost hermetic hooking of libraries. Linux threats continue to evolve, recently other sophisticated Linux malware were spotted by the researchers in the wild such as Symbiote and Syslogk.

“Threats that target Linux continue to evolve while successfully staying under the radar of security tools, now OrBit is one more example of how evasive and persistent new malware can be.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, OrBit)

[adrotate banner=”5″]

[adrotate banner=”13″]