New Highly-Evasive Linux Malware Infects All Running Processes

Intezer Labs security researchers have identified a sophisticated new malware that targets Linux devices. Dubbed OrBit, the malware can gain persistence quickly, evade detection and hide its presence in network activity by manipulating logs.

The module hooks functions called in shared libraries, which is pretty common for malware, but it also implements “advanced evasion techniques” and “remote capabilities over SSH.”

The security lab concluded that Linux threats “continue to evolve while successfully staying under the radar of security tools, now OrBit is one more example of how evasive and persistent new malware can be.”

See the Best Open Source Security Tools

OrBit Malware Details

OrBit extracts the output of executed commands in specific files on the targeted machine. Intezer researchers named it after one of the filenames used by the malware.

It accepts arguments to customize the installation path and other configurations such as payload content. OrBit has two installation modes: /lib/ for persistence and /dev/shm/ (shim-memory) for volatile.

Intezer published IoCs (indicators of compromise) for security teams and defenders. The dropper prepares the environment and writes Python scripts that interact with the filesystem to deliver the payload and execute it with high privileges. It also uses the environment variable LD_PRELOAD to hijack shared libraries. This approach can be found in other Linux malware, such as Symbiote.

According to Intezer, OrBit loads its malicious library in two different ways:

  1. By adding the shared object to the configuration file that is used by the loader
  2. And by patching the binary of the loader itself so it will load the malicious shared object.

Placing shared objects (e.g. libdl.so) in specific paths allows hooking functions from three libraries: libc, libcap and Pluggable Authentication Module (PAM). Because these functions are used by existing processes, the malware can spread around the machine, evade detection, and set remote access.

Orbit goes beyond other approaches by implementing “an extensive usage of files.” Indeed, it stores stolen data in specific files on the targeted machine, which is pretty new, according to the researchers.

Stealth Malware Infects Entire Machine

The module “hooks multiple functions to prevent them from outputting information that might reveal the existence of the malicious shared library in the running processes or the files that are being used,” the researchers wrote.

The malware uses a custom numeric value (GID) set by the dropper to identify its own files and processes: “if it doesn’t match the hardcoded value, all of the directories with the predefined GID value will be omitted from the function’s output.”

This cautious approach lets the malware stay under the radar of most classic security tools. OrBit is not the first malware that focuses on evasion. BPFDoor, another Linux malware, uses the names of common Linux daemons to remain undetected (see image below).

However, by hooking functions in the Linux Pluggable Authentication Module to steal information from SSH connections, attackers can gain remote access while hiding network activity.

See the Best Network Monitoring Tools

OrBit Can Optimize Persistence

The malware is hard to remove while the machine is running. Intexer explained that’s because of the two methods used to achieve persistence “in case one of them goes away.”

First, it adds the path to the malware into the /etc/ld.so.preload configuration file to ensure the malware is loaded first and for all new processes. As this method will fail if the configuration file gets removed, the second method consists of copying the binary of the loader itself and patching it if the config file is not found on the system.

Whether administrators delete the file or restore the original version, the malware will either recreate or repatch it.

In addition, the malware can monitor its own network activity and filter its own traffic. To achieve that, it hooks functions such as bind, connect, or pcap_packet_callback to log IP addresses and ports in the .ports file within the malware folder.

See the Top Vulnerability Management Tools

Linux Endpoints Increasingly Targeted by Malware

It’s a common misbelief to consider Linux more secure by nature than other operating systems. Because it’s prevalent in most cloud-based architecture and pretty common in enterprises, it’s attractive for hackers, and it does require monitoring.

Obviously, classic antivirus software won’t catch threats like OrBit that are specifically meant to evade them. Threat actors behind the malware seem to master Linux internals, as you would expect from such hackers, and their approach might inspire other groups. Some security vendors have updated their mapping after Intezer’s publication, but others are still not detecting the threat.

Read next: Top Endpoint Detection & Response (EDR) Solutions

Julien Maury
Julien Maury
Julien Maury is a backend developer, a mentor and a technical writer. He loves sharing his knowledge and learning new concepts.

Top Products

Related articles