A new Linux rootkit has been discovered that is capable of both downloading and hiding malware.
As cybersecurity researchers from Avast have shown, the rootkit, called Syslogk, is based on an old open source rootkit called Adore-Ng.
It is also at a relatively early stage of (active) development, so whether or not it becomes a full-scale threat remains to be seen.
When Syslogk loads, it first removes its entry from the list of installed modules, which means the only way to detect it is through an open interface in the /proc file system. Besides hiding from manual inspection, it can also hide the directories containing the dropped malware, hide processes, and hide network traffic.
But perhaps most importantly, it can remotely start or stop payloads.
One such payload discovered by Avast researchers is ELF:Rekoob, better known as Rekoobe. This malware is a backdoor trojan written in C. Syslogk can drop it on the compromised endpoint and then keep it dormant until it receives a "magic packet" from the malware operators. The magic packet can both start and stop the malware.
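A module that unlinks itself from the kernel's module list disappears from lsmod (which reads /proc/modules), but the kernel does not necessarily remove the module's sysfs directory at the same time. The script below is an added example for defenders, not code from Avast or from the article: it lists loadable modules that still have a /sys/module/&lt;name&gt;/initstate file (built-in modules have none) yet are missing from /proc/modules. It assumes the rootkit hides only from the module list and not from sysfs, and the two path arguments let it run against constructed fixtures as well as the live system.

```shell
#!/bin/sh
# Added example (not Avast's or the article's code).
# Compare what lsmod sees (/proc/modules) with the sysfs module directory.
# Assumption: a hidden module is unlinked from the module list but its
# /sys/module/<name>/ directory, including the initstate file, remains.

hidden_modules() {
    proc_modules="$1"   # path to /proc/modules, or a constructed fixture
    sys_module="$2"     # path to /sys/module, or a constructed fixture
    for dir in "$sys_module"/*/; do
        # Built-in modules have no initstate file; skip them.
        [ -f "${dir}initstate" ] || continue
        name=$(basename "$dir")
        # Each /proc/modules line starts with "<name> <size> ...".
        if ! grep -q "^$name " "$proc_modules"; then
            echo "$name"
        fi
    done
}

# Live usage: print any loadable module present in sysfs but absent from lsmod.
if [ -r /proc/modules ] && [ -d /sys/module ]; then
    hidden_modules /proc/modules /sys/module
fi
```

An empty result means every loadable module known to sysfs is also in the module list; any name printed deserves a closer look, since a legitimately loaded module should appear in both places.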
"We've noticed that the Syslogk rootkit (and the Rekoobe payload) work well for covert use with a fake SMTP server," Avast said in a blog post. "Think how hidden it can be; a backdoor that does not load until some magic packets are sent to the machine. When requested, it appears to be a legitimate service, hidden in memory, hidden on disk, remotely 'magically' executed, hidden online. Even if it is found while scanning the network port, it is still a legitimate SMTP server."
Rekoobe itself is based on TinyShell, BleepingComputer explains, which is also open source and widely available. It is used to execute commands, which means that this is where the damage is done: the threat actors use Rekoobe to steal files, exfiltrate sensitive information, take over accounts, and so on.
The malware is also easier to detect at this stage, which means the attackers need to be especially careful when deploying and launching the second stage of their attack.
Via: BleepingComputer