This new Linux rootkit malware is already targeting victims

The rootkit may not be a major threat yet, but it is growing


A new rootkit affecting Linux systems has been discovered that is capable of both loading, and hiding, malicious programs.

As revealed by cybersecurity researchers from Avast, the rootkit malware, called Syslogk, is based on an old, open-sourced rootkit called Adore-Ng.

It’s also in a relatively early stage of active development, so whether or not it evolves into a full-blown threat remains to be seen.


When Syslogk loads, it first removes its entry from the list of installed modules, meaning the only way to spot it is through an exposed interface in the /proc file system. Besides hiding itself from manual inspection, it is also capable of hiding directories that host the dropped malware, hiding processes, as well as network traffic.

But perhaps most importantly - it can remotely start or stop payloads.
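As an added defender-side example (not Avast's tooling and not code from the rootkit), the script below performs the two cross-checks a Linux module-list rootkit of the Adore-Ng lineage makes worthwhile: it compares the loadable modules visible under /sys/module against /proc/modules, and it probes PIDs with signal 0 to find processes that answer but are missing from the /proc directory listing. The sample /proc/modules lines and the module name `hypothetical_hidden_mod` are constructed; the live checks at the bottom run against whatever host executes the script.

```python
#!/usr/bin/env python3
"""Cross-checks for a rootkit that unlinks itself from the kernel module
list and hides processes. Added example; not Avast's tooling and not part
of the original article. Sample inputs below are constructed."""
import os
from typing import Callable, Iterable, List, Set


def modules_from_proc(proc_modules_text: str) -> Set[str]:
    """Return module names from /proc/modules content (first column)."""
    names: Set[str] = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def hidden_modules(proc_modules_text: str, sysfs_module_names: Iterable[str]) -> Set[str]:
    """Loadable modules that appear under /sys/module but not in /proc/modules.

    An LKM that removes itself from the kernel's module list (as the Adore-Ng
    lineage does) drops out of lsmod and /proc/modules, but usually keeps its
    kobject directory under /sys/module, so the two views disagree.
    """
    return set(sysfs_module_names) - modules_from_proc(proc_modules_text)


def loadable_sysfs_modules(sysfs_root: str = "/sys/module") -> List[str]:
    """Names under /sys/module that carry an 'initstate' file (loadable, not built-in)."""
    try:
        entries = os.listdir(sysfs_root)
    except OSError:
        return []
    return [n for n in entries if os.path.isfile(os.path.join(sysfs_root, n, "initstate"))]


def pid_exists(pid: int) -> bool:
    """Probe a PID with signal 0; this bypasses a hooked readdir() on /proc."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def hidden_pids(listed_pids: Iterable[int], max_pid: int,
                probe: Callable[[int], bool] = pid_exists) -> List[int]:
    """PIDs that answer a signal-0 probe but are missing from the /proc listing.

    Pass the union of PIDs and thread IDs (from /proc/*/task) as listed_pids,
    since kill(tid, 0) also succeeds for threads. A process spawned between
    the listing and the probe shows up as a false positive; re-run to confirm.
    """
    listed = set(listed_pids)
    return [pid for pid in range(1, max_pid + 1) if pid not in listed and probe(pid)]


def listed_pids_and_tids(proc_root: str = "/proc") -> Set[int]:
    """Every PID and thread ID the /proc listing admits to."""
    ids: Set[int] = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            task_dir = os.path.join(proc_root, name, "task")
            ids.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:
            pass  # process exited between the two reads
    return ids


# Constructed sample data (not captured from a real Syslogk infection).
SAMPLE_PROC_MODULES = (
    "ext4 778240 2 - Live 0x0000000000000000\n"
    "crc16 16384 1 ext4, Live 0x0000000000000000\n"
)
SAMPLE_SYSFS_MODULES = ["ext4", "crc16", "hypothetical_hidden_mod"]

if __name__ == "__main__":
    print("sample hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_MODULES))
    # Live checks on the host running this script (root gives the fullest view).
    with open("/proc/modules") as f:
        live_hidden = hidden_modules(f.read(), loadable_sysfs_modules())
    print("live hidden modules:", live_hidden or "none")
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    print("live hidden pids:", hidden_pids(listed_pids_and_tids(), pid_max) or "none")
```

Both checks rest on the same idea: a rootkit that hooks one view of the kernel (the module list, the /proc readdir) rarely hooks every other view consistently, so disagreement between views is the signal. A kit that also removes its sysfs kobject would pass the module check, which is why the result is a lead for memory forensics rather than a verdict.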

Enter Rekoobe

One such payload that was discovered by Avast’s researchers is called ELF:Rekoob, or more widely known as Rekoobe. This malware is a backdoor trojan written in C. Syslogk can drop it on the compromised endpoint, and then have it lie dormant until it receives a “magic packet” from the malware’s operators. The magic packet can both start and stop the malware.

“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server,” Avast explained in a blog post. “Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”


Rekoobe itself is based on TinyShell, BleepingComputer explains, which is also open-source and widely available. It is used to execute commands, meaning this is where the damage gets dealt - threat actors use Rekoobe to steal files, exfiltrate sensitive information, take over accounts, etc.

The malware is also easier to detect at this point, meaning crooks need to be extra careful when deploying and running the second stage of their attack.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
