A recently identified piece of Linux malware is being used to covertly backdoor Linux systems, steal information, and infect every running process on the machine.
Named OrBit by the Intezer Labs researchers who first discovered it, the malware hijacks shared libraries to intercept function calls, modifying the LD_PRELOAD environment variable on affected machines.
OrBit can be installed persistently, using two distinct techniques that resist removal attempts, or deployed as a volatile implant that is only loaded into shim memory.
It also hooks a range of functions in order to evade detection, manipulate process behavior, maintain persistence by infecting newly started processes, and hide the network activity that would otherwise betray its presence.
For instance, once it has injected itself into a running process, OrBit can alter that process's output to suppress any log entries that would reveal it.
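To make the hooking technique concrete, here is an added example written for this page; it is not OrBit's code and not from Intezer. It is a minimal LD_PRELOAD library that intercepts readdir() and hides directory entries whose names start with a marker prefix. The prefix `.orbit_demo_`, the file name `hook.c` and the build line are assumptions made for the example.

```c
/* Added example (not OrBit's code): a minimal LD_PRELOAD hook library that
 * intercepts readdir() and drops directory entries that start with an
 * assumed marker prefix. A preloaded .so exports a function with libc's
 * name, the dynamic loader binds callers to it first, and the hook
 * forwards to the real function after filtering.
 * Build: gcc -shared -fPIC -o hook.so hook.c -ldl
 * Try:   LD_PRELOAD=./hook.so ls -a /tmp   */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* exposes RTLD_NEXT in <dlfcn.h> */
#endif
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1L) /* glibc's value, if the header did not expose it */
#endif

/* Hypothetical marker for this example: entries with this prefix are hidden. */
#define HIDE_PREFIX ".orbit_demo_"

/* Pure filter, kept separate from the hook so it can be exercised without
 * preloading. Returns 1 if the entry should be hidden, 0 otherwise. */
int hook_should_hide(const char *name)
{
    if (name == NULL)
        return 0;
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

typedef struct dirent *(*readdir_fn)(DIR *);

/* Resolve the next readdir() in the symbol lookup chain (normally libc's) once. */
static readdir_fn real_readdir(void)
{
    static readdir_fn fn;
    if (fn == NULL) {
        void *sym = dlsym(RTLD_NEXT, "readdir");
        memcpy(&fn, &sym, sizeof fn); /* sidestep the object-to-function pointer cast warning */
    }
    return fn;
}

/* The hook: same name and signature as libc's readdir(), so every
 * dynamically linked program that lists a directory calls this instead
 * once the library is preloaded. Marked entries are silently skipped. */
struct dirent *readdir(DIR *dirp)
{
    readdir_fn next = real_readdir();
    struct dirent *ent;

    if (next == NULL)           /* resolution failed: fail closed rather than recurse */
        return NULL;
    while ((ent = next(dirp)) != NULL) {
        if (!hook_should_hide(ent->d_name))
            return ent;
    }
    return NULL;
}

/* Stand-alone demo when compiled as a program instead of a library:
 * lists a directory through the hooked readdir(). */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    DIR *d = opendir(dir);
    struct dirent *ent;

    if (d == NULL) {
        perror(dir);
        return 1;
    }
    while ((ent = readdir(d)) != NULL)
        puts(ent->d_name);
    closedir(d);
    return 0;
}
```

The same shape applies to any libc function: hooks on the logging and network functions the article mentions differ only in which symbol is exported and what the filter drops. The practical consequence for an investigator is that a preloaded library sits inside every dynamically linked process, so `ls`, `cat`, `ps` and similar tools run on the suspect host can be lied to; inspect `/etc/ld.so.preload` and the `LD_PRELOAD` variable in `/proc/<pid>/environ` from a statically linked binary or from a rescue environment, where the dynamic loader never gets a chance to inject the hook.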
“The virus employs clever evasion techniques and gains persistence on the machine by hooking essential functionalities, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands,” said Nicole Fishbein, a security researcher at Intezer Labs.
“Once the virus is deployed, it will infect every process that is currently executing on the machine, including new processes,” the researcher added.
Although OrBit’s dropper and payload components initially went undetected by every antivirus engine, several anti-malware vendors have since updated their products to flag its presence.
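Signature updates aside, the hooking itself leaves a trace that a defender can look for: the preloaded library appears in the memory map of every infected process. The following is an added example, not from the article, Intezer, or any vendor tool, of such a check. It parses the text of `/proc/<pid>/maps`, flags shared objects mapped from outside the usual library directories or unlinked after loading, and counts the entries in `/etc/ld.so.preload`, which is absent or empty on a clean system. The trusted-prefix list and the sample maps text are constructed assumptions for this example.

```c
/* Added example (not from the article, Intezer, or any vendor tool): flag
 * shared objects mapped into a process from outside the usual library
 * directories, the kind of artifact an LD_PRELOAD or /etc/ld.so.preload
 * hook leaves in /proc/<pid>/maps. The trusted-prefix list and the sample
 * maps text below are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH 256

/* Where packaged libraries normally live. Assumed list; adjust per distribution. */
static const char *const trusted_prefixes[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL
};

static int has_trusted_prefix(const char *path)
{
    for (int i = 0; trusted_prefixes[i] != NULL; i++)
        if (strncmp(path, trusted_prefixes[i], strlen(trusted_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* True if the path names a shared object: the last ".so" is followed by
 * end of string, a version suffix ".N", or the " (deleted)" marker. */
static int is_shared_object(const char *path)
{
    const char *last = NULL, *p = path;
    while ((p = strstr(p, ".so")) != NULL) { last = p; p += 3; }
    if (last == NULL) return 0;
    return last[3] == '\0' || last[3] == '.' || last[3] == ' ';
}

/* Return the 6th whitespace-separated column of one maps line (the
 * pathname), or NULL for anonymous mappings that have no path. */
static const char *maps_path(const char *line)
{
    int field = 0;
    const char *p = line;
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0') return NULL;
        if (++field == 6) return p;
        while (*p != '\0' && *p != ' ' && *p != '\t') p++;
    }
}

/* Scan maps text line by line; copy each distinct suspicious shared-object
 * path into out[] (up to max_out) and return how many were found. A mapping
 * is suspicious if it is a .so outside the trusted directories or was
 * unlinked after being loaded ("(deleted)"). */
int find_suspicious_libs(const char *maps, char out[][MAX_PATH], int max_out)
{
    int found = 0;
    const char *line = maps;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        const char *path = maps_path(buf);
        if (path != NULL && path[0] == '/' && is_shared_object(path)) {
            int deleted = strstr(path, "(deleted)") != NULL;
            if (deleted || !has_trusted_prefix(path)) {
                int dup = 0;            /* one library maps as several segments */
                for (int i = 0; i < found; i++)
                    if (strcmp(out[i], path) == 0) dup = 1;
                if (!dup && found < max_out) {
                    strncpy(out[found], path, MAX_PATH - 1);
                    out[found][MAX_PATH - 1] = '\0';
                    found++;
                }
            }
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return found;
}

/* Count the non-blank, non-comment lines of /etc/ld.so.preload content. */
int count_preload_entries(const char *content)
{
    int n = 0;
    const char *line = content;
    while (*line != '\0') {
        while (*line == ' ' || *line == '\t') line++;
        if (*line != '\n' && *line != '\0' && *line != '#') n++;
        const char *nl = strchr(line, '\n');
        if (nl == NULL) break;
        line = nl + 1;
    }
    return n;
}

/* Constructed sample: libc from a packaged path, a library mapped from
 * /dev/shm (two segments), one unlinked after load, and non-library mappings. */
const char SAMPLE_MAPS[] =
    "7f10c0000000-7f10c0020000 r--p 00000000 08:01 3021 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f10c0020000-7f10c01a0000 r-xp 00020000 08:01 3021 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f10c0300000-7f10c0301000 r--p 00000000 00:19 77 /dev/shm/.cache/libhook.so\n"
    "7f10c0301000-7f10c0305000 r-xp 00001000 00:19 77 /dev/shm/.cache/libhook.so\n"
    "7f10c0400000-7f10c0402000 r-xp 00000000 08:01 9912 /tmp/.x/libx.so.1 (deleted)\n"
    "55d0a0000000-55d0a0100000 r-xp 00000000 08:01 1450 /usr/bin/bash\n"
    "55d0a0200000-55d0a0230000 rw-p 00000000 00:00 0 [heap]\n"
    "7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0\n";

int main(void)
{
    char hits[16][MAX_PATH];
    int n = find_suspicious_libs(SAMPLE_MAPS, hits, 16);
    for (int i = 0; i < n; i++)
        printf("suspicious mapping: %s\n", hits[i]);
    printf("%d suspicious shared object(s)\n", n);
    return 0;
}
```

To use it on a live host, read each `/proc/<pid>/maps` into a buffer and pass it to `find_suspicious_libs`, and feed the contents of `/etc/ld.so.preload` to `count_preload_entries`. Two caveats matter. First, run the checker as a statically linked binary: a hook of the kind the article describes can also intercept the file and directory functions a dynamically linked reader would use, and hide both files from it. Second, the prefix allowlist is coarse; a library dropped into `/usr/lib` passes it, so cross-check any library there against the package manager's file list.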
Rising Linux Malware?
OrBit is not the only highly evasive Linux malware to come to light recently that uses similar techniques to fully compromise and backdoor devices.
Symbiote also loads itself into running processes through the LD_PRELOAD mechanism, acting as a system-wide parasite and concealing its infection.
BPFDoor, another recently discovered piece of malware targeting Linux systems, hides by taking on the names of common Linux daemons, which allowed it to go unnoticed for more than five years.
Both of these strains use Berkeley Packet Filter (BPF) hooking to monitor and manipulate network traffic, which helps hide their communication channels from security tooling.
A third piece of Linux malware, Syslogk, is a rootkit under active development that loads its own modules into the Linux kernel, backdoors compromised machines, and hides directories and network activity to evade detection. Avast researchers discovered it last month.
Although OrBit is neither the first nor the most inventive malware campaign to target Linux in recent times, it still has some unique capabilities that set it apart from other threats.
“This malware collects data from various commands and tools and stores it in particular files on the system. Additionally, files are being used extensively to store data, which was previously unheard of,” Fishbein added.
What makes this malware particularly intriguing is its virtually hermetic hooking of libraries on the target machine, which lets it gain persistence and evade detection while stealing information and setting up an SSH backdoor.