OrBit: Undetected Linux Malware

July 15, 2022

A recently identified Linux malware is being used to secretly access backdoor Linux computers, steal information, and infect all processes. By establishing persistence on the infected systems, the virus can either be implanted as a volatile implant or removed completely. To remain persistent on the infected systems, the malware employs cutting-edge evasion strategies and hooks crucial functions. OrBit collects passwords, logs TTY commands, and enables operators to gain remote access capabilities via SSH.

“Once the malware is deployed, it will infect every process that is currently executing on the machine, including new processes,” says the security expert. This malware uses 2 different methods to load the malicious library, in contrast to other threats that steal shared libraries by altering the environment variable LD_PRELOAD. The shared object can be added to the configuration file used by the loader as the first method. The second method entails altering the loader’s binary such that it will load the malicious shared object. For instance, after it injects into an active process, OrBit might alter its output to suppress any logs that might reveal its presence.

According to Nicole Fishbein of Intezer Labs, a security researcher, “the virus employs clever evasion techniques and gains persistence on the machine by hooking essential functionalities, gives the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.”

Once the virus is deployed, it will infect every process that is currently executing on the machine, including new processes. Although antivirus engines had no way of detecting OrBit’s dropper and payload when the malware was initially discovered, certain anti-malware manufacturers have since modified their programmes to alert users of its existence.

The recently discovered Symbiote malware, which is intended to infect all running programmes on infected devices, have similarities, according to experts.

OrBit uses two alternative techniques to load the shared object, in contrast to Symiote, which relies on the LD_PRELOAD environment variable. The shared object is added to the configuration file used by the loader in the first technique, and the loader’s binary is modified in the second to load the malicious shared object.

A shared object (.SO file) that contains the malicious payload can be stored either permanently in persistent storage, like /lib/libntpVnQE6mk/, or temporarily in shim memory under /dev/shm/ldx/. The danger will become persistent if the payload is placed in the first path; otherwise, it is volatile.

The ELF dropper that extracts the payload (“libdl.so”) and inserts it to the shared libraries that are loaded by the dynamic linker initiates the attack chain.

The Pluggable Authentication Module, libc, and libcap are three libraries that the shared object hooks functions from (PAM). The malware will be able to infect the entire computer, harvest credentials, evade detection, acquire persistence, and grant remote access to the attackers by effectively using the modified functions in existing processes that use them as well as new processes that are hooked with the malicious library. the experts go on.

The malware stands out for its nearly hermetic library hooking, the scientists noted. Linux threats are continually evolving; recently, researchers discovered more sophisticated Linux malware in the field, including Symbiote and Syslogk.

Remediation action

Regularly update your software.
By protecting important data with a backup and varying the storage media, single points of failure can be eliminated.
Implement a Zero Trust security policy and restrict user access.
For the purpose of limiting and regulating access to information and resources, configure Linux security extensions.
To limit the impact of a potential ransomware attack, segment your network.
Make use of a Secure Email Gateway (SEG) programme.
Install a malware-detecting application.
Adopt a policy for secure passwords.
Make a policy for secure email.
Inform your employees of the dangers and risks posed by ransomware.
Create a plan for network monitoring.
Conduct penetration tests and vulnerability assessments.
Examine event logs frequently to spot odd behavior.
Immutable backups should be included to system backups.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

OrBit: Undetected Linux Malware

Security Team

Related Posts

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure