OrBit: Undetected Linux Malware

A recently identified Linux malware, OrBit, is being used to backdoor Linux systems, steal information, and infect every running process. It can be installed either as a persistent implant or as a volatile one. The malware employs advanced evasion techniques and hooks key functions to stay hidden on the infected system. OrBit harvests credentials, logs TTY commands, and gives its operators remote access over SSH.

“Once the malware is deployed, it will infect every process that is currently executing on the machine, including new processes,” says the security researcher. Unlike other threats that hijack shared libraries by altering the LD_PRELOAD environment variable, this malware uses two different methods to load its malicious library. In the first, the shared object is added to the configuration file used by the loader. In the second, the loader’s binary itself is patched so that it loads the malicious shared object. Once injected into a running process, OrBit can also alter that process’s output to suppress any logs that might reveal its presence.

According to Nicole Fishbein, a security researcher at Intezer Labs, “the virus employs clever evasion techniques and gains persistence on the machine by hooking essential functionalities, gives the threat actors remote access capabilities over SSH, harvests credentials, and logs TTY commands.”

Once deployed, the malware infects every process currently running on the machine, including new processes. Although no antivirus engine detected OrBit’s dropper and payload when the malware was first discovered, some anti-malware vendors have since updated their programmes to flag it.

Experts note similarities with the recently discovered Symbiote malware, which is likewise designed to infect all running processes on compromised devices.

In contrast to Symbiote, which relies on the LD_PRELOAD environment variable, OrBit uses two alternative techniques to load its shared object: in the first, the shared object is added to the configuration file used by the loader; in the second, the loader’s binary is modified so that it loads the malicious shared object.

The shared object (.so file) containing the malicious payload can be stored either on persistent storage, such as /lib/libntpVnQE6mk/, or in shared memory under /dev/shm/ldx/. Placing the payload in the first path makes the infection persistent; otherwise it is volatile.
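The two loading techniques and the two payload paths described above suggest a simple host triage: inspect the loader’s preload configuration and verify the loader binary itself. The following is an added example (not Intezer’s tooling or the malware’s code); it assumes glibc’s loader reads /etc/ld.so.preload, that a clean host normally has that file empty or absent, and that a known-good loader hash is available from the distro package or a clean reference host. The sample preload content is constructed, as is the unrelated library name in it.

```python
import hashlib

# Payload locations named in the write-up; the trailing slash keeps the
# prefix match from also hitting a sibling name such as /lib/libntpVnQE6mkX.
ORBIT_PERSISTENT = "/lib/libntpVnQE6mk/"
ORBIT_VOLATILE = "/dev/shm/ldx/"


def parse_ld_so_preload(text):
    """Return the libraries glibc's loader would preload from this content.

    rtld treats '#' to end of line as a comment and splits the remainder on
    whitespace or ':', so the parser does the same.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def classify_entry(path):
    """Map one preload entry to the persistence model in the write-up."""
    if path.startswith(ORBIT_PERSISTENT):
        return "orbit-persistent"
    if path.startswith(ORBIT_VOLATILE):
        return "orbit-volatile"
    # Any other entry is still unusual on a clean host and deserves review.
    return "review"


def triage_preload(text):
    """Technique 1: verdict per entry found in the preload configuration."""
    return {p: classify_entry(p) for p in parse_ld_so_preload(text)}


def loader_modified(loader_bytes, known_good_sha256):
    """Technique 2: compare the on-disk loader (e.g. ld-linux-x86-64.so.2)
    against a SHA-256 taken from the package manager or a clean host."""
    return hashlib.sha256(loader_bytes).hexdigest() != known_good_sha256.lower()


# Constructed sample, not a real capture; the last library name is made up.
SAMPLE_PRELOAD = """# constructed /etc/ld.so.preload
/lib/libntpVnQE6mk/libdl.so
/dev/shm/ldx/libdl.so:/usr/lib/libexample-unrelated.so
"""

if __name__ == "__main__":
    for path, verdict in triage_preload(SAMPLE_PRELOAD).items():
        print(f"{verdict:17} {path}")
```

Because the hooked libc functions can filter what an infected process sees, run such checks from a trusted environment (a clean boot or a mounted image of the suspect disk) rather than from the live host alone.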

The attack chain begins with an ELF dropper that extracts the payload (“libdl.so”) and adds it to the shared libraries loaded by the dynamic linker.

The shared object hooks functions from three libraries: libc, libcap, and the Pluggable Authentication Module (PAM). By hooking these functions in existing processes that use them, as well as in new processes loaded with the malicious library, the malware is able to infect the entire machine, harvest credentials, evade detection, gain persistence, and grant the attackers remote access, the experts continue.

The researchers noted that the malware stands out for its nearly hermetic library hooking. Linux threats continue to evolve: researchers recently found other sophisticated Linux malware in the wild, including Symbiote and Syslogk.

Remediation action

  • Regularly update your software.
  • Protect important data with backups on varied storage media to eliminate single points of failure.
  • Implement a Zero Trust security policy and restrict user access.
  • Configure Linux security extensions to limit and control access to information and resources.
  • To limit the impact of a potential ransomware attack, segment your network.
  • Make use of a Secure Email Gateway (SEG) programme.
  • Install a malware-detecting application.
  • Adopt a policy for secure passwords.
  • Make a policy for secure email.
  • Inform your employees of the dangers and risks posed by ransomware.
  • Create a plan for network monitoring.
  • Conduct penetration tests and vulnerability assessments.
  • Examine event logs frequently to spot odd behavior.
  • Include immutable backups in your system backup strategy.