Researchers have discovered a devious malware for Linux: backdooring devices and stealing data. The malware can alter the overall functioning of any device that it gets into. Popularly known as Orbit, the malware works differently from regular Linux threats.
The malware has the capacity to steal information from multiple commands and utilities and store it in separate files on the same machine, according to researchers and cyber security experts from an automation company, Intezer. The name of the malware originates from one of the filenames it creates to temporarily store data from executed commands.
According to Nicole Fishbein from Intezer, the malware works in a unique way that sets it apart from commonly known malware. “This malware works in a mysterious manner that makes it almost impossible to be detected while stealing information. It sets an SSH backdoor on devices and replicates itself in different machines,” said Fishbein.
The malware deploys sophisticated evasion techniques and acquires persistence on machines by hooking primary library functions. This allows threat actors to operate the device remotely via SSH, collect credentials, and log TTY commands. “Once the malware has been installed on a computer, it infects every running program on that machine. This makes it hard to change anything or retrieve files that have been encrypted,” she added.
Orbit malware gets into a Linux machine through a dropper that installs the payload and creates a favorable environment for the execution of the malware. The dropper uses a function referred to as patch_ld to install itself into the shared libraries. If the payload already exists, the function can replace it with the desired file.
The payload is a shared object that can be placed either in shim-memory or in persistent storage. According to Fishbein, the malware is persistent only if it is placed in persistent storage. This hooking enables the malware to infect the entire computer, collect credentials, avoid detection, offer attackers remote access to the computer, and gain persistence.
According to IT researchers, Orbit malware also works by hooking several functions to evade detection. This prevents the system from disclosing information that might reveal the existence of a malicious library on a machine. “The malware utilizes a hardcoded GID value to detect files and processes that are associated with the malware. Based on that, it can manipulate the way hooked functions operate,” wrote Fishbein. A GID is the numeric value Linux uses to identify a particular group.
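Because the hooked library functions filter what a directory listing returns, a defender can cross-check two views of /proc: the listing path (readdir, which a hooked libc can censor) against direct per-PID probing, and then look at the group ID of each process. The following is an added example for this article, not code from Intezer's report; the GID value is a placeholder, since the article does not give the hardcoded one, and the helper names are the author's own.

```python
"""Cross-check /proc views to spot processes a hooked libc may be hiding."""
import os

SUSPECT_GID = 12345  # placeholder: the real hardcoded GID is not given in the article


def pids_via_readdir(proc="/proc"):
    # Listing path: os.listdir goes through libc readdir, which a hook can filter.
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_via_probe(proc="/proc", max_pid=None):
    # Probing path: stat each candidate PID directly without enumerating the
    # directory. A hook on stat() would also defeat this, so treat it as one
    # signal, not proof. Probing up to pid_max can take a while on large hosts.
    if max_pid is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(os.path.join(proc, str(pid), "status"))}


def hidden_pids(listed, probed):
    # Anything reachable by probing but missing from the listing is suspicious.
    return sorted(probed - listed)


def parse_gid(status_text):
    # /proc/<pid>/status carries "Gid:\treal\teffective\tsaved\tfs"; return the
    # effective GID, or None if the line is absent.
    for line in status_text.splitlines():
        if line.startswith("Gid:"):
            fields = line.split()
            return int(fields[2]) if len(fields) > 2 else None
    return None


def flag_by_gid(statuses, suspect_gid=SUSPECT_GID):
    # statuses maps pid -> contents of /proc/<pid>/status; report matches.
    return sorted(pid for pid, text in statuses.items()
                  if parse_gid(text) == suspect_gid)


if __name__ == "__main__":
    listed = pids_via_readdir()
    probed = pids_via_probe()
    print("PIDs visible by probing but not by listing:", hidden_pids(listed, probed))
```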
Cyber security experts have warned Linux users to watch out for any signs of malware. They believe that hackers will continue to exploit vulnerabilities in Linux machines to deploy the malware and harvest credentials.