Researchers have discovered a new evasive and persistent Linux malware dubbed OrBit.
According to new research by security firm Intezer, the new malware can infect running processes and steal information from backdoored Linux systems.
“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine,” Nicole Fishbein of Intezer explained in a blog post.
OrBit consists of a dropper and a payload. The dropper installs the malicious payload and prepares the system for the malware's execution. The payload is a shared object (.so file) that can be placed either in persistent storage or in volatile shim memory.
The shared object hooks functions from three libraries (libc, libcap and Pluggable Authentication Module (PAM)). As a result, processes would then use the modified functions and malicious libraries, which can allow “the malware to infect the whole machine and harvest credentials, evade detection, gain persistence and provide remote access to the attackers.”
In addition, OrBit is capable of setting up remote connections to the infected system by hooking three PAM functions.
“By hooking these functions the malware is capable of stealing information from SSH connections and providing remote access to the attackers and hiding the network activity,” Fishbein added.
OrBit also uses XOR-encrypted strings and can steal passwords and information from different commands and utilities. The stolen data can then be stored in specific files on the infected system.
These loading methods also differ from those of other malware that loads a shared library using LD_PRELOAD (as observed in earlier Symbiote malware attacks).
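A defender-side check that follows from the description above, added here as an example and not part of Intezer's research or tooling: whatever mechanism loaded it, a hooking payload must be mapped into the processes it infects, so enumerating /proc/<pid>/maps and flagging shared objects that live outside the standard library directories surfaces it without relying on an LD_PRELOAD check. The trusted directory list and the sample maps dump are constructed for this example.

```python
"""Flag shared objects mapped into running processes from outside the
standard library directories (added example, not Intezer's tooling)."""
import os
import re

# Where legitimately installed shared objects normally live. This list is an
# assumption for the example; tune it to the distribution being checked.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64",
                    "/usr/local/lib", "/usr/libexec", "/snap", "/opt")

# Constructed sample of /proc/<pid>/maps output used by the self-test below.
# The fourth line models a payload dropped under a tmpfs path (volatile storage).
SAMPLE_MAPS = """\
55f7c0a00000-55f7c0a21000 r--p 00000000 08:01 1234 /usr/bin/bash
7f3e1a000000-7f3e1a022000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3e1a200000-7f3e1a207000 r--p 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/libcap.so.2.44
7f3e1a300000-7f3e1a301000 r--p 00000000 00:19 3456 /dev/shm/.x/libdl.so.2
7f3e1a400000-7f3e1a402000 rw-p 00000000 00:00 0 [stack]
"""

# Matches "libfoo.so", "libfoo.so.6", "libfoo.so.2.44" at the end of a path.
_SO_RE = re.compile(r"\.so(\.\d+)*$")


def suspicious_libs(maps_text, trusted=TRUSTED_LIB_DIRS):
    """Return the sorted .so paths in a maps dump that sit outside trusted dirs."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6 or fields[5].startswith("["):
            continue  # anonymous mapping or pseudo-file such as [stack]/[vdso]
        path = fields[5]
        base = path.removesuffix(" (deleted)")  # unlinked backing files still count
        if _SO_RE.search(base) and not base.startswith(trusted):
            found.add(path)
    return sorted(found)


def scan_procfs(proc="/proc"):
    """Walk every readable /proc/<pid>/maps; return {pid: [suspicious paths]}."""
    report = {}
    if not os.path.isdir(proc):
        return report
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                hits = suspicious_libs(fh.read())
        except OSError:
            continue  # process exited, or not ours to read without root
        if hits:
            report[int(pid)] = hits
    return report


if __name__ == "__main__":
    for pid, libs in scan_procfs().items():
        print(pid, libs)
```

Run it as root to cover every process; a hit is a lead for inspection, not proof of infection, since some software legitimately loads plugins from home or application directories.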
In conclusion, OrBit is yet another example of an evolving, persistent Linux malware threat that can stealthily evade security tools.