Communications of the ACM
Linux Malware Has a Sneaky Way of Staying Hidden
Rekoobe malware has been used by the group APT31 or what Microsoft calls Zirconium, a China state-sponsored threat actor.
Credit: Getty
Researchers at the software firm Avast have discovered the Syslogk Linux rootkit, which delivers a backdoor trojan, called Rekoobe, that is kept hidden on the targeted machine until triggered when a remote attacker transmits "magic packets."
Syslogk is mainly based on the Chinese open-source kernel rootkit for Linux, known as Adore-Ng, but adds new functionalities to make it harder to detect the user-mode application and the kernel rootkit.
The researchers believe the Chinese state-sponsored threat actor APT31, called Zirconium by Microsoft, developed Rekoobe and Syslogk to operate hand-in-hand.
The researchers said, "Instead of continuously running the payload, it is remotely started or stopped on demand by sending specially crafted network traffic packets."
They added, "In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, 'magically' executed in the system."
From ZDNet
View Full Article
Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA
No entries found