A malware for Linux is ‘back-dooring’ devices to steal data & can affect all the processes running on a particular machine, researchers have concluded.
The threat steals data & can affect all processes running on the OS, stealing information from different commands & utilities, & then storing it on the affected machine.
The malware, dubbed Orbit, is unlike other Linux threats because it steals information from different commands & utilities, & then stores them in specific files on the machine, researchers from security automation firm Intezer discovered.
Executed Commands
The malware’s name comes from one of the filenames it to temporarily store the output of executed commands, they stated.
Orbit can either achieve persistence on a machine or be installed as volatile implant, Intezer’s Nicole Fishbein explained in a blog post on Orbit published this week.
The malware sets itself apart from similar threats is its “almost hermetic hooking” of libraries on the targeted machines, which allows it to gain persistence & evade detection while stealing information & setting SSH backdoor, she explained.
Evasion Techniques
“The malware implements advanced evasion techniques & gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, & logs TTY commands,” Fishbein wrote.
Once Orbit is installed, it infects all of the running processes on the machine, including new ones, she outlined.
Setting Itself Apart
Typically, existing Linux threats such as Symbiote & Hidden Wasp hijack shared Linux libraries by modifying the environment variable LD_PRELOAD. Orbit works differently, however, using 2 separate ways to load the malicious library, Fishbein wrote.
“The 1st way is by adding the shared object to the configuration file that is used by the loader,” she explained in the post. “The 2nd way is by patching the binary of the loader itself so it will load the malicious shared object.”
Specifically, Orbit uses XOR encrypted strings & steals passwords, tactics that are similar to other Linux backdoors already reported by researchers at ESET, Fishbein wrote.
That is where the similarity with how those backdoors hijack libraries ends, she suggested. Orbit goes a step further by not only stealing info from different commands & utilities but implementing “an extensive usage of files” for storing the stolen data, something researchers have not seen before, Fishbein wrote.
Installation & Execution
Orbit loads onto a Linux machine or device via a dropper that not only installs the payload but also prepares the environment for the malware execution.
To install the payload & add it to the shared libraries that are being loaded by the dynamic linker, the dropper calls a function called patch_ld & then the symbolic link of the dynamic linker /lib64/ld-linux-x86-64.so.2.
The latter is done to check if the malicious payload is already loaded by searching for the path used by the malware, researchers explained.
Payload is Found
If the payload is found, the function can swap it with the other location, they noted. Otherwise, the dropper looks for /etc/ld.so.preload & replaces it with a symbolic link to the location of malicious library: /lib/libntpVnQE6mk/.l or /dev/shm/ldx/.l, depending on the argument passed to the dropper.
Lastly, the dropper will append /etc/ld.so.preload to the end of the temp file to make sure that the malicious library will be loaded 1st, researchers said.
The payload itself is a shared object (.SO file) that can be placed either in persistent storage or in shim-memory. “If it’s placed in the 1st path the malware will be persistent, otherwise it is volatile,” Fishbein wrote.
3 Libraries
The shared object hooks functions from 3 libraries–libc, libcap & Pluggable Authentication Module (PAM). When this is done, the existing processes that use these functions will basically use the modified functions, & new processes will be linked with the malicious library as well, researchers found.
This hooking allows the malware to infect the whole machine & harvest credentials, evade detection, gain persistence, & provide remote access to the attackers, Fishbein wrote.
Evasion Tactics
Orbit also hooks multiple functions as its strategy to evade detection, thus preventing them from releasing information that might reveal the existence of the malicious shared library either in the running processes or the files in use by Orbit, researchers noted.
“The malware uses a hardcoded GID value (the 1 set by the dropper) to identify the files & processes that are related to the malware & based on that it will manipulate the behaviour of the hooked functions,” Fishbein wrote. In Linux, a GID is a numeric value used to represent a specific group.
Functionality
As an example of this functionality, Orbit hooks readdir—a Linux function that returns a pointer to a direct structure describing the next directory entry in the directory stream associated with dirp–to check the GID of the calling process, she explained.
“If it doesn’t match the hardcoded value, all of the directories with the predefined GID value will be omitted from the function’s output,” Fishbein wrote.
