A new Linux rootkit malware named ‘Syslogk’ is being used in attacks to hide malicious processes, using specially crafted "magic packets" to awaken a backdoor laying dormant on the device.
The malware is currently under heavy development, and its authors appear to base their project on Adore-Ng, an old open-source rootkit.
Syslogk can force-load its modules into the Linux kernel (versions 3.x are supported), hide directories and network traffic, and eventually load a backdoor called ‘Rekoobe.’
Using magic packets to load backdoor
Linux rootkits are malware installed as kernel modules in the operating system. Once installed, they intercept legitimate Linux commands to filter out information that they do not want to be displayed, such as the presence of files, folders, or processes.
Similarly, when first loaded as a kernel module, Syslogk will remove its entry from the list of installed modules to evade manual inspection. The only sign of its presence is an exposed interface in the /proc file system.
Additional functions in the rootkit allow it to hide directories containing the malicious files it drops on the host, hide processes, hide network traffic, inspect all TCP packets, and remotely start or stop payloads.
One of the hidden payloads discovered by Avast is a Linux backdoor named Rekoobe. This backdoor will lay dormant on a compromised machine until the rootkit receives a "magic packet" from the threat actors.
Similar to Wake on LAN magic packets, used to wake devices that are in sleep mode, Syslogk will listen for specially constructed TCP packets that include special “Reserved” field values, “Source Port” numbering, “Destination Port” and “Source Address” matches, and a hardcoded key.
When the proper magic packet is detected, Syslogks will start or stop the backdoor as instructed by remote threat actors, drastically minimizing its chances of detection.
“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server.
Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.” - Avast.
Rekoobe is loaded onto the user-mode space where detections are not as complex or unlikely as they are for Syslogk on kernel mode, so being more careful with its loading is crucial for its success.
Rekoobe is based on TinySHell, another open-source and widely available software, and its purpose is to give the attacker a remote shell on the compromised machine.
This means that Rekoobe is used for executing commands, so the repercussions reach ultimate levels, including information disclosure, data exfiltration, file actions, account takeover, and more.
Should you be worried?
The Syslogk rootkit is another example of highly-evasive malware for Linux systems added on top of the recently spotted Symbiote and BPFDoor, which both use the BPF system to monitor network traffic and dynamically manipulate it.
Linux systems aren’t prevalent among regular users, but they support some of the most valuable corporate networks out there, so threat actors are putting in the time and effort to develop custom malware for the architecture.
In the case of Syslogk, the project is in an early development phase, so whether or not it will become a widespread threat is uncertain at this time. However, considering its stealthiness, it will likely continue pushing new and improved versions.
The most dangerous development would be for Syslogk to release a version that supports more recent Linux kernel versions, which would greatly widen the targeting scope at once.