A sneaky malware for Linux is backdooring devices to steal data and can affect all the processes running on a particular machine, researchers have found.
The malware, dubbed Orbit, is unlike other Linux threats in that it steals information from different commands and utilities and then stores them in specific files on the machine, researchers from security automation firm Intezer discovered. In fact, the malware’s name comes from one of the filenames it to temporarily store the output of executed commands, they said.
Orbit can either achieve persistence on a machine or be installed as volatile implant, Intezer’s Nicole Fishbein explained in a blog post on Orbit published this week.
The malware sets itself apart from similar threats is its “almost hermetic hooking” of libraries on the targeted machines, which allows it to gain persistence and evade detection while stealing information and setting SSH backdoor, she said.
“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands,” Fishbein wrote in the post.
Moreover, once Orbit is installed, it infects all of the running processes on the machine, including new ones, she said.
Setting Itself Apart
Typically, existing Linux threats such as Symbiote and HiddenWasp hijack shared Linux libraries by modifying the environment variable LD_PRELOAD. Orbit works differently, however, using two different ways to load the malicious library, Fishbein wrote.
“The first way is by adding the shared object to the configuration file that is used by the loader,” she explained in the post. “The second way is by patching the binary of the loader itself so it will load the malicious shared object.”
Specifically, Orbit uses XOR encrypted strings and steals passwords, tactics that are similar to other Linux backdoors already reported by researchers at ESET, Fishbein wrote.
But that’s where the similarity with how those backdoors hijack libraries ends, she said. Orbit goes a step further by not only stealing info from different commands and utilities, but implementing “an extensive usage of files” for storing the stolen data, something researchers have not seen before, Fishbein wrote.
Installation and Execution
Orbit loads onto a Linux machine or device via a dropper that not only installs the payload but also prepares the environment for the malware execution.
To install the payload and add it to the shared libraries that are being loaded by the dynamic linker, the dropper calls a function called patch_ld and then the symbolic link of the dynamic linker /lib64/ld-linux-x86-64.so.2. The latter is done to check if the malicious payload is already loaded by searching for the path used by the malware, researchers said.
If the payload is found, the function can swap it with the other location, they noted. Otherwise, the dropper looks for /etc/ld.so.preload and replaces it with a symbolic link to the location of malicious library: /lib/libntpVnQE6mk/.l or /dev/shm/ldx/.l, depending on the on the argument passed to the dropper.
Lastly, the dropper will append /etc/ld.so.preload to the end of the temp file to make sure that the malicious library will be loaded first, researchers said.
The payload itself is a shared object (.SO file) that can be placed either in persistent storage or in shim-memory. “If it’s placed in the first path the malware will be persistent, otherwise it is volatile,” Fishbein wrote.
The shared object hooks functions from three libraries–libc, libcap and Pluggable Authentication Module (PAM). Once this is done, the existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, researchers found.
This hooking allows the malware to infect the whole machine and harvest credentials, evade detection, gain persistence, and provide remote access to the attackers, Fishbein wrote.
Evasion Tactics
Orbit also hooks multiple functions as its strategy to evade detection, thus preventing them from releasing information that might reveal the existence of the malicious shared library either in the running processes or the files in use by Orbit, researchers noted.
“The malware uses a hardcoded GID value (the one set by the dropper) to identify the files and processes that are related to the malware and based on that it will manipulate the behavior of the hooked functions,” Fishbein wrote. In Linux, a GID is a numeric value used to represent a specific group.
As an example of this functionality, Orbit hooks readdir—a Linux function that returns a pointer to a dirent structure describing the next directory entry in the directory stream associated with dirp–to check the GID of the calling process, she explained.
“If it doesn’t match the hardcoded value, all of the directories with the predefined GID value will be omitted from the function’s output,” Fishbein wrote.