New Syslogk Linux rootkit uses magic packets to trigger backdoor (Security News, June 2022)
A new Linux rootkit malware named 'Syslogk' is being used in attacks to hide malicious processes, using specially crafted "magic packets" to awaken a backdoor lying dormant on the device.
Syslogk can force-load its modules into the Linux kernel, hide directories and network traffic, and eventually load a backdoor called 'Rekoobe'.
Much like the Wake-on-LAN magic packets used to wake devices from sleep mode, Syslogk listens for specially constructed TCP packets and matches them on particular "Reserved" field values, a particular "Source Port" number, "Destination Port" and "Source Address" matches, and a hardcoded key.
"Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely 'magically' executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server." - Avast.
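As an added, defender-side illustration (not code from the article or from Avast's analysis), the script below parses raw IPv4/TCP packets and flags any segment whose TCP reserved bits are non-zero. RFC 9293 requires senders to set those bits to zero, so a non-zero value is a generic protocol anomaly worth surfacing, independent of the exact values Syslogk looks for (which the article does not give and this code does not assume). The sample packets, addresses and ports are constructed test input; a real deployment would feed frames from a capture file or a raw socket and correlate hits with the other fields the article names.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TcpSummary:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    reserved: int   # the 4 reserved bits after the data offset (RFC 9293, section 3.1)
    flags: int      # CWR/ECE/URG/ACK/PSH/RST/SYN/FIN byte


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpSummary]:
    """Parse an IPv4 packet carrying TCP; return None for anything else."""
    if len(frame) < 20:
        return None
    version_ihl = frame[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 6 or len(frame) < ihl + 20:   # IP protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in frame[12:16])
    dst_ip = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:ihl + 20]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    # Byte 12: high nibble = data offset (in 32-bit words), low nibble = reserved bits.
    reserved = tcp[12] & 0x0F
    flags = tcp[13]
    return TcpSummary(src_ip, dst_ip, src_port, dst_port, reserved, flags)


def find_reserved_bit_anomalies(frames: List[bytes]) -> List[TcpSummary]:
    """Return summaries of TCP segments whose reserved bits are not all zero."""
    hits = []
    for frame in frames:
        summary = parse_ipv4_tcp(frame)
        if summary is not None and summary.reserved != 0:
            hits.append(summary)
    return hits


def _sample_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   reserved: int = 0, flags: int = 0x02) -> bytes:
    """Build a minimal IPv4+TCP header pair as constructed test input (checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,
        bytes(int(x) for x in src_ip.split(".")),
        bytes(int(x) for x in dst_ip.split(".")),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port, 0, 0,
        (5 << 4) | (reserved & 0x0F), flags, 65535, 0, 0,
    )
    return ip_hdr + tcp_hdr


# Constructed sample traffic: a normal SYN, a SYN with reserved bits set, and a truncated frame.
SAMPLE_FRAMES = [
    _sample_packet("10.0.0.5", "10.0.0.9", 40000, 443),
    _sample_packet("10.0.0.5", "10.0.0.9", 40001, 25, reserved=0x9),
    b"\x45\x00\x00\x14",
]

if __name__ == "__main__":
    for hit in find_reserved_bit_anomalies(SAMPLE_FRAMES):
        print(f"reserved bits 0x{hit.reserved:x} set: "
              f"{hit.src_ip}:{hit.src_port} -> {hit.dst_ip}:{hit.dst_port}")
```

Because the reserved bits are meaningless to a normal TCP stack, an alert on them is cheap and low-noise; the value of the hit comes from pairing it with the destination port of the service that should not be reachable and with host-side checks for hidden kernel modules.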
The Syslogk rootkit is another example of highly evasive malware for Linux systems, joining the recently spotted Symbiote and BPFDoor, both of which use BPF (Berkeley Packet Filter) to monitor network traffic and dynamically manipulate it.
The most dangerous development would be a new Syslogk version that supports more recent Linux kernel versions, which would greatly widen its targeting scope at once.