Security News > 2022 > July > Sneaky Orbit Malware Backdoors Linux Devices
A sneaky malware for Linux is backdooring devices to steal data and can affect all the processes running on a particular machine, researchers have found.
Orbit can either achieve persistence on a machine or be installed as volatile implant, Intezer's Nicole Fishbein explained in a blog post on Orbit published this week.
Typically, existing Linux threats such as Symbiote and HiddenWasp hijack shared Linux libraries by modifying the environment variable LD PRELOAD. Orbit works differently using two different ways to load the malicious library, Fishbein wrote.
Specifically, Orbit uses XOR encrypted strings and steals passwords, tactics that are similar to other Linux backdoors already reported by researchers at ESET, Fishbein wrote.
Orbit loads onto a Linux machine or device via a dropper that not only installs the payload but also prepares the environment for the malware execution.
"The malware uses a hardcoded GID value to identify the files and processes that are related to the malware and based on that it will manipulate the behavior of the hooked functions," Fishbein wrote.
News URL
https://threatpost.com/sneaky-malware-backdoors-linux/180158/
Related news
- Hackers use PHP exploit to backdoor Windows systems with new malware (source)
- Stealthy 'sedexp' Linux malware evaded detection for two years (source)
- New Linux Malware 'sedexp' Hides Credit Card Skimmers Using Udev Rules (source)
- New Tickler malware used to backdoor US govt, defense orgs (source)
- New Tickler malware used to backdoor US govt, defense orgs (source)
- GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware (source)
- 'Hadooken' Linux malware targets Oracle WebLogic servers (source)
- New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency (source)
- New Linux malware Hadooken targets Oracle WebLogic servers (source)