Security News > 2022 > July > Sneaky Orbit Malware Backdoors Linux Devices
A sneaky malware for Linux is backdooring devices to steal data and can affect all the processes running on a particular machine, researchers have found.
Orbit can either achieve persistence on a machine or be installed as volatile implant, Intezer's Nicole Fishbein explained in a blog post on Orbit published this week.
Typically, existing Linux threats such as Symbiote and HiddenWasp hijack shared Linux libraries by modifying the environment variable LD PRELOAD. Orbit works differently using two different ways to load the malicious library, Fishbein wrote.
Specifically, Orbit uses XOR encrypted strings and steals passwords, tactics that are similar to other Linux backdoors already reported by researchers at ESET, Fishbein wrote.
Orbit loads onto a Linux machine or device via a dropper that not only installs the payload but also prepares the environment for the malware execution.
"The malware uses a hardcoded GID value to identify the files and processes that are related to the malware and based on that it will manipulate the behavior of the hooked functions," Fishbein wrote.
News URL
https://threatpost.com/sneaky-malware-backdoors-linux/180158/
Related news
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking (source)
- Linux malware “perfctl” behind years-long cryptomining campaign (source)
- Linux systems targeted with stealthy “Perfctl” cryptomining malware (source)
- New FASTCash malware Linux variant helps steal money from ATMs (source)
- New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- Researchers unearth two previously unknown Linux backdoors (source)
- Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor (source)
- Chinese hackers target Linux with new WolfsBane malware (source)