
By Shannon Morse, ThreatWire

Linux has been hit with a slew of attacks in the last week, including ones dubbed Panchan P2P, a botnet that spreads using stolen SSH keys and is used to install cryptomining malware; Symbiote, a Linux backdoor discovered back in November that is used to infect financial institutions and stays very well hidden; and Syslogk, the newest one, which I’ll be talking about here.

Syslogk is a Linux kernel rootkit based on Adore-Ng that has been found in the wild while still under development. It hides a malicious payload that an attacker triggers remotely by sending a specially crafted network packet. Adore-Ng is an open-source rootkit that has been around since 2004 and gives attackers the ability to hide processes and modules while they gain full control over an infected machine.

Syslogk hides itself from networking tools like netstat while it inspects TCP packets for a source port number of 59318, which triggers it to launch malware called Rekoobe. Rekoobe poses as an SMTP server and spawns a shell once it receives a special command. From any remote location, the attacker can send the specially crafted TCP packets to start the backdoor shell, giving them access to the infected machine and its network, and can send another command to close the backdoor at any time.

According to Avast, who discovered this attack, “These are known as magic packets because they have a special format and special powers. In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, ‘magically’ executed in the system. [...] Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”

Currently this malware only works on older versions of the Linux kernel, but since it is under active development, that could change. Avast also warns that kernel rootkits are harder to detect because they run at a privileged layer, so system administrators should be aware of these potential attacks and take proper steps to protect their systems.
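Because the rootkit hides its network footprint from host tools like netstat, the trigger traffic described above is easier to spot off-host, from a tap or SPAN port, than on the infected machine itself. The following is an added example, not code from ThreatWire or Avast: it decodes raw Ethernet/IPv4/TCP frames and flags any whose TCP source port is the 59318 that Avast reports as the Syslogk trigger. The frames it inspects are constructed inline, the function names are this example's own, and a source-port match alone is a coarse triage indicator rather than a signature, since any ordinary client can land on that ephemeral port and the article does not reproduce the rest of the magic-packet format.

```python
import struct
from typing import Dict, List, Optional

# TCP source port that, per the Avast research cited above, Syslogk watches for.
SYSLOGK_TRIGGER_SPORT = 59318

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_ipv4_tcp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode Ethernet II + IPv4 + TCP headers from one raw frame.

    Returns None for anything that is not TCP over IPv4 over Ethernet, or for
    a truncated frame, so the caller can run it over an arbitrary capture.
    """
    if len(frame) < 14 + 20 + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length, options included
    if ihl < 20 or len(ip) < ihl + 20 or ip[9] != IPPROTO_TCP:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = struct.unpack("!H", ip[ihl + 12:ihl + 14])[0] & 0x01FF
    return {"src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport, "flags": flags}


def find_trigger_candidates(frames: List[bytes]) -> List[str]:
    """Return one alert line per TCP frame whose source port is 59318."""
    alerts = []
    for idx, frame in enumerate(frames):
        pkt = parse_ipv4_tcp(frame)
        if pkt is None or pkt["sport"] != SYSLOGK_TRIGGER_SPORT:
            continue
        alerts.append(
            f"frame {idx}: {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
            f"flags=0x{pkt['flags']:03x} tcp sport {SYSLOGK_TRIGGER_SPORT} (Syslogk trigger candidate)"
        )
    return alerts


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int = 0x002) -> bytes:
    """Build a minimal header-only frame; used here only to construct sample input."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0xFFFF, 0, 0)
    return eth + ip_hdr + tcp_hdr


# Constructed sample traffic (not a real capture): an ordinary SMTP connection,
# one frame whose source port matches the Syslogk trigger, and an ARP frame.
SAMPLE_FRAMES = [
    build_tcp_frame("192.0.2.10", "192.0.2.25", 51000, 25),
    build_tcp_frame("198.51.100.7", "192.0.2.25", SYSLOGK_TRIGGER_SPORT, 25),
    bytes(12) + b"\x08\x06" + bytes(46),
]

if __name__ == "__main__":
    for line in find_trigger_candidates(SAMPLE_FRAMES):
        print(line)
```

Run against a real capture by feeding the raw frames from a pcap reader into find_trigger_candidates; treat a hit as a reason to pull the host's kernel module list and the process tree for the supposed SMTP server from a trusted boot, not as proof of compromise on its own.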

ThreatWire Totem Board - Limited Edition! - https://snubsie.com/threatwire-products/tw-totem

LINKS:

https://thehackernews.com/2022/06/panchan-new-golang-based-peer-to-peer.html
https://arstechnica.com/information-technology/2022/06/novel-techniques-in-never-before-seen-linux-backdoor-make-it-ultra-stealthy/
https://github.com/yaoyumeng/adore-ng
https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/
https://thehackernews.com/2022/06/new-syslogk-linux-rootkit-lets.html
https://www.zdnet.com/article/this-new-linux-malware-is-almost-impossible-to-detect/
