Free Republic
This 'evasive' new Linux malware creates a backdoor to steal passwords and more
ZDNet ^ | 8 July 2022 | Danny Palmer

Posted on 07/08/2022 10:34:58 AM PDT by ShadowAce

A newly uncovered form of Linux malware creates a backdoor into infected machines and servers, allowing cyber criminals to secretly steal sensitive information while also maintaining persistence on the network. 

Detailed by cybersecurity researchers at Intezer, the previously undetected malware has been called Orbit after filenames it used to temporarily store the output of executed commands. 

Linux is a popular operating system for servers and cloud infrastructure, which makes it a tempting target for cyber criminals.  

Orbit malware provides cyber criminals with remote access to Linux systems, allowing them to steal usernames and passwords and log TTY commands – the inputs made in the Linux terminal.  

In addition to this, the malware can infect running processes on the machine, ultimately allowing the hackers to take control of the system required to monitor and steal information, while also maintaining a backdoor to the compromised systems.

Once installed, Orbit sets up a remote connection to the machine and hooks functions in the Linux Pluggable Authentication Module. By doing this, the malware can steal information from SSH (Secure Shell Protocol) connections providing remote access to the attackers while also hiding network activity from the victim. 

Orbit is also designed to be highly persistent, making it hard to remove from an infected machine while running. It does this by adding instructions that the malware should be loaded before any other processes. 

The malware is also set up to evade detection by preventing information which could reveal the existence of Orbit from being detected by manipulating the outputs to avoid detailing malicious activity. 

"Unlike other threats, this malware steals information from different commands and utilities and stores them in specific files on the machine," said Nicole Fishbein, security researcher at Intezer. 

"Threats that target Linux continue to evolve while successfully staying under the radar of security tools, now Orbit is one more example of how evasive and persistent new malware can be," she added. 

Cloud services and servers are mistakenly misconfigured, providing unauthorised intruders with access to systems – businesses should ensure that their cloud setup is properly managed to avoid weak points like this which could allow attackers into networks.


TOPICS: Computers/Internet
KEYWORDS: linux; malware

1 posted on 07/08/2022 10:34:58 AM PDT by ShadowAce
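An added, defender-side check (not from the ZDNet article or from Intezer) for the two traits the piece describes, Orbit arranging to be loaded ahead of other processes and hooking PAM functions. It assumes that "loaded before any other processes" means the dynamic loader's preload path (/etc/ld.so.preload or a process's LD_PRELOAD variable), and that the administrator recorded SHA-256 hashes of the PAM modules from a clean install; the sample inputs are constructed.

```python
"""Triage helpers for a preloaded library and for tampered PAM modules.
Added example; assumptions: preload shows up in /etc/ld.so.preload or in
LD_PRELOAD, and clean-install module hashes exist. Inputs are constructed."""
import hashlib
import os

# Constructed /etc/ld.so.preload content: one comment, one unexpected entry.
SAMPLE_PRELOAD = "# tuning\n/usr/lib/libtune.so\n\n/lib/.hidden/libhook.so\n"
# Constructed NUL-separated /proc/<pid>/environ block.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/lib/.hidden/libhook.so\0HOME=/root\0"

def preload_entries(text):
    """Library paths listed in an ld.so.preload-style file, skipping blank
    lines and comments. A clean system normally yields an empty list."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def ld_preload_from_environ(raw):
    """LD_PRELOAD value from a /proc/<pid>/environ blob, or None if unset."""
    for item in raw.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def changed_modules(baseline, current):
    """Paths whose hash differs from the clean-install baseline, plus any
    module the baseline never saw (a replaced PAM module shows up here)."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def scan_live_system():
    """Apply the parsers to the real host; reading every environ needs root."""
    findings = []
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            findings += [("ld.so.preload", e) for e in preload_entries(fh.read())]
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                value = ld_preload_from_environ(fh.read())
        except OSError:  # process exited, or not readable by this user
            continue
        if value:
            findings.append((f"pid {pid} LD_PRELOAD", value))
    return findings
```

Because the article says Orbit manipulates command output to hide itself, a hooked libc on the infected host can also lie to this script; check the preload file and the module hashes from a mounted disk image or a clean boot for a trustworthy answer.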

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

2 posted on 07/08/2022 10:35:18 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

How is this malware acquired?


3 posted on 07/08/2022 12:02:00 PM PDT by Bob434 (.)

To: Bob434

Good question. The article is rather light on details.


4 posted on 07/08/2022 12:04:35 PM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

I just did a quick search, but the articles are all practically the same: no mention of how it's acquired, just that "once it's installed". But does it install automatically somehow, or does the user have to install it? The articles don't mention how.


5 posted on 07/08/2022 12:13:28 PM PDT by Bob434 (.)

To: Bob434
"How is this malware acquired?"

Microsoft Warns of '8220 Group' Targeting Linux Servers

... [T]he names of the group come from the port number 8220 used by the miner to communicate with the C2 servers....

https://www.cysecurity.news/2022/07/microsoft-warns-of-8220-group-targeting.html
How is this malware acquired?

Step 1: Stand up a C2 server.

Step 2: Doesn't matter unless you've stood up a C2 (command & control) server.

6 posted on 07/08/2022 12:26:46 PM PDT by Paal Gulli

To: ShadowAce

Maybe we should go back to filing cabinets.


7 posted on 07/08/2022 12:34:06 PM PDT by Revel

To: ShadowAce
A little more info, FWIW.

https://threatpost.com/sneaky-malware-backdoors-linux/180158/

8 posted on 07/08/2022 3:19:42 PM PDT by TChad ("Joe, we should evacuate the civilians before the military. You understand that, right? Joe?")

To: ShadowAce

Glad I don't run Linux; sad my router does. LOL. Just being as stupid as those that attack Windows when it has a security issue.


9 posted on 07/08/2022 3:20:57 PM PDT by for-q-clinton (Cancel Culture IS fascism...Let's start calling it that!)

To: TChad
Detailed technical analysis of OrBit. Says nothing about how to block it or eradicate it.

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/

From the link:

Conclusion

Threats that target Linux continue to evolve while successfully staying under the radar of security tools, now OrBit is one more example of how evasive and persistent new malware can be.


10 posted on 07/08/2022 3:55:02 PM PDT by TChad ("Joe, we should evacuate the civilians before the military. You understand that, right? Joe?")

To: Paal Gulli

So I would have to run a server in order to get it? (I'm not really up on this stuff.)


11 posted on 07/08/2022 8:46:04 PM PDT by Bob434 (.)

To: Bob434

It comes via a "dropper," Bob. Same as with MS Trojans. The user has to click something. This is why I use NoScript for web surfing. It reduces the chance of loading malicious scripts and droppers from websites; the other methods are already known as safe practice to prevent it.

“A dropper is a small helper program that facilitates the delivery and installation of malware. Spammers and other bad actors use droppers to circumvent the signatures that anti-virus programs use to block or quarantine malicious code. It’s much easier to change the dropper, should its signature become recognized, than it would be to rewrite the malicious codebase.

“Droppers, like many of their larger Trojan horse counterparts, can be persistent or non-persistent. Non-persistent droppers install malware and then automatically remove themselves. Persistent droppers copy themselves to a hidden file and stay there until they complete the task they were created for.

Droppers can be spread by people who:

Open an infected e-mail attachment.
Pick up a drive-by download on an infected website.
Click on a malicious link in an email or on a website.
Use an infected flash drive.

Sometimes droppers are bundled with free utility programs (such as ad blockers) to avoid detection by antivirus software. When the free program executes, the dropper will first download and install malware before it unpacks and installs the legitimate utility.”

https://www.techtarget.com/whatis/definition/dropper


12 posted on 07/11/2022 4:35:34 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind

Thanks. I never click stuff that pops up when browsing, but accidents could happen, I suppose. Or someone else using the computer could click unaware.

[[Pick up a drive-by download on an infected website.]]

This is the one that worries me. A few years ago, on Windows using Internet Explorer, I would constantly go to what should have been safe sites and get automatically redirected, or have some file start downloading automatically. I had to run a program called "Rollback Rx" which would do a complete system restore (not partial like the Windows System Restore utility), and it would do it when booting up, not from the desktop, so it would activate before viruses could stop it. Whenever I hit a site that redirected me or saw something downloading, I stopped immediately and did a rollback.

It was happening a few times a month for a while there, then things seemed to calm down a bit, then I switched to Firefox and don't get it anymore. But also, I use Linux, so that is an added level of protection if it hits a site that downloads an .exe.


13 posted on 07/11/2022 7:06:12 AM PDT by Bob434

To: Bob434

I think that is one of the advantages of Linux. If you are cautious, it is hard to do this. Unlike MS, you are always by default logged in as a guest. Nothing can access the system files without a notice, warning, and password.

So just say no if you have any doubt at all. Do some homework and go find a more trusted source.


14 posted on 07/11/2022 11:29:50 AM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
