This new Linux malware has a sneaky way of staying hidden

A newly discovered stealthy piece of Linux malware called Syslogk delivers a backdoor that remains hidden on targeted machine until its controller, from anywhere on the internet, transmits so-called ‘magic packets’. 

According to researchers at Avast, the Syslogk Linux rootkit delivers the backdoor trojan known as Rekoobe and uses numerous techniques to keep the backdoor hidden until needed. 

Fortunately, the version of Syslogk Avast analyzed only works on older versions of the Linux kernel version, but the malware appears to be under development. 

Rekoobe malware has been used by the group APT31 or what Microsoft calls Zirconium, a China state-sponsored threat actor. Rekoobe is based on TinyShell, an open source project for a UNIX backdoor. There are references in the Syslogk rootkit to TinyShell dating back to December 13, 2018.

Meanwhile, Syslogk is based primarily on the Chinese open source kernel rootkit for Linux called Adore-Ng, which as of this year was still under development but currently only supports Linux kernel version 3.x, versus the 5.x series of the kernel currently being developed. 

Syslogk adds new functionalities to make the user-mode application and the kernel rootkit harder to detect than Adore-Ng, which can already hide files, its processes and the kernel module. 

Avast researchers believe this group developed Rekoobe and Syslogk specifically for them to run hand-in-hand. 

The Rekoobe sample Avast found was embedded in a fake SMPT mail server. The backdoor is triggered when it receives specially crafted TCP packets or the so-called “magic packets” from the remote attacker. It’s possible for the attacker using Syslogk with magic packets to remotely stop and start the Rekoobe backdoor. 

The firm explains the role of magic packets Syslogk’s ability to remotely start Rekoobe in user space mode. 

“Instead of continuously running the payload, it is remotely started or stopped on demand by sending specially crafted network traffic packets,” it explains. 

“These are known as magic packets because they have a special format and special powers. In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, ‘magically’ executed in the system.”

Despite the limited support for Linux kernel versions, Avast argues the combination of Syslogk and Rebooke on a fake SMTP server is a powerful toolset for an attacker.  

“We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server. Consider how stealthy this could be; a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely ‘magically’ executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server.”