Stealthy OrBit Malware Steals Data From Linux Devices

A newly detected Linux malware is being used to covertly steal information from backdoored Linux systems and infect all running processes on the network.

Intezer Labs security researchers, who first spotted the malware, named it OrBit. OrBit hijacks shared libraries to seize function calls by modifying the LD_PRELOAD environment variable on compromised devices.

While it can achieve persistence via two different methods to stop removal attempts, OrBit may also be deployed as a volatile implant when copied in shim-memory.

It can also hook some functions to evade detection, manipulate process behavior, maintain persistence by infecting new processes, and conceal network activity that would expose its presence.

For example, the moment it injects into a running process, OrBit can control its output to conceal any traces of its existence by filtering out what is logged.

“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access the capabilities over SSH (Secure Shell), harvests credentials, and logs TTY (Teletype) commands. Once the malware is installed, it will infect all of the running processes, including new processes, that are running on the machine,” explained Intezer Labs security researcher Nicole Fishbein.

Incidentally, OrBit is not the first highly-evasive Linux malware to come out recently that is capable of using identical methods to totally compromise and backdoor devices.

Symbiote also utilizes the LD_PRELOAD directive to load itself into running processes, rendering itself as a system-wide parasite without any traces of infection.

BPFDoor, another recently detected malware targeting Linux systems, disguises itself by using the names of common Linux daemons, which helps it in remaining undetected for five years or even more.

Both these strains use BPF (Berkeley Packet Filter) hooking functionality to monitor and control network traffic, thus helping hide their communication channels from security tools.

For more information, read the original story in Bleeping Computer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web