Linux: This new “evasive” malware creates a backdoor to steal passwords


A recently discovered form of Linux malware creates a backdoor in infected machines and servers, allowing cybercriminals to steal sensitive information discreetly while maintaining their presence on the network.

Detailed by Intezer cybersecurity researchers, the previously undetected malware was named Orbit after the filenames it uses to temporarily store the results of executed commands.

Linux is a popular operating system for servers and cloud infrastructure, making it a tempting target for cybercriminals. The Orbit malware provides cybercriminals with remote access to Linux systems, allowing them to steal usernames and passwords and record TTY commands – the entries made in the Linux terminal.

Stealing information from SSH connections

Additionally, the malware can infect the processes running on the machine, which ultimately gives attackers the control over the system they need to monitor it and steal information, while maintaining a backdoor into compromised systems.

Once installed, Orbit establishes a remote connection with the machine and hooks the functions of the Linux Pluggable Authentication Module (PAM). By doing so, the malware can steal information from Secure Shell Protocol (SSH) connections, providing remote access to attackers while concealing the network activity from the victim.

Orbit is also designed to be highly persistent, which makes it difficult to remove from a running infected machine. It achieves this by adding instructions that cause the malware to be loaded before any other process.

The malware is also configured to evade detection: it manipulates the output of commands so that information which could reveal Orbit's presence is never shown, and its malicious activity is not detailed.

“Unlike other threats, this malware steals information from different commands and utilities and stores it in specific files on the machine,” said Nicole Fishbein, security researcher at Intezer. “Threats that target Linux continue to evolve while managing to stay under the radar of security tools; now Orbit is just one more example of how new malware can be evasive and persistent,” she added.

Cloud services and servers that are misconfigured by mistake can allow unauthorized intruders to access systems. Organizations should ensure that their cloud setup is properly managed to avoid weaknesses of this kind, which could allow attackers to gain access to their networks.


Source: “ZDNet.com”
