OrBit Linux malware hijacks execution flow, researchers report


OrBit, a new and completely undetected Linux threat, has been revealed by cybersecurity researchers, signaling a growing trend of malware attacks aimed at the popular operating system.


According to the research conducted by the cybersecurity company Intezer, the name of the malicious software was derived from one of the filenames that was used to temporarily store the output of commands that were run ("/tmp/.orbit").


According to Nicole Fishbein, a researcher in the field of information security, "It can be installed either with persistence capabilities or as a volatile implant." It provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions.


After BPFDoor, Symbiote, and Syslogk, OrBit is the fourth Linux malware family to surface in the span of just three months.


OrBit operates much like Symbiote in that it is designed to infect every process running on a compromised machine. Whereas Symbiote loads its shared object by relying on the LD_PRELOAD environment variable, however, OrBit uses two distinct approaches.


According to Fishbein, the first method is to add the shared object to the configuration file used by the loader. "The second method is by patching the binary of the loader itself so that it will load the malicious shared object," Fishbein writes.


The attack chain begins with an ELF dropper file, which extracts the payload ("libdl.so") and adds it to the shared libraries loaded by the dynamic linker.


The malicious shared library is designed to hook functions from three different libraries: libc, libcap, and Pluggable Authentication Module (PAM). This causes both new and existing processes to use the modified functions, which gives it the ability to steal credentials, conceal network activity, and establish remote access to the host over SSH while remaining undetected.
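A defender-side check for the two library-loading mechanisms described above (an entry in the loader's preload configuration, or a library injected into running processes via LD_PRELOAD or an unusual path), as an added example that is neither Intezer's tooling nor code from the original report. It assumes a glibc host where /etc/ld.so.preload is the loader's preload file; the trusted directory list is an assumption to adjust per distribution.

```python
import glob
import os

# Directories system libraries are normally mapped from (assumption: adjust per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def parse_ld_so_preload(text):
    """Return library paths listed in /etc/ld.so.preload; any entry at all is unusual on a typical host."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # the loader ignores text after '#'
        if line:
            entries.extend(line.split())
    return entries

def untrusted_mappings(maps_text):
    """From /proc/<pid>/maps content, return .so files mapped from outside the trusted directories."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)            # address perms offset dev inode [path]
        if len(parts) == 6 and ".so" in parts[5] and not parts[5].startswith(TRUSTED_LIB_DIRS):
            found.add(parts[5])
    return sorted(found)

def preload_in_environ(environ_bytes):
    """Return the LD_PRELOAD value from /proc/<pid>/environ (NUL-separated), or None."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def scan_live_host():
    """Walk /proc on the running host and print findings (root is needed to read other users' environ)."""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", parse_ld_so_preload(f.read()))
    for proc in glob.glob("/proc/[0-9]*"):
        try:
            with open(proc + "/maps") as f:
                odd = untrusted_mappings(f.read())
            with open(proc + "/environ", "rb") as f:
                preload = preload_in_environ(f.read())
        except OSError:                        # process exited or permission denied
            continue
        if odd or preload:
            print(proc, "untrusted .so:", odd, "LD_PRELOAD:", preload)

if __name__ == "__main__":
    scan_live_host()
```

The second loading method, patching the loader binary itself, is not caught by this scan; verify the loader against the package manager's recorded checksums instead (for example `dpkg --verify` or `rpm -V`).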


In addition, OrBit is dependent on a multitude of techniques that enable it to perform its functions without drawing attention to its presence and to establish persistence in such a way that it is difficult to eradicate from computers that have been infected by it.


Once activated, the backdoor's ultimate purpose is to steal information: it hooks the read and write functions to capture data written by processes running on the machine, including bash and sh commands, and stores the results in specific files.


According to Fishbein, "what makes this malware especially interesting is the almost hermetic hooking of libraries on the victim machine." This allows the malware to gain persistence and evade detection while stealing information and setting up SSH backdoors.


"Threats that target Linux continue to evolve while successfully staying under the radar of security tools," and "now OrBit is one more example of how evasive and persistent new malware can be."
