The Syslogk Linux rootkit utilises curated packets to activate a backdoor

June 18, 2022

Syslogk, a newly discovered Linux rootkit, is being used in attacks to hide malicious processes and to wake a dormant backdoor on the device with specially crafted packets. The malware is believed to still be in development, and its authors appear to have based it on Adore-Ng, an old open-source rootkit.

Additionally, the new rootkit can force-load its modules on Linux kernel version 3.0 and later in order to hide directories and network traffic. Syslogk then loads a backdoor called Rekoobe.


The Syslogk Linux rootkit is installed as a kernel module in the operating system.


Once the rootkit is established, it can intercept legitimate Linux commands and filter out the information it does not want shown, such as the presence of folders, processes, or files. Syslogk also removes its own entry from the list of installed modules to bypass manual inspection. The only trace it leaves is an exposed interface in the “/proc” file system.
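One defender-side check for a module that has unlinked itself from the kernel's module list, as described above, is to compare what /proc/modules (the source for lsmod) reports against the per-module directories under /sys/module. This is an added example, not code from the article or from the researchers who analysed Syslogk; it assumes the rootkit only removes itself from the module list (the Adore-Ng technique) and leaves its sysfs entry in place, and it runs against a constructed sample rather than the live system.

```python
"""Find kernel modules missing from /proc/modules but still present in sysfs.
Added example; assumes the rootkit only unlinks itself from the module list."""
import os
import tempfile


def parse_proc_modules(text):
    """Return the set of module names in /proc/modules-style text (first column)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def sysfs_modules(sys_module_dir):
    """Return names of loadable modules with a sysfs entry. Built-in code also
    appears under /sys/module, so only entries with an 'initstate' file count."""
    found = set()
    for name in os.listdir(sys_module_dir):
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
            found.add(name)
    return found


def find_hidden_modules(proc_modules_path="/proc/modules", sys_module_dir="/sys/module"):
    """Loadable modules visible in sysfs but absent from /proc/modules."""
    with open(proc_modules_path) as fh:
        listed = parse_proc_modules(fh.read())
    return sorted(sysfs_modules(sys_module_dir) - listed)


def build_sample():
    """Constructed sample: three loaded modules, one of which ('evil_mod', a
    placeholder name) was unlinked from the module list. Returns (proc, sysdir)."""
    root = tempfile.mkdtemp()
    sys_dir = os.path.join(root, "module")
    for name in ("ext4", "evil_mod", "xt_nat", "builtin_only"):
        os.makedirs(os.path.join(sys_dir, name))
        if name != "builtin_only":  # built-ins have no initstate file
            with open(os.path.join(sys_dir, name, "initstate"), "w") as fh:
                fh.write("live\n")
    proc_path = os.path.join(root, "modules")
    with open(proc_path, "w") as fh:
        fh.write("ext4 700000 2 - Live 0xffffffffc0000000\n")
        fh.write("xt_nat 16384 1 - Live 0xffffffffc0100000\n")
    return proc_path, sys_dir


if __name__ == "__main__":
    print(find_hidden_modules(*build_sample()))  # ['evil_mod']
```

On a real host, call find_hidden_modules() with its defaults as root; a non-empty result is worth investigating alongside any unexpected entry under /proc.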

Moreover, Syslogk's additional features let its operators hide the directories containing the malicious files it drops on the host, hide network traffic and processes, and inspect all TCP packets. The rootkit can also remotely start or halt payloads.

A security researcher discovered one of the hidden payloads, a Linux backdoor dubbed Rekoobe. The Rekoobe backdoor stays dormant on the compromised device until the rootkit receives a specially crafted “magic packet” from its operators.

Syslogk then starts or stops the backdoor as instructed by the remote threat actors once it receives the corresponding magic packet. As long as no magic packet has been sent, the chance of detection is slim to none.

Moreover, Rekoobe is loaded in user-mode space, where detection is as complicated as it is for Syslogk in kernel mode. That is why the threat actors take such care in loading it, since this step is essential to the attack's success.

Rekoobe is based on TinySHell, another open-source project. Its primary objective is to give the attackers a remote shell on the infected device, which means Rekoobe can be used for remote code execution, information disclosure, data exfiltration, file operations, and account takeover.
