Linux’s new OrBit malware is used for stealing information

July 19, 2022

Threat actors are using a new Linux malware called OrBit to steal information from Linux systems stealthily. The malware also infects every running process on a compromised device.

Researchers first spotted the malware in a recent campaign. It hijacks shared libraries to intercept function calls by modifying the LD_PRELOAD environment variable on infected systems.

The primary objective of the backdoor is to exfiltrate information by hooking the read and write functions of the Linux operating system. This lets the operators harvest data from processes started on the machine, such as commands entered in bash and sh.

The malware also hooks several other functions to evade security detection, maintain persistence by infecting newly started processes, hide its network activity, and manipulate process behaviour. Furthermore, OrBit can run as a volatile implant when copied into shim memory.


OrBit malware uses two distinct strategies in establishing persistence on the targeted device.


Researchers indicated that OrBit obtains persistence using two different methods, which makes any attempt to remove it harder. The first is to add the path of the malware library to the /etc/ld.so.preload configuration file. This makes the dynamic loader load the backdoor into every new process before anything else.

For the second method, the backdoor copies the dynamic loader binary and patches the copy. The patch simply searches the binary for the hard-coded string /etc/ld.so.preload and, if found, replaces it with the path to a file inside the malware's directory. That file contains the path to the malware library, so it acts as a substitute ld.so.preload configuration file.

As a result, when the patched loader runs, it reads the preload file from the malware's directory instead of the one under /etc. As of now, OrBit is the fourth Linux malware family to have emerged in March.
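A defender-side check for the two persistence mechanisms just described, added here as an example rather than code from the original report: it flags any entry in an ld.so.preload file and detects a dynamic loader whose embedded /etc/ld.so.preload string has been rewritten. The sample loader bytes, the /opt/.hid/ path and the library names in the test data are constructed for illustration.

```python
"""Audit helpers for OrBit-style LD_PRELOAD persistence (constructed example)."""
import re
from pathlib import Path

CANONICAL = b"/etc/ld.so.preload"
# Any printable, NUL-free path that ends in ld.so.preload, e.g. a relocated copy.
PRELOAD_PATH_RE = re.compile(rb"/[\x21-\x7e]*?ld\.so\.preload")


def preload_entries(text: str) -> list:
    """Return the library paths listed in an ld.so.preload file.
    A clean system normally has no file or an empty one, so every entry
    deserves review (glibc ignores blank lines and '#' comments)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def loader_preload_paths(loader: bytes) -> dict:
    """Report whether the loader bytes still reference the canonical preload
    path, and list any other preload-like paths embedded in them."""
    found = [p.decode() for p in PRELOAD_PATH_RE.findall(loader)]
    return {
        "canonical_present": CANONICAL in loader,
        "other_paths": [p for p in found if p != CANONICAL.decode()],
    }


def audit(preload_text: str, loader: bytes) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"ld.so.preload lists {e}" for e in preload_entries(preload_text)]
    report = loader_preload_paths(loader)
    if not report["canonical_present"]:
        findings.append("loader no longer references /etc/ld.so.preload")
    for p in report["other_paths"]:
        findings.append(f"loader references unexpected preload file {p}")
    return findings


if __name__ == "__main__":
    # Real-host usage; the loader path is an assumption for x86-64 glibc.
    preload = Path("/etc/ld.so.preload")
    loader_path = Path("/lib64/ld-linux-x86-64.so.2")
    text = preload.read_text() if preload.exists() else ""
    data = loader_path.read_bytes() if loader_path.exists() else CANONICAL
    for finding in audit(text, data) or ["no preload persistence indicators"]:
        print(finding)
```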

OrBit can gain persistence and evade detection by several anti-malware solutions, so users should treat it as a severe threat to Linux systems. Experts advise organisations to use a threat intelligence provider to stay up to date with the latest emerging threats.
