New stealthy OrBit malware steals data from Linux devices

A newly discovered Linux malware is being used to stealthily steal information from backdoored Linux systems and infect all running processes on the machine.

Dubbed OrBit by Intezer Labs security researchers who first spotted it, this malware hijacks shared libraries to intercept function calls by modifying the LD_PRELOAD environment variable on compromised devices.

While it can gain persistence using two different methods to block removal attempts, OrBit can also be deployed as a volatile implant when copied in shim-memory.

It can also hook various functions to evade detection, control process behavior, maintain persistence by infecting new processes, and hide network activity that would reveal its presence.

For instance, once it injects into a running process, OrBit can manipulate its output to hide any traces of its existence by filtering out what gets logged.

"The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands," Intezer Labs security researcher Nicole Fishbein explained.

"Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine."

Although OrBit's dropper and payload components were completely undetected by antivirus engines when the malware was first spotted, some anti-malware vendors have since updated their products to warn customers of its presence.

Linux malware surge?

OrBit is not the first highly-evasive Linux malware that has surfaced recently, capable of using similar approaches to fully compromise and backdoor devices.

Symbiote also uses the LD_PRELOAD directive to load itself into running processes, acting as a system-wide parasite and leaving no signs of infection.

BPFDoor, another recently spotted malware targeting Linux systems, camouflages itself by using the names of common Linux daemons, which helped it remain undetected for more than five years.

Both these strains use BPF (Berkeley Packet Filter) hooking functionality to monitor and manipulate network traffic which helps hide their communication channels from security tools.

A third Linux malware, a rootkit under heavy development dubbed Syslogk and unveiled by Avast researchers last month, can force-load its own modules into the Linux kernel, backdoor compromised machines, and hide directories and network traffic to evade detection.

Even though not the first or the most original malware strain targeting Linux lately, OrBit still comes with its share of capabilities that set it apart from other threats.

"This malware steals information from different commands and utilities and stores them in specific files on the machine. Besides, there is an extensive usage of files for storing data, something that was not seen before," Fishbein added.

"What makes this malware especially interesting is the almost hermetic hooking of libraries on the victim machine, that allows the malware to gain persistence and evade detection while stealing information and setting SSH backdoor."