In this article we will provide a deep technical analysis of a new and fully undetected Linux threat named OrBit.
General Information: Linux is a family of operating systems that typically run on the Unix-like set of computers, including the GNU and Linux operating systems. It is often described as a kernel or all-in-one package (and written in C). The design and features with Linux varies depending on who’s telling the story. It can be seen as both an engineering miracle and a hacker’s dream come true. Linux was originally created by Linus Torvalds in 1991 as a free alternative to proprietary Unix systems. Besides operating systems, Linux is used for a variety of other software applications such as word processors, spreadsheets, and games. The term “Linux” is sometimes used as a synonym for GNU. Linux helps to write software that answers the needs of users in a fast manner. The idea behind Linux is to create a sort of operating system that can be easily modified by any user. This makes it better than the proprietary operating systems because anyone can write programs and distribute them free of charge or sell them through their own company.
Technical Analysis: The malware implements advanced evasions techniques and gains persistence on machines by hooking key functions. It provides the threat actors with the ability to remotely access the compromised system via SSH, harvests user credentials, and logs Tty commands. Once the malware has been installed, it will infect all of your running processes, including any newly started ones. Unlike other threats that use the environment variable LD_ PRELOAD to modify the system, this malware uses 2 separate methods to load the malicious library into memory. The first way is to add the shared object to the config file that is used by loaders. The second way is to patch the binary of the loader so it loads the malicious shared object.
The dropper installs a payload and prepares the environment so that the malware can run. Malware can be installed as a persistent module or without persistence capabilities. It receives command line args and based on them it decides where to extract the payload. You can change the installation path by using the command line arguments. You can update or completely uninstall the content of the payload by changing the content of the payload file. From now on, we will just refer to the folder where the malware has been placed as MALWARE_FOLDER.
To install the payload into the shared libraries that are loaded by the dynamic link loader, the dropper uses a function called patch_ld. It first checks if the malicious payload has been loaded by searching for the file path used by the malware using the symbolic link of the shared object. If it is determined that the function can be swapped with the other location. If you don’t pass any arguments, it looks for /etc/ld.so.[something] and replaces it with a symbolic ld.so link to the location of the malicious library. Finally, it will append /tmp/libc.so.6 to the end of the temporary file to ensure that the malicious library will load before libc.so.6.
The malware will create 4 additional files that will be used later :
/lib/libntpVnQE6mk/.logpam /lib/libntpVnQE6mk/sshpass.txt /lib/libntpVnQE6mk/sshpass2.txt /lib/libntpVnQE6mk/.ports
And the dropper writes the following 2 files, to grant the threat actors remote access.
The payload is a.so file that can be placed either on persistent storage, for example /lib/libntpvnQE6mk/ or in shim memory under /dev/shm/lxd/. If it’ s placed in the first path, the malware will be persistent; if not, it will not survive restart.
The shared object hooks into three libraries: libc, Libcap, and PAM. Malware that uses these functions will essentially use them, and new malware will hook into the malicious library as well. This allows the malware to infect the entire system and steal credentials, evade detection, and gain persistence. It also provides remote access for the attacker.
When implementing the hook of libc functions, it first calls sys_call with the corresponding system call numbers as shown in the screenshot below. Strings are encrypted using simple XOR encryption with a hardcoded key (a string).
OrBit’s evasion techniques
The Malware hooks multiple functions to prevent these functions from outputting information that could reveal its presence in the running processes or files being used by the malware itself. The malware uses a fixed GID value to identify the files and services that are related to the infection and based on that it manipulates the behavior of the hooked function. For example, readdir() is hooked to check the GIDs of the calling processes, if they don’t match the hardcoded values, all of the directories whose GIDs are equal to the hardcoded values will be excluded from the function’s output.
Malware hooks functions that open files, including fopen, open, open64, and openat. It then checks if the file that has been opened is part of the proc filesystem. One of the paths being checked is /proc/. tcp because it can reveal the network traffic generated by a backdoor. The way in which this malware handles the output of its file is similar to other malware files that are being opened. It resembles the implementation in Symbiotes. The hooked function reads each line of the content of the file, one line at a tme, and checks if the line matches any of the lines in MALWARE_FOLDERS/.ports. If so, it writes the IP address and port number of the matching line into MALWARE_FINDING_FILE. Malware creates a temporary file and writes only the parts of the code that don’t expose the malware. Once the file has been processed, the malware returns the temporary file descriptor back to the caller.
When the malware was first discovered, the dropper and payload components of Orbit were completely undetected by anti-virus engines. However, some anti-malwares have since updated their products to detect the malware.
This malware uses Xor encrypted strings and steals passwords, similar to other Linux backdoors. Unlike other threats, this malware uses multiple commands and utilities to steal information and store it in specific files on the computer. Besides, there is a wide usage of files for storing large amounts of data. The interesting thing about this malware is its almost hermetic hooking into libraries on the victim machine. It allows the malware to persist and evade detection while stealing data and setting an SSH backdoor.