
Communications of the ACM

ACM TechNews

Linux Malware Has a Sneaky Way of Staying Hidden


Rekoobe malware has been used by the group APT31 or what Microsoft calls Zirconium, a China state-sponsored threat actor.

Credit: Getty

Researchers at the software firm Avast have discovered the Syslogk Linux rootkit, which delivers a backdoor trojan, called Rekoobe, that is kept hidden on the targeted machine until triggered when a remote attacker transmits "magic packets."

Syslogk is mainly based on the Chinese open-source kernel rootkit for Linux, known as Adore-Ng, but adds new functionalities to make it harder to detect the user-mode application and the kernel rootkit.

The researchers believe the Chinese state-sponsored threat actor APT31, called Zirconium by Microsoft, developed Rekoobe and Syslogk to operate hand-in-hand.

The researchers said, "Instead of continuously running the payload, it is remotely started or stopped on demand by sending specially crafted network traffic packets."

They added, "In this implementation, an attacker can trigger actions without having a listening port in the infected machine such that the commands are, in some way, 'magically' executed in the system."
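The abstract describes two things a kernel rootkit hides: its own module and the user-mode payload. The classic defender check for both is a cross-view comparison: ask the kernel the same question through two interfaces and look for disagreements. The Python below is an added example written for this page, not Avast's code and not specific to Syslogk; it assumes a standard Linux procfs/sysfs layout. It compares /proc/modules (what lsmod reads) against /sys/module, excluding built-in modules by the presence of the initstate attribute, and compares the PIDs returned by listing /proc against a direct existence probe of each /proc/PID directory. The comparison functions take their inputs as arguments so they can be exercised on constructed data; the collector functions at the bottom gather live data.

```python
"""Cross-view checks for a kernel module and a process hidden from normal listings.
Added example for this page; hypothetical helpers, not part of any vendor tooling."""
import os


def unlisted_modules(proc_modules_text, sysfs_states):
    """Loadable modules that sysfs knows about but /proc/modules omits.

    proc_modules_text: raw contents of /proc/modules (first field is the name).
    sysfs_states: {module_name: True if /sys/module/<name>/initstate exists}.
      Built-in modules have no initstate file and never appear in /proc/modules,
      so they are skipped to avoid false positives.
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(name for name, loadable in sysfs_states.items()
                  if loadable and name not in listed)


def unlisted_pids(listed_pids, probe, max_pid):
    """PIDs that exist according to probe(pid) but are missing from the /proc listing.

    probe is injected so the logic can be tested with constructed data; live use
    passes proc_pid_exists below. Processes spawned between listing and probing
    show up as transient hits, so confirm a finding by repeating the check.
    """
    listed = set(listed_pids)
    return [pid for pid in range(1, max_pid + 1) if pid not in listed and probe(pid)]


# --- live collectors (Linux only) --------------------------------------------

def read_proc_modules():
    with open("/proc/modules") as fh:
        return fh.read()


def sysfs_module_states():
    return {name: os.path.exists(f"/sys/module/{name}/initstate")
            for name in os.listdir("/sys/module")}


def proc_listed_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def proc_pid_exists(pid):
    return os.path.exists(f"/proc/{pid}")


def pid_max():
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


if __name__ == "__main__":
    mods = unlisted_modules(read_proc_modules(), sysfs_module_states())
    pids = unlisted_pids(proc_listed_pids(), proc_pid_exists, pid_max())
    print("modules in /sys/module but not /proc/modules:", mods or "none")
    print("PIDs reachable but not listed in /proc:", pids or "none")
```

The check only catches a rootkit that filters one interface and not the other; a rootkit that hooks both directory listing and path lookup consistently will pass it, which is why such comparisons are one signal among several (memory forensics, integrity of loaded code, unexpected network behaviour) rather than a verdict on their own.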

From ZDNet


Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA

