One Article Review
| Source |  Fortinet ThreatSignal |
|---|---|
| Identifiant | 5156224 |
| Date de publication | 2022-06-14 19:12:22 (vue: 2022-06-15 03:06:44) |
| Titre | Syslogk: Linux Rootkit with Hidden Backdoor Payload |
| Texte | FortiGuard Labs is aware of a report that a new rootkit for Linux that appears to be still in development was discovered. Namaed "Syslogk", the rootkit is based on Adore-Ng, an old open-source kernel rootkit for Linux. Syslogk is hides directories containing malicious files and does not load the hidden Rekoobe backdoor malware until specifically-crafted magic packets are received.Why is this Significant?This is significant because "Syslogk" is a Linux rootkit that is in development as such it may be used in real attacks in near future. The rootkit contains a new variant of Rekoobe backdoor that will be launched only upon receiving specifically crafted magic packets from the threat actor.What is Syslogk?Syslogk is a Linux rootkit that is reportedly based on an old open-source Linux kernel rootkit called "Adore-Ng".Syslogk rootkit is installed as kernel modules in the affected system and intercepts legitimate Linux commands in order to hide its files, folders, or processes. It can hide directories containing the malicious files dropped on the compromised machine, hides processes and network traffic, and remotely starts or stop payloads on demand. The rootkit is also capable of inspecting all TCP traffic. The rootkit also loads hidden Rekoobe backdoor only when it receives specifically-crafted magic packets from the threat actor.What is Rekoobe?Rekoobe is a Linux backdoor that is reportedly based on TinySHell, an open-source Unix backdoor. Rekoobe refers to its Command-and Control (C2) server and performs malicious activities based on remote commands it receives.What is the Status of Coverage?FortiGuard Labs provides the following coverage against Syslogk rootkit:Linux/Rootkit_Agent.BY!trFortiGuard Labs provides the following coverage against Rekoobe backdoor:Linux/Rekoobe.BLinux/Rekoobe.B!trLinux/Rekoobe.B!tr.bdrLinux/Rekoobe.D!trLinux/Rekoobe.F!trLinux/Rekoobe.N!trLinux/Agnt.A!trLinux/Agent.B!trLinux/Agent.BX!tr.bdrLinux/Agent.DL!trLinux/Agent.JO!trLinux/Agent.LF!trW32/Rekoobe.F!trW32/Multi.MIBSUN!tr.bdrELF/Rosta.487B.fam!tr.bdrAdware/AgentAdware/RekoobePossibleThreat |
| Envoyé | Oui |
| Condensat | 487b activities actor adore affected against agent all also appears are attacks aware backdoor backdoor:linux/rekoobe based bdradware/agentadware/rekoobepossiblethreat bdrelf/rosta bdrlinux/agent bdrlinux/rekoobe because blinux/rekoobe called can capable command commands compromised containing contains control coverage crafted demand development directories discovered does dropped fam files folders following fortiguard from future hidden hide hides inspecting installed intercepts its kernel labs launched legitimate linux load loads machine magic malicious malware may mibsun modules namaed near network new not old only open order packets payload payloads performs processes provides real received receives receiving refers rekoobe remote remotely report reportedly rootkit rootkit:linux/rootkit server significant source specifically starts status stop such syslogk syslogk: system tcp threat tinyshell traffic trfortiguard trlinux/agent trlinux/agnt trlinux/rekoobe trw32/multi trw32/rekoobe unix until upon used variant what when why will |
| Tags | Malware Threat |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.