According to recently released research, a new and previously undetected Linux threat dubbed OrBit has been discovered that infects systems to harvest credentials and log commands. The malware gets its name from a file it creates, /tmp/.orbit, to store the captured commands run on the system.
The attack chain starts with an ELF dropper that installs the payload and prepares the environment for the malware to run. Persistence and execution are achieved in one of two ways: either the malicious shared object is added to the preload configuration file read by the dynamic loader (/etc/ld.so.preload on glibc systems), or the loader binary itself is patched so that it loads the shared object. The malware is designed to infect every process on the system, including any process spawned after infection. Once loaded, the shared object hooks functions in three libraries: libc, libcap, and the Pluggable Authentication Module (PAM) library. Through these hooks the malware obtains remote access to the system via SSH, hides its network activity, and harvests credentials and executed commands. Everything it captures is written to locally created files for later exfiltration over the SSH access the threat actors have obtained.
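The two persistence mechanisms above are the first things a responder should check. The following shell script is an added triage example, not code from the OrBit research or from the malware itself; it assumes a glibc-based system where /etc/ld.so.preload is the loader's preload configuration file and the loader lives at one of the listed paths. The loader check is only a heuristic that flags a binary which no longer embeds the standard preload path string; package-manager verification is the reliable test for a patched loader.

```shell
#!/bin/sh
# Added triage example, not code from the OrBit research or the malware.
# Assumptions: glibc system, /etc/ld.so.preload is the loader's preload
# configuration file, and the loader is at one of LOADER_PATHS below.

LOADER_PATHS="/lib64/ld-linux-x86-64.so.2 /lib/ld-linux-aarch64.so.1 /lib/ld-linux.so.2"
PRELOAD_FILE=/etc/ld.so.preload

# Persistence path 1: a library listed in the preload file is injected into
# every dynamically linked program started afterwards.  Prints "clean" when
# the file is missing or holds only comments/blank lines; otherwise prints
# the listed libraries prefixed with "preload:".
check_preload() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo clean
        return 0
    fi
    libs=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f")
    if [ -z "$libs" ]; then
        echo clean
    else
        printf 'preload: %s\n' "$libs"
    fi
}

# Persistence path 2: the loader binary itself is patched.  Heuristic only:
# an unmodified glibc loader embeds the literal string /etc/ld.so.preload;
# a loader that no longer does has been altered (or is not glibc at all).
# Printable strings are extracted with tr so there is no binutils dependency.
check_loader() {
    ld="$1"
    if tr -c '[:print:]' '\n' < "$ld" | grep -q '/etc/ld\.so\.preload'; then
        echo clean
    else
        echo "patched?: standard preload path string not found"
    fi
}

# Definitive loader check: let the package manager verify libc's files
# (dpkg- or rpm-based systems; prints nothing when everything matches).
verify_libc_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V libc6 || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V glibc || true
    else
        echo "no dpkg/rpm; compare the loader against a known-good copy by hand"
    fi
}

run_triage() {
    printf '%s: ' "$PRELOAD_FILE"; check_preload "$PRELOAD_FILE"
    for ld in $LOADER_PATHS; do
        [ -e "$ld" ] || continue
        printf '%s: ' "$ld"; check_loader "$ld"
    done
    # The command log named in the research; its presence alone is a strong indicator.
    if [ -e /tmp/.orbit ]; then echo "artifact: /tmp/.orbit exists"; fi
    verify_libc_package
    return 0
}

# Run the checks only when invoked with --scan, so the functions can also be
# sourced into another script.
if [ "${1:-}" = --scan ]; then run_triage; fi
```

Run it as root with `sh triage.sh --scan`. A non-empty preload file is not proof of compromise on its own (some monitoring agents use it legitimately), so resolve each listed path and check who owns it and which package, if any, installed it.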
What sets OrBit apart from other recent Linux malware is mainly its unusual approach to hooking functions and its heavy reliance on storing captured data in files on the infected host.