Threat Watch

New Linux Syslogk Rootkit Found in the Wild

A new Linux rootkit built on open source code publicly available on GitHub (the Adore-Ng rootkit) has been discovered in the wild by security researchers at Avast. Rootkits are a type of malware that sits between the user's tools and the operating system, letting the malware hide files, processes, and network activity from anyone inspecting the machine. They are also notoriously hard to write: the underlying kernel is complex, and a mistake tends to crash the target computer rather than fail quietly.

Unlike the Symbiote rootkit, a userland rootkit that relies on LD_PRELOAD to load a shared object into every process, Syslogk is a loadable kernel module inserted directly into the running kernel with the Linux ‘insmod’ command. Running inside the kernel lets it hook kernel functions immediately, without restarting the host or its services, and places it below the userland tools that would otherwise be used to spot it.

During the analysis of Syslogk, it was found to be used in tandem with Rekoobe, a family of Linux trojans (backdoors). Rekoobe lets the threat actor masquerade as a legitimate network service, in this case an SMTP server, so that it passes surface-level inspection. When a ‘magic packet’ is received by that fake SMTP server, however, it spawns a shell that gives the threat actor access to the system.

ANALYST NOTES

Rootkits present a substantial threat to all organizations. Detection is difficult because a compromised host misreports its own state: every host-based tool, Endpoint Detection and Response (EDR) agents included, asks the kernel for its list of files, processes, and sockets, and a kernel rootkit answers with a filtered view, providing a false sense of security. In these cases, network-based forensics can often provide clarity. For example, if an organization’s IDS/IPS, switches, or routers see suspicious traffic to and from a host, but host-based forensics do not show that same traffic, the discrepancy itself indicates a rootkit on that host. Unexplained crashes or instability can also be an indicator of a rootkit infection. Confirming an infection may require an in-depth comparison of the kernel’s system call table (and other function pointers) as they sit in memory against the addresses the kernel was built with, which are listed in ‘/boot/System.map-$(uname -r)’; with KASLR enabled the live addresses are shifted by a constant offset, so normalize for that slide before comparing.
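The two checks described in this note, as an added example that is not part of the original bulletin or of Avast’s tooling: the first diffs flows seen by the network (a constructed flow-collector export) against the host’s own ‘ss -ntp’ listing and reports what only the wire saw; the second takes a System.map excerpt and a snapshot of the live syscall table (both constructed, with made-up addresses), removes the KASLR slide using ‘_stext’, and flags entries that no longer point at the handler the map says they should. The flow line format, the syscall-number-to-handler mapping and all addresses are assumptions for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# --- Check 1: flows the network saw but the host does not report -------------
# Constructed sample data (not from a real incident). One flow per line, in the
# shape a flow collector or IDS might export it.
NETWORK_FLOWS = """\
2022-06-13T10:01:02 tcp 10.0.0.5:41932 -> 203.0.113.7:25
2022-06-13T10:01:09 tcp 10.0.0.5:52210 -> 198.51.100.20:443
2022-06-13T10:02:44 tcp 10.0.0.5:41940 -> 203.0.113.7:25
"""

# Constructed `ss -ntp` output captured on the host at the same time.
HOST_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:52210     198.51.100.20:443 users:(("curl",pid=2231,fd=3))
"""

FLOW_RE = re.compile(r"^\S+\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")


def parse_flows(text: str) -> Set[Tuple[str, str, str]]:
    """(proto, src, dst) triples from the collector export."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.add((m["proto"], m["src"], m["dst"]))
    return flows


def parse_ss(text: str) -> Set[Tuple[str, str, str]]:
    """(proto, local, peer) triples from `ss -ntp` (TCP only, header skipped)."""
    socks = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            socks.add(("tcp", parts[3], parts[4]))
    return socks


def wire_only_flows(network_text: str, host_text: str) -> List[Tuple[str, str, str]]:
    """Flows on the wire with no matching socket on the host: rootkit candidates."""
    return sorted(parse_flows(network_text) - parse_ss(host_text))


# --- Check 2: live syscall table vs. /boot/System.map, KASLR-normalized -------
# Constructed System.map excerpt ("<address> <type> <symbol>"); addresses are
# illustrative and do not belong to any real kernel build.
SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff81234560 T __x64_sys_read
ffffffff81234780 T __x64_sys_write
ffffffff81235000 T __x64_sys_getdents64
"""

# Assumed handler per x86-64 syscall number (read=0, write=1, getdents64=217).
EXPECTED = {0: "__x64_sys_read", 1: "__x64_sys_write", 217: "__x64_sys_getdents64"}

# Constructed snapshot of the live table (e.g. read from a memory image). KASLR
# slid the kernel by 0x1c000000; entry 217 points into the module address range.
LIVE_STEXT = 0xFFFFFFFF9D000000
LIVE_TABLE = {0: 0xFFFFFFFF9D234560, 1: 0xFFFFFFFF9D234780, 217: 0xFFFFFFFFC0A01120}


def parse_system_map(text: str) -> Dict[str, int]:
    symbols = {}
    for line in text.splitlines():
        addr, _kind, name = line.split()
        symbols[name] = int(addr, 16)
    return symbols


def check_syscall_table(system_map: str, expected: Dict[int, str],
                        live_table: Dict[int, int], live_stext: int) -> Dict[int, Tuple[str, str]]:
    """Map syscall number -> (expected handler, what the live entry resolves to)
    for every entry that does not point where System.map says it should."""
    symbols = parse_system_map(system_map)
    slide = live_stext - symbols["_stext"]          # KASLR offset for this boot
    by_live_addr = {addr + slide: name for name, addr in symbols.items()}
    hooked = {}
    for nr, name in expected.items():
        live = live_table.get(nr)
        if live is not None and live != symbols[name] + slide:
            hooked[nr] = (name, by_live_addr.get(live, "<not in System.map: likely module code>"))
    return hooked


if __name__ == "__main__":
    for flow in wire_only_flows(NETWORK_FLOWS, HOST_SS_OUTPUT):
        print("seen on wire only:", flow)
    for nr, (want, got) in check_syscall_table(SYSTEM_MAP, EXPECTED, LIVE_TABLE, LIVE_STEXT).items():
        print(f"syscall {nr}: expected {want}, live entry resolves to {got}")
```

On a real case, feed the first check a flow export that covers the same window as the host capture, and remember that a short-lived connection can legitimately be absent from a single ‘ss’ snapshot; repeated wire-only flows to the same peer are the signal. The second check needs the live table from something the rootkit cannot filter, such as a memory image taken with an acquisition tool, rather than from /proc on the suspect host.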
Avast analysts found that the Syslogk rootkit can be revealed (unhidden, so that it appears in the module list again) by writing 1 to its /proc entry. Note the spacing: ‘1>’ with no space is a file-descriptor redirect and writes nothing useful.
• echo 1 > /proc/syslogk
The module can then be removed from memory with:
• rmmod syslogk
They also provided several useful tools for detecting and analyzing Syslogk that can be found on their GitHub:

https://github.com/avast/ioc/tree/master/SyslogkRootkit

Linux Threat Hunting: ‘Syslogk’ a kernel rootkit found under development in the wild