A new Linux rootkit built from open source code publicly available on GitHub has been discovered in the wild by security researchers at Avast. Rootkits are a type of malware that intercepts communication between a user and the operating system, allowing the malware to hide its files, processes, and network activity. They are also notoriously hard to write, because of the complexity of the underlying operating system and a tendency to crash the target computer when done incorrectly.
Unlike the Symbiote rootkit, which relies on LD_PRELOAD and shared objects, Syslogk deploys a kernel module inserted directly into the running kernel via the Linux ‘insmod’ command. This gives it an immediate way to intercept system calls without restarting the host or its services.
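As an added example (not code from Avast's analysis or from Syslogk), one cross-check a defender can run against a kernel-module rootkit that unlinks itself from the kernel's module list: a module hidden from /proc/modules (and therefore from lsmod) often still leaves a /sys/module/<name> directory behind. The sample data is constructed, and 'evilmod' is a placeholder name.

```python
"""Spot kernel modules that sysfs knows about but /proc/modules does not list.
Added example, not code from the Avast write-up: an LKM rootkit that unlinks
itself from the kernel module list vanishes from /proc/modules and lsmod, but
its /sys/module/<name> directory is often left behind. Comparing the two views
is a cheap cross-check. The sample data below is constructed, not captured.
"""
import os

def parse_proc_modules(text):
    """Return the module names (first column) from /proc/modules-style text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names

def find_hidden_modules(proc_modules_text, sysfs_names, builtin_names=()):
    """Names present in sysfs but missing from /proc/modules, sorted.
    Built-in (non-loadable) code also appears under /sys/module and never in
    /proc/modules; callers pass those names in builtin_names."""
    listed = parse_proc_modules(proc_modules_text)
    return sorted(set(sysfs_names) - listed - set(builtin_names))

def scan_live_system():
    """Run the comparison on this host (Linux only; needs /proc and /sys)."""
    with open("/proc/modules") as fh:
        proc_text = fh.read()
    loadable, builtin = [], []
    for name in os.listdir("/sys/module"):
        # Loadable modules expose an 'initstate' attribute; built-ins do not.
        if os.path.exists(os.path.join("/sys/module", name, "initstate")):
            loadable.append(name)
        else:
            builtin.append(name)
    # A rootkit that also removes its sysfs kobject evades this check.
    return find_hidden_modules(proc_text, loadable, builtin)

# Constructed sample: /proc/modules lists three modules, sysfs knows a fourth.
SAMPLE_PROC_MODULES = """\
ext4 786432 2 - Live 0xffffffffc0a00000
xor 24576 1 raid456, Live 0xffffffffc0900000
e1000 167936 0 - Live 0xffffffffc0800000
"""
SAMPLE_SYSFS = ["ext4", "xor", "e1000", "evilmod"]  # 'evilmod' is a placeholder

if __name__ == "__main__":
    print(find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))  # ['evilmod']
```

A clean result only means the module list and sysfs agree; it does not prove the kernel is free of a rootkit that scrubs both views.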
During the analysis of Syslogk, it was found to be used in tandem with Rekoobe, a family of malware that acts as a trojan on Linux systems. Rekoobe lets the threat actor masquerade as a legitimate network service, in this case SMTP, and pass as legitimate during surface-level analysis. However, when the SMTP server receives a ‘magic packet’, it can spawn a shell that gives the threat actor access to the system.