A newly discovered Linux malware is being used to stealthily steal information from backdoored Linux systems and infect all running processes on the machine.

Dubbed OrBit by Intezer Labs security researchers who first spotted it, this malware hijacks shared libraries to intercept function calls by modifying the LD_PRELOAD environment variable on compromised devices.

While it can gain persistence using two different methods to block removal attempts, OrBit can also be deployed as a volatile implant when copied in shim-memory.

It can also hook various functions to evade detection, control process behavior, maintain persistence by infecting new processes, and hide network activity that would reveal its presence. For instance, once it injects into a running process, OrBit can manipulate its output to hide any traces of its existence by filtering out what gets logged.

"The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands," Intezer Labs security researcher Nicole Fishbein explained. "Once the malware is installed, it will infect all of the running processes, including new processes, that are running on the machine."

Although OrBit's dropper and payload components were completely undetected by antivirus engines when the malware was first spotted, some anti-malware vendors have since updated their products to warn customers of its presence.
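A defender's check for the LD_PRELOAD hijack described above, added here as an example (not code from Intezer Labs or the original article): it reads each process's exec-time environment from `/proc` and reports preloaded libraries outside an allowlist. The allowlist path and the sample records are constructed for illustration.

```python
import os
import re

# Assumption: libraries this host preloads on purpose (hypothetical path).
ALLOWLIST = {"/usr/lib/libexample-profiler.so"}

# Constructed sample of (pid, comm, raw /proc/<pid>/environ) records.
SAMPLE = [
    (412, "sshd", b"PATH=/usr/bin\0LD_PRELOAD=/opt/constructed/libhook.so\0"),
    (530, "cron", b"PATH=/usr/bin\0NOT_LD_PRELOAD=/tmp/x.so\0"),
    (777, "app", b"LD_PRELOAD=/usr/lib/libexample-profiler.so:/tmp/b.so /tmp/c.so\0"),
]

def preload_entries(environ_raw):
    """Return the libraries LD_PRELOAD names in a raw environ blob."""
    for item in environ_raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key == b"LD_PRELOAD":
            # ld.so accepts spaces and colons as list separators.
            text = value.decode("utf-8", "replace")
            return [p for p in re.split(r"[ :]+", text) if p]
    return []

def read_proc(proc_root="/proc"):
    """Yield (pid, comm, environ) for each process readable under proc_root."""
    for name in sorted((n for n in os.listdir(proc_root) if n.isdigit()), key=int):
        try:
            with open(os.path.join(proc_root, name, "comm"), "rb") as fh:
                comm = fh.read().decode("utf-8", "replace").strip()
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                yield int(name), comm, fh.read()
        except OSError:
            continue  # process exited or is not readable by this user

def scan(records, allowlist=ALLOWLIST):
    """Report processes that preload a library outside the allowlist."""
    findings = []
    for pid, comm, raw in records:
        unexpected = [p for p in preload_entries(raw) if p not in allowlist]
        if unexpected:
            findings.append({"pid": pid, "comm": comm, "preload": unexpected})
    return findings

if __name__ == "__main__":
    records = read_proc() if os.path.isdir("/proc/self") else SAMPLE
    for f in scan(records):
        print(f["pid"], f["comm"], "LD_PRELOAD=" + " ".join(f["preload"]))
```

Because the article says OrBit filters the output of processes it has injected into, treat a clean result from a live host as inconclusive.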