
Linux rootkit ‘Syslogk’ uses magic packets to stay hidden in the device

Syslogk, a Linux rootkit, is being used by attackers together with ‘magic packets’ to wake a dormant backdoor on the device.

Once Linux rootkit malware is installed on a device, it intercepts legitimate Linux commands to prevent certain information, such as files or folders, from being displayed. Rootkits are malware installed as kernel modules in the operating system. Kernel modules are pieces of code that can be loaded into and unloaded from the kernel on demand. A magic packet works as a standard wake-up frame that targets a specific network interface. It enables remote access to a computer even in power-saving mode.

Syslogk is still in an early stage of development and is based on Adore-ng, an old open-source rootkit. It can also force itself to load as a Linux kernel module in order to load a backdoor named Rekoobe.

Syslogk hides itself from manual detection by the system; only an exposed interface can reveal its file. The Rekoobe backdoor likewise remains dormant until the rootkit receives magic packets from the threat actor.
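A kernel-module rootkit that hides from the usual module listing can sometimes still be spotted by comparing two views the kernel keeps of its loaded modules. The script below is an added example for defenders, not code from the article or from Avast, and it makes no claim about which lists Syslogk specifically removes itself from: it parses `/proc/modules` (what `lsmod` reads) and compares it against the module directories under `/sys/module` that carry an `initstate` file (present only for loadable modules). Names that appear in sysfs but not in `/proc/modules` deserve a closer look. The sample listing and the module name `hidden_sample_mod` are constructed for the demonstration.

```python
"""Cross-check /proc/modules against /sys/module to flag hidden kernel modules.

Added example, not part of the article. The sample data below is constructed.
"""
import os


def parse_proc_modules(text):
    """Return the set of module names from text in /proc/modules format.

    Each line looks like: name size refcount deps state address
    Only the first field (the module name) is needed here.
    """
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def find_hidden_modules(proc_modules_text, sysfs_module_names):
    """Return module names visible in sysfs but missing from /proc/modules.

    A discrepancy is not proof of a rootkit, but it is exactly the kind
    of inconsistency a module that unlinks itself from the kernel's
    module list would leave behind, so it warrants manual review.
    """
    visible = parse_proc_modules(proc_modules_text)
    return sorted(set(sysfs_module_names) - visible)


def loaded_sysfs_modules(sys_module_dir="/sys/module"):
    """Names under /sys/module that have an 'initstate' file.

    /sys/module also has entries for built-in kernel code and for
    parameter-only modules; only loadable modules that were actually
    loaded expose 'initstate', so this filters the list to those.
    """
    names = []
    for name in os.listdir(sys_module_dir):
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
            names.append(name)
    return names


# Constructed sample input: two modules listed normally, one that only
# shows up in sysfs (standing in for a module hidden from /proc/modules).
SAMPLE_PROC_MODULES = """\
ext4 778240 1 - Live 0xffffffffc0a00000
e1000 159744 0 - Live 0xffffffffc0900000
"""
SAMPLE_SYSFS_MODULES = ["ext4", "e1000", "hidden_sample_mod"]


if __name__ == "__main__":
    # Run against the constructed sample first...
    print("sample:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_MODULES))
    # ...then against the live system when run on Linux as a quick check.
    if os.path.exists("/proc/modules") and os.path.isdir("/sys/module"):
        with open("/proc/modules") as f:
            live = find_hidden_modules(f.read(), loaded_sysfs_modules())
        print("live system:", live or "no discrepancies")
```

Run it on a Linux host to list any module that sysfs knows about but `/proc/modules` does not; an empty result only means this particular inconsistency is absent, since a rootkit may scrub both views, so treat the check as one signal among several rather than a verdict.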

Upon detecting a proper magic packet, Syslogk either starts or stops the backdoor, depending on the instruction it receives. This makes manual inspection impossible.

Avast said, “We observed that the Syslogk rootkit (and Rekoobe payload) perfectly align when used covertly in conjunction with a fake SMTP server.”

The backdoor remains completely hidden, in memory and on disk, until it receives a magic packet from the threat actor. This is why Linux rootkit malware can be such a hazardous cybersecurity threat.
