Cybersecurity researchers have identified yet another previously unknown Linux malware family, named OrBit. It continues a worrying trend: threat actors keep building tooling for the operating system that is designed to stay hidden, so potential victims have little chance of noticing the compromise.
How did the name "OrBit" come about? It was taken from one of the file names the malware uses to temporarily store the output of executed commands, "/tmp/.orbit".
Nicole Fishbein, a researcher at Intezer who has been heavily involved in the analysis, said: "It can be installed either with persistence capabilities or as a volatile implant. The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands."
As many may recall, three other Linux malware families were discovered in the three months leading up to this announcement: BPFDoor, Symbiote, and Syslogk.
OrBit resembles Symbiote in construction, since both are built to infect every running process on the target machine. Where Symbiote relies only on the LD_PRELOAD environment variable to load its shared object, however, OrBit uses two methods.
Fishbein provided this explanation: "The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so it will load the malicious shared object." The infection starts with an ELF dropper that extracts the payload, a shared object named "libdl.so", and registers it so that the dynamic linker loads it into every process it starts.
The malicious shared object then hooks functions from three libraries: libcap, libc, and the Pluggable Authentication Modules (PAM) library. Existing and newly started processes end up calling the modified functions, which lets OrBit hide its network traffic, open remote access to the host over SSH, and harvest credentials without being noticed.
More worrying still, OrBit combines a broad set of evasion techniques with persistence designed to survive an organization's attempts to remove it.
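Both loading paths Fishbein describes, the loader's configuration file and a patched loader binary, end the same way: the payload is mapped into every process, and that is the angle from which a host can be checked. The triage script below is an added example written for this article; it is not Intezer's tooling and not code recovered from OrBit. It assumes a glibc-based Linux host, where the loader's preload list is the file /etc/ld.so.preload, and reads the standard /proc/<pid>/environ and /proc/<pid>/maps interfaces. The trusted-directory list and the sample paths in the tests are constructed for illustration.

```python
"""Host triage for the two shared-object loading paths described above.

Added, illustrative script, not Intezer's tooling or anything recovered from
OrBit. Assumptions: a glibc-based Linux host, where the loader's preload
configuration file is /etc/ld.so.preload and every process exposes its
environment and memory map under /proc/<pid>/.
"""
import os
import re

# Where a legitimately packaged shared object is expected to live. This list
# is an assumption; adjust it for the distribution you are triaging.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Pathname column of a /proc/<pid>/maps line that maps a file named *.so or *.so.N
_SO_PATH = re.compile(r"\S+\.so(\.\d+)*$")


def preload_entries(text):
    """Shared objects listed in ld.so.preload content.

    The loader accepts names separated by whitespace or ':' and ignores
    '#' comments. A clean host normally has no such file, or an empty one,
    so any entry here is worth explaining.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def env_preloads(environ_bytes):
    """LD_PRELOAD values in a /proc/<pid>/environ blob (NUL-separated entries)."""
    prefix = b"LD_PRELOAD="
    return [
        item[len(prefix):].decode(errors="replace")
        for item in environ_bytes.split(b"\0")
        if item.startswith(prefix)
    ]


def untrusted_mapped_objects(maps_text):
    """Shared objects mapped from outside TRUSTED_LIB_DIRS.

    Whether an implant arrives via LD_PRELOAD, ld.so.preload or a patched
    loader, it still has to be mmap'ed into the process, so it appears here.
    """
    suspicious = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(fields) < 6:
            continue
        path = fields[5].strip()
        if _SO_PATH.match(path) and not path.startswith(TRUSTED_LIB_DIRS):
            suspicious.add(path)
    return sorted(suspicious)


def scan_host(proc="/proc", preload_path="/etc/ld.so.preload"):
    """Run all three checks on the live host; returns findings keyed by check."""
    findings = {"preload": [], "env_preload": {}, "untrusted_objects": {}}
    if os.path.exists(preload_path):
        with open(preload_path) as fh:
            findings["preload"] = preload_entries(fh.read())
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/environ", "rb") as fh:
                env = env_preloads(fh.read())
            with open(f"{proc}/{pid}/maps") as fh:
                objs = untrusted_mapped_objects(fh.read())
        except OSError:
            continue  # process exited, or not readable without root
        if env:
            findings["env_preload"][int(pid)] = env
        if objs:
            findings["untrusted_objects"][int(pid)] = objs
    return findings


if __name__ == "__main__":
    for check, hits in scan_host().items():
        print(f"{check}: {hits if hits else 'nothing found'}")
```

Run it as root so that every process's maps and environment are readable. Two caveats follow directly from the article. First, the patched-loader path leaves /etc/ld.so.preload untouched, so only the maps check sees it; confirm the loader binary itself against the package database (for example `dpkg -V libc6` on Debian-derived systems or `rpm -V glibc` on RPM-based ones). Second, because the implant hooks libc in every process, a dynamically linked scanner, this Python interpreter included, may itself be running with the hooks installed and can be lied to; treat a clean result as weak evidence unless the scan was run from a statically linked tool or a trusted boot environment.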
Fishbein added: "What makes this malware especially interesting is the almost hermetic hooking of libraries on the victim machine, that allows the malware to gain persistence and evade detection while stealing information and setting an SSH backdoor. Threats that target Linux continue to evolve while successfully staying under the radar of security tools; now OrBit is one more example of how evasive and persistent new malware can be."
The experts at Webcheck Security can assist your organization in identifying weaknesses in your security defenses, both through penetration testing and through analysis by consulting Chief Information Security Officers (CISOs). Contact us today to explore your options!