Orbit Linux Malware that hijacks Execution Flow

MOC Cybersecurity

Created: 2022-07-08
Tags: #fleeting


It temporarily stores the output of executed commands ("/tmp/.orbit")

Security researcher Nicole Fishbein said: "Can be installed with persistence capabilities or as a volatile implant"

Has advanced evasion techniques and gains persistence on machines

  • Hooks key functions
    It provides the threat actor with remote access capabilities over SSH, harvests credentials and logs TTY commands

OrBit is the fourth Linux malware to have come to light in a short span of three months after BPFDoor, Symbiote, and Syslogk.

Designed a lot like Symbiote

  • Infects all running processes on the compromised machine

But unlike the latter, which leverages the LD_PRELOAD environment variable to load the shared object, OrBit employs two different methods.

The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so that it will load the malicious shared object.

Questions for above line
#myquestion What is shared object here?
#myquestion Also, what does loader mean?
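A triage script for the two loading methods above (an entry in the loader's config file, or a patched loader). Added example, not code from the Intezer write-up or from the malware; it assumes a glibc host, where the loader is ld.so, its config file is /etc/ld.so.preload and the loader binary contains that path as a string, plus a SHA-256 of the loader recorded from a clean install of the same build.

```python
"""Triage helpers for the two OrBit loading methods. Assumptions: glibc host
(/etc/ld.so.preload is the loader's config file and ld.so embeds that path),
a known-good SHA-256 of ld.so from a clean install, and /proc/<pid>/maps
captured with a statically linked tool, since OrBit hooks libc inside every
process that loads it."""
import hashlib
import re

# /proc/<pid>/maps: address perms offset dev inode pathname (no path -> skipped)
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(/\S+)$")

def preload_entries(preload_text: str) -> list[str]:
    """Library paths listed in ld.so.preload text; comments and blanks ignored.
    The file is normally absent or empty, so any entry deserves a look."""
    entries = []
    for raw in preload_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries

def mapped_objects(maps_text: str) -> set[str]:
    """Paths of all file-backed mappings in one process's maps text."""
    return {m.group(1) for m in map(MAPS_LINE.match, maps_text.splitlines()) if m}

def loader_tampered(loader_bytes: bytes, baseline_sha256: str) -> bool:
    """True when the loader's hash differs from the clean baseline or the
    preload path string is gone (a loader patched to read another file)."""
    digest = hashlib.sha256(loader_bytes).hexdigest()
    return digest != baseline_sha256 or b"/etc/ld.so.preload" not in loader_bytes

def triage(preload_text: str, maps_text: str, loader: bytes, baseline: str) -> dict:
    """A preload entry that is also mapped into a process means the injection
    is live, not just staged."""
    entries = preload_entries(preload_text)
    mapped = mapped_objects(maps_text)
    return {"preload_entries": entries,
            "preload_mapped": [p for p in entries if p in mapped],
            "loader_tampered": loader_tampered(loader, baseline)}

# Constructed sample data standing in for the live files (not real IoCs).
SAMPLE_PRELOAD = "# added by dropper\n/lib/libexample-hook.so\n"
SAMPLE_MAPS = ("7f10000000-7f10020000 r-xp 00000000 08:01 4242 /lib/x86_64-linux-gnu/libc.so.6\n"
               "7f10100000-7f10104000 r-xp 00000000 08:01 4343 /lib/libexample-hook.so\n"
               "7ffd0000000-7ffd0021000 rw-p 00000000 00:00 0 [stack]\n")
CLEAN_LOADER = b"\x7fELF...rtld...\x00/etc/ld.so.preload\x00"
CLEAN_BASELINE = hashlib.sha256(CLEAN_LOADER).hexdigest()
PATCHED_LOADER = CLEAN_LOADER.replace(b"/etc/ld.so.preload", b"/etc/ld.so.hijack")

if __name__ == "__main__":
    print(triage(SAMPLE_PRELOAD, SAMPLE_MAPS, PATCHED_LOADER, CLEAN_BASELINE))
```

On a live host, feed it the real /etc/ld.so.preload, the maps of a long-running process, and the bytes of the ld.so that `ldd` or `readelf -l /bin/ls` reports as the interpreter.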

The attack chain commences with an ELF dropper file that's responsible for extracting the payload ("libdl.so") and adding it to the shared libraries that are being loaded by the dynamic linker.

The rogue shared library is engineered to hook functions from three libraries — libc, libcap, and Pluggable Authentication Module (PAM)

  • essentially permitting it to harvest credentials
  • hide network activity
  • set up remote access to the host over SSH

OrBit relies on a barrage of methods that allow it to function without revealing its presence and to establish persistence in a manner that makes it difficult to remove from the infected machines.

Once engaged, the backdoor's ultimate goal is to steal information by hooking the read and write functions to capture data that's being written by the executed processes on the machine, including bash and sh commands, the results of which are stored in specific files.