Elain Brown Tech 07.08.2022 03:Jul AM EDT

New Malware Called OrBit Has Been Infecting, Stealing Data From Linux Devices

Linux systems are now being targeted with OrBit Malware devices.

On infected devices, the OrBit malware is said to modify the LD_PRELOAD environment variable in order to take control of shared libraries and then intercept function calls.

Due to the filenames it uses to temporarily store the results of instructions it has executed, the malware is known as OrBit by Intezer Labs.

After BPFDoor, Symbiote, and Syslogk, OrBit is the fourth Linux virus to be discovered in the span of just three months after the first three were discovered.

OrBit Malware Attacks on Linux

OrBit is a recently found piece of malware for devices using Linux operating systems that is currently being utilized to covertly steal information.

This malware is said to have backdoors installed, and it infects all processes that are currently active on the machine.

When the malicious software is installed, it will immediately begin to infect any and all processes that are running on the device, including any new processes that are started.

It is possible to install OrBit either as a volatile implant or with persistence capabilities.

According to Intezer, "The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands."

This particular piece of malware loads the dangerous library in one of two distinct ways.

The first method is to include the shared object in the configuration file that the loader employs.

The second method involves modifying the loader's binary file so that it loads the malicious shared object when it is invoked.

The dropper is responsible for installing the payload and preparing the environment for the execution of the malware. Malware can be installed either as a module that is volatile or with features that allow it to persist.

It takes the command-line arguments that are given to it and then extracts the payload to one of the locations, depending on the arguments.

As Intezer reports, "Using the command line arguments, the installation path can be swapped and the content of the payload can be updated or entirely uninstalled."

The Increasing Malware Threat on Linux

Linux is a popular open source operating system used by millions of people, most commonly by developers or software engineers.

Due to its popularity, it does not come as a surprise if malicious actors are drawn to it.

According to BleepingComputer, "OrBit is not the first highly-evasive Linux malware that has surfaced recently, capable of using similar approaches to fully compromise and backdoor devices."

Nowadays, malware that is designed to infect Linux computers has been steadily expanding and becoming more sophisticated.

Before OrBit, there was a Linux-targeting malware called Symbiote. Just like OrBit, Symbiote makes use of the LD PRELOAD directive to load itself into processes that are currently active.

This allows it to behave as a system-wide parasite while concealing any traces of infection. Which makes Symbiote an almost impossible malware to detect in a user's device.

Aside from Symbiote, another recently discovered piece of malware that targets Linux systems is called BPFDoor. This malware disguises itself by using the names of common Linux daemons, which allowed it to go unnoticed for more than five years.

BPFDoor is a backdoor malware that enables malicious actors to access a Linux shell and have full access to a device that has been compromised.

Even if this recent malware is not the first malware strain to attack Linux recently, nor is it the most unique, OrBit nonetheless comes with its fair share of characteristics that impose threats to a compromised device.