
An investigation into a compromise of infrastructure hosted by Amazon Web Services (AWS) has uncovered a new GNU/Linux rootkit called LinkPro, according to Synacktiv findings.
“This backdoor has functionality that relies on the installation of two eBPF [extended Berkeley Packet Filter] modules, intended, on the one hand, to hide itself, and on the other hand, to activate it remotely upon receiving a ‘magic packet’,” said security researcher Théo Letailleur.
According to the French cybersecurity firm, the infection involved attackers exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 as a starting point, and then deploying a malicious Docker Hub image named “kvlnt/vv” (now removed) to multiple Kubernetes clusters.
The Docker image is built on a Kali Linux base and carries a folder called “app” containing three files:

- start.sh, a shell script that starts the SSH service and runs the other two files
- link, a copy of the open source program vnt, which establishes a VPN connection to vnt.wherewego[.]top:29872 and provides proxy functionality, allowing an attacker to reach the compromised server from anywhere and use it as a proxy to reach other servers
- vGet, a Rust-based downloader that retrieves an encrypted VShell payload from an S3 bucket and communicates with its own command-and-control (C2) server (56.155.98[.]37) over a WebSocket connection
Two other malware strains were also delivered to the Kubernetes nodes: a dropper that embeds another VShell backdoor, and LinkPro, a rootkit written in Go. Depending on its configuration, the stealthy malware operates in either passive (aka reverse) mode, in which it listens for commands and opens its C2 channel only after receiving specific TCP packets, or active (aka forward) mode, in which it initiates a direct connection to the C2 server.

Forward mode supports five communication protocols: HTTP, WebSocket, UDP, TCP, and DNS. Reverse mode uses only HTTP. LinkPro's execution unfolds in the following order:

1. Install the “Hide” eBPF module, which contains tracepoint- and kretprobe-type eBPF programs that hide processes and network activity. If installing the “Hide” module fails or it is disabled in the configuration, install the shared library libld.so at /etc/libld.so and register it in /etc/ld.so.preload instead.
2. If reverse mode is configured, install the “Knock” eBPF module, which contains two eBPF programs, one of the eXpress Data Path (XDP) type and one of the traffic control (TC) type, so that the C2 communication channel is only opened after a magic packet is received.
3. Establish persistence by configuring a systemd service.
4. Run commands received from the C2.
5. On interruption (SIGHUP, SIGINT, or SIGTERM), uninstall the eBPF modules, remove /etc/libld.so, and restore /etc/ld.so.preload to its original version.

In the fallback case, LinkPro modifies the /etc/ld.so.preload configuration file so that it lists the path of the libld.so shared library embedded within the rootkit; the library's main purpose is to hide the various artifacts that could reveal the presence of the backdoor.
“Thanks to the presence of the /etc/libld.so path in /etc/ld.so.preload, the libld.so shared library installed by LinkPro will be loaded by any program that requires /lib/ld-linux.so.2,” Letailleur explained. “This includes all programs that use shared libraries such as glibc.”
“When libld.so is loaded as a program (such as /usr/bin/ls) is run, it can hook certain libc functions (since it is loaded before glibc) to modify results that could reveal the presence of LinkPro.”
According to Synacktiv, the magic packet is a TCP packet whose window size field is set to 54321. When such a packet is detected, the Knock module records the packet's source IP address together with an expiration time one hour in the future. It then watches for further TCP packets whose source IP address matches a recorded, unexpired entry.
In other words, once the magic packet has been sent, the attacker has one hour in which to send commands to any port of their choosing. The Knock module rewrites the header of matching incoming TCP packets, replacing the original destination port with LinkPro's listening port (2333), and rewrites the corresponding outgoing packets, replacing the source port (2333) with the original destination port so that the flow looks consistent to the peer.

“The purpose of this operation is to allow operators to activate LinkPro command reception via any port allowed by the front-end firewall,” Synacktiv said. “This also makes the correlation between front-end firewall logs and the network activity of a compromised host more complex.”
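To make the Knock module's behaviour concrete, here is an added example (written for this page; it is not Synacktiv's analysis code and not LinkPro's eBPF programs) that emulates the same logic in Python over raw IPv4/TCP bytes: a packet with window 54321 registers its source address with a one-hour expiry, later packets from that address have their destination port steered to 2333 with an incremental TCP checksum fix, and replies get the original port restored. The packet builder, the sample addresses (203.0.113.9, 10.0.0.5), the port numbers other than 2333 and the map layout are assumptions; the window value, the TTL and the listening port come from the description above. The parser can equally be fed frames from a capture to spot activation attempts.

```python
"""Emulation of LinkPro's Knock logic over raw IPv4/TCP bytes.

Added example for this article, not code from Synacktiv or from LinkPro.
The packet builder, the sample addresses and the map layout are assumptions;
the window value, the 1-hour TTL and port 2333 come from the description.
"""
import ipaddress
import struct

MAGIC_WINDOW = 54321    # TCP window value that marks the magic packet
LISTEN_PORT = 2333      # LinkPro's real listening port
ACTIVATION_TTL = 3600   # seconds an activated source IP stays valid


def _fold(total):
    """Fold a sum into 16 bits with end-around carry (ones' complement)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Full checksum over the IPv4 pseudo-header plus a segment whose own
    checksum field is zero."""
    data = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, len(segment)) + segment)
    if len(data) % 2:
        data += b"\x00"
    return (~_fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))) & 0xFFFF


def csum_update(old_csum, old_val, new_val):
    """RFC 1624 incremental update for one changed 16-bit field: ~(~HC + ~m + m')."""
    return (~_fold((~old_csum & 0xFFFF) + (~old_val & 0xFFFF) + new_val)) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, window, flags=0x02):
    """Constructed sample packet: 20-byte IPv4 header (its own checksum left at 0,
    it is not needed here) followed by a 20-byte TCP header with a valid checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return the header fields the Knock module inspects, or None if not IPv4/TCP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, _, _, _, _, window, csum = struct.unpack("!HHIIBBHH", pkt[ihl:ihl + 18])
    return {"src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20])),
            "sport": sport, "dport": dport, "window": window, "csum": csum, "ihl": ihl}


def verify_tcp_checksum(pkt):
    """Recompute the TCP checksum from scratch and compare with the stored one."""
    hdr = parse_ipv4_tcp(pkt)
    seg = pkt[hdr["ihl"]:]
    return tcp_checksum(hdr["src"], hdr["dst"], seg[:16] + b"\x00\x00" + seg[18:]) == hdr["csum"]


def _patch(pkt, ihl, port_off, port, csum):
    """Overwrite one port field (offset 0 = source, 2 = destination) and the checksum."""
    p = bytearray(pkt)
    struct.pack_into("!H", p, ihl + port_off, port)
    struct.pack_into("!H", p, ihl + 16, csum)
    return bytes(p)


class KnockEmulator:
    """The two eBPF programs' logic: XDP side for ingress, TC side for egress."""

    def __init__(self):
        self.activated = {}   # source IP -> expiry timestamp (the module's per-IP map)
        self.flows = {}       # (peer IP, peer port) -> original destination port

    def ingress(self, pkt, now):
        """Returns (verdict, packet as it would be handed to the network stack)."""
        hdr = parse_ipv4_tcp(pkt)
        if hdr is None:
            return "pass", pkt
        src = hdr["src"]
        if src in self.activated and now >= self.activated[src]:
            del self.activated[src]                  # one-hour window elapsed
        if hdr["window"] == MAGIC_WINDOW:
            self.activated[src] = now + ACTIVATION_TTL
            return "magic", pkt
        if src not in self.activated or hdr["dport"] == LISTEN_PORT:
            return "pass", pkt
        # Activated source: steer whatever port the operator chose to the listener.
        self.flows[(src, hdr["sport"])] = hdr["dport"]
        csum = csum_update(hdr["csum"], hdr["dport"], LISTEN_PORT)
        return "redirected", _patch(pkt, hdr["ihl"], 2, LISTEN_PORT, csum)

    def egress(self, pkt):
        """Replies leave with the port the peer originally used."""
        hdr = parse_ipv4_tcp(pkt)
        if hdr is None or hdr["sport"] != LISTEN_PORT:
            return "pass", pkt
        orig = self.flows.get((hdr["dst"], hdr["dport"]))
        if orig is None:
            return "pass", pkt
        csum = csum_update(hdr["csum"], LISTEN_PORT, orig)
        return "rewritten", _patch(pkt, hdr["ihl"], 0, orig, csum)
```

The detection angle follows from the emulation: the port seen by the front-end firewall is whatever the operator picked, so firewall logs alone are not conclusive, but a network sensor in front of the host can flag sources that send a TCP segment with window 54321 and then open a flow to the same host within the hour.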
Commands supported by LinkPro include spawning /bin/bash in a pseudo-terminal, running shell commands, enumerating files and directories, performing file operations, downloading files, and setting up SOCKS5 proxy tunnels. It is currently unknown who is behind the attack, but the attackers are suspected to be financially motivated.
“For kernel-level concealment, the rootkit uses eBPF programs of the tracepoint and kretprobe types to intercept the getdents (hiding files) and sys_bpf (hiding its own BPF programs) system calls. This technique, however, requires a specific kernel configuration (CONFIG_BPF_KPROBE_OVERRIDE),” the company said.
“If the latter is not present, LinkPro falls back to an alternative method by loading a malicious library via the /etc/ld.so.preload file, which reliably hides its activity in userspace.”
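For the userspace fallback described above, here is an added example of host-side checks (written for this page, not part of Synacktiv's tooling): it audits the contents of /etc/ld.so.preload, lists a directory through the getdents64 syscall directly so that the answer of a possibly hooked libc readdir() can be compared with the kernel's, and reads kernel config text for CONFIG_BPF_KPROBE_OVERRIDE. The allow-list, the sample config text and the scratch directory are assumptions. The listing comparison only exposes the ld.so.preload variant: when the eBPF “Hide” module is active, the kernel itself filters the getdents results, so both listings agree and the host has to be examined from outside (an offline disk image, for instance).

```python
"""Host checks for the ld.so.preload fallback described in the article.

Added example for this page, not Synacktiv's tooling. The allow-list, the
sample config text and the scratch directory are assumptions; the path
/etc/libld.so is the one named in the article. Linux only (raw syscall).
"""
import ctypes
import os
import platform
import struct
import tempfile

PRELOAD_PATH = "/etc/ld.so.preload"   # glibc loads every path listed here into all dynamic programs
KNOWN_BAD = {"/etc/libld.so"}          # path LinkPro writes, from the article
SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}


def audit_preload(text, allowlist=frozenset()):
    """Classify ld.so.preload contents: 'bad' (known LinkPro path), 'suspicious'
    (any entry outside the allow-list; the file is normally absent on servers and
    a .so under /etc is never legitimate), or 'clean'."""
    entries = text.split()             # glibc reads a whitespace-separated list of paths
    if any(e in KNOWN_BAD for e in entries):
        return "bad", entries
    if any(e not in allowlist for e in entries):
        return "suspicious", entries
    return "clean", entries


def listdir_raw_syscall(path):
    """List a directory by issuing getdents64 directly, bypassing the libc
    opendir()/readdir() wrappers that a preloaded library can hook."""
    if platform.system() != "Linux" or platform.machine() not in SYS_GETDENTS64:
        raise NotImplementedError("raw getdents64 only implemented for Linux x86_64/aarch64")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    buf = ctypes.create_string_buffer(32768)
    names = []
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while True:
            n = libc.syscall(SYS_GETDENTS64[platform.machine()], fd, buf, ctypes.sizeof(buf))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            data, pos = buf.raw[:n], 0
            while pos < n:
                # struct linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen, u8 d_type, char d_name[]
                d_reclen = struct.unpack_from("=H", data, pos + 16)[0]
                name = data[pos + 19:pos + d_reclen].split(b"\x00", 1)[0].decode(errors="surrogateescape")
                if name not in (".", ".."):
                    names.append(name)
                pos += d_reclen
    finally:
        os.close(fd)
    return sorted(names)


def hidden_entries(path):
    """Names the kernel returns that the libc-based listing omits (empty on a clean host)."""
    return sorted(set(listdir_raw_syscall(path)) - set(os.listdir(path)))


def kconfig_option(text, option):
    """Value ('y', 'm', ...) of a kernel config option in config text such as
    /boot/config-$(uname -r) or zcat /proc/config.gz; None if unset."""
    for line in text.splitlines():
        if line.startswith(option + "="):
            return line.split("=", 1)[1].strip()
    return None


def self_test_dir():
    """Scratch directory with constructed names, listed both ways, to validate
    the comparison on a known-clean host. Returns (raw listing, hidden names)."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("a.txt", "b.txt", ".hidden"):
            open(os.path.join(d, n), "w").close()
        return listdir_raw_syscall(d), hidden_entries(d)


if __name__ == "__main__":
    if os.path.exists(PRELOAD_PATH):
        with open(PRELOAD_PATH) as f:
            print("ld.so.preload:", audit_preload(f.read()))
    else:
        print("ld.so.preload: absent (expected on a clean host)")
    for d in ("/etc", "/tmp", "/usr/bin"):
        print("hidden from libc listing in %s:" % d, hidden_entries(d))
    cfg = "/boot/config-" + os.uname().release
    if os.path.exists(cfg):
        with open(cfg) as f:
            print("CONFIG_BPF_KPROBE_OVERRIDE =", kconfig_option(f.read(), "CONFIG_BPF_KPROBE_OVERRIDE"))
```

Run it as a dynamically linked Python so that os.listdir goes through the hookable libc path while the raw syscall does not; a non-empty difference for /etc is a strong indicator of a userspace hiding library. Reading /etc/ld.so.preload itself through open() is also subject to hooking, so a statically linked tool or an offline copy of the filesystem is the more trustworthy source for that file.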