Report sheds light on novel Syslogk Linux rootkit malware

Threat actors have been using a novel Linux rootkit dubbed "Syslogk" that relies on magic packets to conceal and trigger malicious processes, according to BleepingComputer. Avast security researchers found that Syslogk, which is based on the old open-source Adore-Ng rootkit, not only force-loads its module into Linux 3.x kernels but also hides network traffic and directories and loads the Rekoobe backdoor.

The backdoor is started only when Syslogk receives a magic packet that carries special "Reserved" field values, a matching "Destination Port" and "Source Address", a particular "Source Port" numbering, and a hardcoded key; Rekoobe then provides the attackers with a remote shell, the report showed.

"Consider how stealthy this could be: a backdoor that does not load until some magic packets are sent to the machine. When queried, it appears to be a legitimate service hidden in memory, hidden on disk, remotely magically executed, hidden on the network. Even if it is found during a network port scan, it still seems to be a legitimate SMTP server," said the researchers.
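The trigger described above hinges on TCP header fields that normal traffic never sets, most notably the 3-bit "Reserved" field, which RFC 793 requires to be zero. That makes the field a useful defensive tell: a sensor can parse raw IPv4/TCP frames and flag any packet whose reserved bits are non-zero. The following is an added example written for this article, not code from Avast, BleepingComputer or the Syslogk analysis; the exact values the rootkit checks are not given on this page, so the detector treats any non-zero reserved bits as suspicious, and the frames it inspects are constructed inline rather than captured.

```python
"""Flag TCP segments whose RFC 793 'Reserved' bits are non-zero.

Added example (not from the original report). The trigger values used by
Syslogk are not stated on the page, so the heuristic is generic: any
non-zero reserved bits are reported. Frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    reserved: int  # 3 reserved bits between Data Offset and NS (must be zero)
    flags: int     # 9 flag bits: NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpSummary]:
    """Parse a raw IPv4 frame carrying TCP; return None for anything else."""
    if len(frame) < 20 or (frame[0] >> 4) != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 6 or len(frame) < ihl + 20:  # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    # Bytes 12-13: 4-bit data offset | 3 reserved bits | 9 flag bits
    word = struct.unpack("!H", tcp[12:14])[0]
    reserved = (word >> 9) & 0x7
    flags = word & 0x1FF
    return TcpSummary(src, dst, sport, dport, reserved, flags)


def find_suspicious(frames: List[bytes]) -> List[TcpSummary]:
    """Return summaries of every TCP segment with non-zero reserved bits."""
    hits = []
    for frame in frames:
        summary = parse_ipv4_tcp(frame)
        if summary is not None and summary.reserved != 0:
            hits.append(summary)
    return hits


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   reserved: int = 0, flags: int = 0x02) -> bytes:
    """Build a minimal 40-byte IPv4+TCP frame (constructed test input only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    word = (5 << 12) | ((reserved & 0x7) << 9) | (flags & 0x1FF)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, word, 65535, 0, 0)
    return ip + tcp


# Constructed sample traffic: two ordinary segments and one with reserved
# bits set (0x4 is an arbitrary constructed value, not the rootkit's).
SAMPLE_FRAMES = [
    build_ipv4_tcp("192.0.2.10", "192.0.2.25", 40000, 25, flags=0x02),  # SYN
    build_ipv4_tcp("192.0.2.10", "192.0.2.25", 40000, 25, flags=0x18),  # PSH|ACK
    build_ipv4_tcp("198.51.100.7", "192.0.2.25", 31337, 25, reserved=0x4),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_FRAMES):
        print(f"ALERT {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} "
              f"reserved=0x{hit.reserved:x} flags=0x{hit.flags:03x}")
```

In a real deployment the frames would come from a packet capture or a raw socket on a monitoring host, not from the machine suspected of hosting the rootkit, since a kernel-level rootkit that hides its own traffic cannot be trusted to report it.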
