Syslogk, a new Linux rootkit malware that uses specially designed “magic packets” to awaken a dormant backdoor on the system, is being utilised in assaults to mask dangerous activities.

The malware is now in active development, and its creators appear to be using Adore-Ng, an outdated open-source rootkit, as a foundation.

Syslogk has the ability to force-load its modules into the Linux kernel (versions 3.x are supported), hide folders and network traffic, and eventually load a backdoor known as ‘Rekoobe.’

Using magic packets to load backdoor

Malware that is installed as kernel modules in the Linux operating system is known as a rootkit. They intercept valid Linux commands to filter out information they don’t want displayed, such as the presence of files, folders, or processes, once they’re installed.

To avoid human scrutiny, Syslogk will remove its entry from the list of installed modules when it is initially loaded as a kernel module. An exposed interface in the /proc file system is the only indication of its existence.

Exposed Syslogk interface (Avast)
Exposed Syslogk interface (Avast)

The rootkit also has the ability to hide directories containing the malicious files it drops on the host, hide processes, hide network activity, inspect all TCP packets, and start and stop payloads remotely. A Linux backdoor dubbed Rekoobe is one of the hidden payloads uncovered by Avast. This backdoor will remain dormant on a compromised machine until the threat actors send it a “magic packet.

Syslogk will wait for specially crafted TCP packets that have particular “Reserved” field values, “Source Port” numbering, “Destination Port” and “Source Address” matches, and a hardcoded key, similar to Wake on LAN magic packets, which are used to wake devices that are in sleep mode.

When the right magic packet is found, Syslogks will activate or stop the backdoor as directed by remote threat actors, greatly reducing the backdoor’s chances of being discovered. “When utilised surreptitiously in conjunction with a phoney SMTP server, the Syslogk rootkit (and Rekoobe payload) precisely align.”

Consider how covert this may be: a backdoor that doesn’t activate until the system receives some mysterious packets. It looks to be a genuine service hidden in memory, hidden on disc, remotely’magically’ executed, and hidden on the network when queried. It seems to be a real SMTP server even if it is discovered during a network port search.” – Beware of Avast!

Rekoobe is loaded into user-mode space, where detections are less complex and rare than for Syslogk in kernel mode, therefore being more careful with its loading is critical for its success.

The goal of Rekoobe, which is based on TinySHell, another open-source and widely known software, is to provide the attacker with a remote shell on the compromised machine.

Spawning a root shell on the host (Avast)
Spawning a root shell on the host (Avast)

Because Rekoobe is used to carry out orders, the consequences are severe, including information disclosure, data exfiltration, file manipulation, account takeover, and more.

Should you be worried?

The Syslogk rootkit is another another piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Linux systems aren’t widely used by everyday people, but they power some of the most expensive business networks, therefore threat actors are taking the time to create specific malware for the architecture.

In the case of Syslogk, the project is still in its early stages of development, so it’s unclear whether it’ll become a widespread threat. However, given its secrecy, it will almost certainly continue to release new and improved versions. The most worrisome development would be if Syslogk released a version that supported more recent Linux kernel versions, vastly expanding the target range at once.