A newly discovered stealthy piece of Linux malware called Syslogk delivers a backdoor that remains hidden on the targeted machine until its controller, from anywhere on the internet, transmits so-called ‘magic packets’.
According to researchers at Avast, the Syslogk Linux rootkit delivers the backdoor trojan known as Rekoobe and uses numerous techniques to keep the backdoor hidden until needed.
Fortunately, the version of Syslogk that Avast analyzed only works on older versions of the Linux kernel, but the malware appears to be under development.
Rekoobe has been used by APT31, the China state-sponsored threat actor Microsoft tracks as Zirconium. Rekoobe is based on TinyShell, an open source UNIX backdoor, and the Syslogk rootkit contains references to TinyShell dating back to December 13, 2018.
Meanwhile, Syslogk itself is based primarily on Adore-Ng, a Chinese open source kernel rootkit for Linux that as of this year was still being updated but supports only the 3.x kernel series, while mainline kernel development is on the 5.x series.
Syslogk adds functionality that makes both the user-mode component and the kernel rootkit harder to detect than Adore-Ng, which already hides files, its processes and the kernel module itself.
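Adore-Ng-style hiding of modules and processes usually hooks the listing path (the kernel's module list that /proc/modules and lsmod read, and readdir on /proc that ps uses) without hooking every other view the kernel exposes, which gives a defender something to cross-check from userland. The script below is an added example, not code from Avast, the article, or the Syslogk or Adore-Ng projects: it diffs /proc/modules against /sys/module and readdir(/proc) against direct opens of /proc/<pid>/status. The sample /proc/modules text and the module name hidden_lkm are constructed for illustration, and whether Syslogk itself leaves these particular seams is not something the article states.

```python
"""Userland check for Adore-Ng-style hiding of kernel modules and processes.

Added example: not code from Avast, the article, or the Syslogk/Adore-Ng
projects. It compares the listing paths a rootkit typically hooks
(/proc/modules, readdir on /proc) against other kernel-exposed views
(/sys/module, direct opens of /proc/<pid>/status).
"""
import os
from typing import Iterable, Optional, Set

# Constructed sample of /proc/modules output; 'hidden_lkm' is a made-up name.
SAMPLE_PROC_MODULES = (
    "ext4 745472 1 - Live 0x0000000000000000\n"
    "xfs 1564672 0 - Live 0x0000000000000000\n"
)
SAMPLE_SYSFS_LOADED = {"ext4", "xfs", "hidden_lkm"}


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules-format text (first field per line)."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def loaded_modules_from_sysfs(sys_module: str = "/sys/module") -> Set[str]:
    """Loaded modules as sysfs sees them. Only entries with an 'initstate' file
    are loadable modules; built-in code and parameter-only entries (e.g.
    'kernel', 'printk') also sit under /sys/module and would be false positives."""
    try:
        entries = os.listdir(sys_module)
    except OSError:
        return set()
    return {n for n in entries
            if os.path.exists(os.path.join(sys_module, n, "initstate"))}


def hidden_modules(listed: Iterable[str], sysfs_loaded: Iterable[str]) -> Set[str]:
    """Modules sysfs knows but /proc/modules (what lsmod reads) omits. A module
    that unlinks itself from the kernel's module list often forgets sysfs."""
    return set(sysfs_loaded) - set(listed)


def tgid_from_status(status_text: str) -> Optional[int]:
    """Thread-group id from /proc/<pid>/status text; None if the field is absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def listed_pids(proc: str = "/proc") -> Set[int]:
    """PIDs returned by readdir(/proc): the view ps uses and a rootkit filters."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probed_pids(pid_max: int, proc: str = "/proc") -> Set[int]:
    """PIDs found by opening /proc/<pid>/status directly, bypassing readdir.
    /proc/<tid> also resolves for non-leader threads that readdir never lists,
    so only thread-group leaders (Tgid == Pid) are kept."""
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(os.path.join(proc, str(pid), "status")) as f:
                tgid = tgid_from_status(f.read())
        except OSError:
            continue
        if tgid == pid:
            found.add(pid)
    return found


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs that answer a direct open but are missing from the directory listing."""
    return set(probed) - set(listed)


def demo() -> Set[str]:
    """Run the module check on the constructed sample; returns {'hidden_lkm'}."""
    return hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS_LOADED)


if __name__ == "__main__":
    print("sample check:", demo())
    with open("/proc/modules") as f:
        visible = parse_proc_modules(f.read())
    for m in sorted(hidden_modules(visible, loaded_modules_from_sysfs())):
        print(f"module in /sys/module but not in /proc/modules: {m}")
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    listed = listed_pids()
    candidates = hidden_pids(listed, probed_pids(pid_max))
    # Processes that start between the two passes look hidden; a second pass
    # over the candidates alone filters those out.
    relisted = listed_pids()
    for pid in sorted(p for p in candidates
                      if p not in relisted and os.path.exists(f"/proc/{p}")):
        print(f"PID answers open() but is missing from readdir(/proc): {pid}")
```

A clean run proves little on its own: a rootkit can hook the sysfs and stat paths as well, so a negative result should be confirmed from a trusted live medium or by comparing against a kernel-independent view such as memory forensics. A positive result from either check, however, is a strong indicator that something is filtering the kernel's own listings and warrants isolating the host.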
Avast researchers believe this