This 'evasive' new Linux malware creates a backdoor to steal passwords and more

Cybersecurity researchers detail Orbit malware and the evolving threat of cyber criminals targeting Linux.
Written by Danny Palmer, Senior Writer

The hands of a computer hacker working on a computer keyboard.

Image: Getty Images

A newly uncovered form of Linux malware creates a backdoor into infected machines and servers, allowing cyber criminals to secretly steal sensitive information while also maintaining persistence on the network. 

Detailed by cybersecurity researchers at Intezer, the previously undetected malware has been called Orbit after filenames it used to temporarily store the output of executed commands.

Linux is a popular operating system for servers and cloud infrastructure, which makes it a tempting target for cyber criminals.

SEE: A winning strategy for cybersecurity (ZDNet special report)

Orbit malware provides cyber criminals with remote access to Linux systems, allowing them to steal usernames and passwords and log TTY commands – the inputs made in the Linux terminal.  

In addition to this, the malware can infect running processes on the machine, ultimately allowing the hackers to take control of the system required to monitor and steal information, while also maintaining a backdoor to the compromised systems.

Once installed, Orbit sets up a remote connection to the machine and hooks functions in the Linux Pluggable Authentication Module. By doing this, the malware can steal information from SSH (Secure Shell Protocol) connections providing remote access to the attackers while also hiding network activity from the victim. 

Orbit is also designed to be highly persistent, making it hard to remove from an infected machine while running. It does this by adding instructions that the malware should be loaded before any other processes. 

The malware is also set up to evade detection by preventing information that could reveal the existence of Orbit from being detected by manipulating the outputs to avoid detailing malicious activity. 

"Unlike other threats, this malware steals information from different commands and utilities and stores them in specific files on the machine," said Nicole Fishbein, security researcher at Intezer. 

"Threats that target Linux continue to evolve while successfully staying under the radar of security tools, now Orbit is one more example of how evasive and persistent new malware can be," she added. 

Cloud services and servers are mistakenly misconfigured, providing unauthorised intruders with access to systems – businesses should ensure that their cloud setup is properly managed to avoid weak points like this that could allow attackers into networks. 


Editorial standards