The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Cyber Security News

New Syslogk Linux Kernel Rootkit Uses “Magic Packets” to Trigger Remote Backdoor Access

June 14, 2022

A new Linux kernel rootkit dubbed ‘syslogk’ has been spotted in the wild by Avast cybersecurity researchers.

According to a write-up by Avast researchers David Álvarez and Jan Neduchal, Syslogk can hide a malicious payload that an attacker then controls remotely by sending a "magic" network packet to the infected host.

Avast explained that the rootkit, which is still under development, is heavily based on Adore-Ng (an older Linux rootkit) but adds new code and functionality, making both the user-mode application and the kernel rootkit harder to detect.


“After loading it, you will notice that the malicious driver does not appear in the list of loaded kernel modules when using the lsmod command.”

This is because the rootkit uses a function of the kernel API to remove the module from the linked list of kernel modules. The module stays loaded and its code stays resident; only the bookkeeping entry that lsmod reads from /proc/modules has been unlinked.

Syslogk can also hide directories containing malicious files, together with malicious processes and payloads.
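As an added example (not Avast's code and not taken from the rootkit), the following user-space C check flags the list-unlinking trick described above. It parses the text of /proc/modules, the file lsmod reads, and compares it with the loadable-module directories under /sys/module, which unlinking a module from the kernel's module list does not touch. Built-in modules also appear under /sys/module, so the live check keeps only directories that have an `initstate` file, which only loadable modules get. The module names in the sample data (including `syslogk`) are constructed for the test, not observed on a real system.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define NAME_LEN 64
#define MAX_MODS 1024

/* Pull module names out of the text of /proc/modules (the file lsmod reads):
 * one module per line, the name is the first whitespace-delimited field. */
size_t parse_proc_modules(const char *text, char names[][NAME_LEN], size_t max)
{
    size_t n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        size_t w = 0;
        while (w < linelen && p[w] != ' ' && p[w] != '\t')
            w++;
        if (w > 0 && w < NAME_LEN) {
            memcpy(names[n], p, w);
            names[n][w] = '\0';
            n++;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return n;
}

/* Every sysfs module name absent from /proc/modules is a candidate for a
 * module that unlinked itself from the kernel's module list. Returns the
 * number of such names copied into `hidden`. */
size_t find_hidden_modules(const char *proc_modules_text,
                           const char *const *sysfs_names, size_t nsysfs,
                           char hidden[][NAME_LEN], size_t max)
{
    static char listed[MAX_MODS][NAME_LEN];
    size_t nlisted = parse_proc_modules(proc_modules_text, listed, MAX_MODS);
    size_t nh = 0;

    for (size_t i = 0; i < nsysfs && nh < max; i++) {
        int found = 0;
        for (size_t j = 0; j < nlisted && !found; j++)
            found = strcmp(sysfs_names[i], listed[j]) == 0;
        if (!found) {
            snprintf(hidden[nh], NAME_LEN, "%s", sysfs_names[i]);
            nh++;
        }
    }
    return nh;
}

/* Live check against the running system. Loadable modules have an
 * `initstate` file in their sysfs directory; built-in modules listed under
 * /sys/module do not, so those are skipped to avoid false positives. */
int main(void)
{
    static char proc_text[1 << 16];
    static char sysfs[MAX_MODS][NAME_LEN];
    static char hidden[MAX_MODS][NAME_LEN];
    const char *sysfs_ptrs[MAX_MODS];
    size_t nsys = 0;

    FILE *f = fopen("/proc/modules", "r");
    if (!f) { perror("/proc/modules"); return 1; }
    size_t got = fread(proc_text, 1, sizeof proc_text - 1, f);
    proc_text[got] = '\0';
    fclose(f);

    DIR *d = opendir("/sys/module");
    if (!d) { perror("/sys/module"); return 1; }
    struct dirent *e;
    while ((e = readdir(d)) != NULL && nsys < MAX_MODS) {
        char path[512];
        struct stat st;
        if (e->d_name[0] == '.')
            continue;
        snprintf(path, sizeof path, "/sys/module/%s/initstate", e->d_name);
        if (stat(path, &st) != 0)
            continue;                          /* built-in module: skip */
        snprintf(sysfs[nsys], NAME_LEN, "%s", e->d_name);
        sysfs_ptrs[nsys] = sysfs[nsys];
        nsys++;
    }
    closedir(d);

    size_t nh = find_hidden_modules(proc_text, sysfs_ptrs, nsys, hidden, MAX_MODS);
    for (size_t i = 0; i < nh; i++)
        printf("in /sys/module but not in /proc/modules: %s\n", hidden[i]);
    printf("%zu suspicious module(s)\n", nh);
    return nh ? 2 : 0;
}
```

Treat a clean result as necessary rather than sufficient: a rootkit that also removes its sysfs kobject evades this comparison, and a module that hooks the file reads themselves can lie to user space altogether. The comparison is cheap enough to run from a periodic job or an incident-response script, and an unexplained mismatch is a strong reason to image memory before rebooting.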

From a technical standpoint, Avast explained that Syslogk's malicious payload is not continuously running.

“The attacker remotely executes it on demand when a specially crafted TCP packet […] is sent to the infected machine, which inspects the traffic by installing a netfilter hook.”

The attacker can also remotely stop the payload, using a hardcoded key in the rootkit together with some fields of the same magic packet that is used to start it.
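To show how a magic-packet trigger of this kind works, here is an added example in user-space C; it is not code from Syslogk or from Avast. `inspect_packet` performs the checks a PRE_ROUTING netfilter hook would run on every incoming IPv4 packet: parse the IP and TCP headers, look for a key at the start of the TCP payload, and pull the attacker-supplied fields out of the rest. The key `EXMPLKEY` and the payload layout (key, callback IPv4 address, callback port) are assumptions made for illustration; the rootkit's real key and fields are not given on the page. `build_tcp_packet` constructs the sample packets, with checksums left at zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed trigger layout (illustration only; Syslogk's real key and fields
 * are not given on the page):
 *   TCP payload = 8-byte key || callback IPv4 (4 bytes, big-endian)
 *                 || callback port (2 bytes, big-endian)             */
#define TRIGGER_KEY     "EXMPLKEY"
#define TRIGGER_KEY_LEN 8
#define TRIGGER_LEN     (TRIGGER_KEY_LEN + 4 + 2)

struct trigger {
    uint32_t callback_ip;   /* host byte order */
    uint16_t callback_port; /* host byte order */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* The checks a PRE_ROUTING netfilter hook would run on each incoming IPv4
 * packet. The destination port is deliberately ignored: nothing has to be
 * listening on the host for the trigger to work, which is why port scans
 * and `ss -lnt` show nothing. Returns 1 on a match, 0 for ordinary traffic,
 * -1 for non-TCP or malformed input. */
int inspect_packet(const uint8_t *pkt, size_t len, struct trigger *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = rd16(pkt + 2);
    if (ihl < 20 || total > len || total < ihl + 20)
        return -1;
    if (pkt[9] != 6)                          /* IP protocol 6 = TCP */
        return -1;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > total)
        return -1;
    const uint8_t *payload = tcp + doff;
    size_t plen = total - ihl - doff;
    if (plen < TRIGGER_LEN || memcmp(payload, TRIGGER_KEY, TRIGGER_KEY_LEN) != 0)
        return 0;
    out->callback_ip = rd32(payload + TRIGGER_KEY_LEN);
    out->callback_port = rd16(payload + TRIGGER_KEY_LEN + 4);
    return 1;
}

/* Build a minimal IPv4 packet with a 20-byte TCP-style header around an
 * arbitrary payload (constructed sample; checksums are left zero, which is
 * enough for the parser above but not for a real network stack). */
size_t build_tcp_packet(uint8_t *buf, size_t cap, uint8_t proto, uint16_t dport,
                        const uint8_t *payload, size_t plen)
{
    size_t total = 20 + 20 + plen;
    if (total > cap || total > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                              /* IPv4, IHL = 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                                /* TTL */
    buf[9] = proto;                             /* 6 = TCP; anything else is ignored by the hook */
    memcpy(buf + 12, "\x0a\x00\x00\x05", 4);    /* src 10.0.0.5 */
    memcpy(buf + 16, "\x0a\x00\x00\x09", 4);    /* dst 10.0.0.9 */
    uint8_t *tcp = buf + 20;
    tcp[0] = 0xc3; tcp[1] = 0x50;               /* sport 50000 */
    tcp[2] = (uint8_t)(dport >> 8);
    tcp[3] = (uint8_t)(dport & 0xff);
    tcp[12] = 0x50;                             /* data offset = 5 words */
    tcp[13] = 0x18;                             /* PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return total;
}

/* Build a trigger packet aimed at `dport` carrying the callback address and
 * run it through the inspector, as the attacker's sender and the hook would. */
int send_trigger_demo(uint16_t dport, uint32_t cb_ip, uint16_t cb_port,
                      struct trigger *out)
{
    uint8_t payload[TRIGGER_LEN];
    uint8_t pkt[128];
    memcpy(payload, TRIGGER_KEY, TRIGGER_KEY_LEN);
    payload[8]  = (uint8_t)(cb_ip >> 24);
    payload[9]  = (uint8_t)(cb_ip >> 16);
    payload[10] = (uint8_t)(cb_ip >> 8);
    payload[11] = (uint8_t)cb_ip;
    payload[12] = (uint8_t)(cb_port >> 8);
    payload[13] = (uint8_t)cb_port;
    size_t n = build_tcp_packet(pkt, sizeof pkt, 6, dport, payload, sizeof payload);
    return n ? inspect_packet(pkt, n, out) : -1;
}

int main(void)
{
    struct trigger t = {0, 0};
    int r = send_trigger_demo(443, 0xc0a80101u, 4444, &t);   /* callback 192.168.1.1:4444 */
    printf("trigger to port 443: %d (callback %u.%u.%u.%u:%u)\n", r,
           t.callback_ip >> 24, (t.callback_ip >> 16) & 0xff,
           (t.callback_ip >> 8) & 0xff, t.callback_ip & 0xff, t.callback_port);
    return 0;
}
```

Two practical consequences follow from the hook model. First, host-side socket inventories are blind to this trigger, because the kernel consumes the packet before any socket lookup. Second, a packet capture on the same host still sees it: AF_PACKET taps (tcpdump, Zeek) are fed in the receive path before the IP layer runs its netfilter hooks, so a capture filtered for unexpected PSH|ACK segments to closed ports, or any rule keyed on the payload once the key is known, is the more reliable place to hunt for magic packets than netstat-style tooling.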

Despite these capabilities, the Avast researchers said Syslogk can be detected and its payload stopped.

“Fortunately, the rootkit has a functionality implemented in the proc_generate function that exposes an interface in the /proc file system which reveals the rootkit when the value 1 is written into the file /proc/syslogk.”

Once revealed, the rootkit can be removed with the rmmod command. The reveal step is what makes this possible: rmmod asks the kernel to delete the module by name, and the kernel looks that name up in the same module list the rootkit had unlinked itself from, so a still-hidden module cannot be unloaded this way.

“Kernel rootkits can be hard to detect and remove since these pieces of malware operate in a privileged layer,” the Avast researchers warned.

“This is why it is crucial for system administrators and security companies to be aware of this type of malware and create protections for their users as soon as possible.”


Some parts of this article are sourced from:
www.infosecurity-journal.com
