The Cyber Security News
New Syslogk Linux Kernel Rootkit Uses “Magic Packets” to Trigger Remote Backdoor Access

June 14, 2022

A new Linux kernel rootkit dubbed ‘Syslogk’ has been spotted in the wild by Avast security researchers.

According to an advisory by David Álvarez and Jan Neduchal, Syslogk is able to cloak a malicious payload that can then be remotely controlled by an adversary using a "magic" network packet.

Avast explained that the rootkit, currently under development, is heavily based on Adore-Ng (an older Linux rootkit) but incorporates new code and functionality, making both the user-mode application and the kernel rootkit harder to detect.



“After loading it, you will discover that the malicious driver does not show up in the list of loaded kernel modules when using the lsmod command.”

This is because the rootkit uses a kernel API function to remove its own module from the kernel's linked list of loaded modules. lsmod does nothing more than read /proc/modules, and /proc/modules is generated by walking that list, so an unlinked module is simply never reported, even though its code and data remain resident in the kernel.

Syslogk can also hide directories containing its malicious files, together with malicious processes and payloads.

From a technical standpoint, Avast explained that Syslogk's malicious payload is not continuously running.

“The attacker remotely executes it on demand when a specially crafted TCP packet […] is sent to the infected machine, which inspects the traffic by installing a netfilter hook.”

The attacker can also remotely stop the payload, using a key hardcoded in the rootkit together with some fields of the same magic packet that is used to start the payload.

Despite these dangerous features, the Avast researchers said Syslogk can be revealed and its payload stopped.

“Fortunately, the rootkit has a functionality implemented in the proc_write function that exposes an interface in the /proc file system which reveals the rootkit when the value 1 is written into the file /proc/syslogk.”

Once revealed, the rootkit can be removed with the rmmod Linux command. The order matters: rmmod looks the module up by name in the same module list, so while the module is unlinked the unload request fails as if the module were not loaded at all; writing 1 to /proc/syslogk relinks it and makes the normal unload path work again.
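The hide-and-reveal mechanism described above, shown as an added user-space C example (this is not Avast's code and not Syslogk's): a small replica of the kernel's intrusive list_head list and of the global module list from which /proc/modules, and therefore lsmod, is generated. The module names and the in_sysfs flag standing in for a /sys/module/<name> directory are constructed sample data, and hide_module, reveal_module, rmmod and find_hidden are names chosen for this demo. It shows why an unlinked module disappears from lsmod, why rmmod fails until the module is relinked, and the cross-check a responder can run against /sys/module, which the list unlink does not touch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal replica of the kernel's intrusive doubly linked list (include/linux/list.h). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

/* Insert `entry` right after `head`. */
static void list_add(struct list_head *entry, struct list_head *head)
{
    struct list_head *next = head->next;
    next->prev = entry;
    entry->next = next;
    entry->prev = head;
    head->next = entry;
}

/* Unlink an entry. Only the neighbours' pointers change; the entry's memory stays intact. */
static void list_del(struct list_head *entry)
{
    entry->next->prev = entry->prev;
    entry->prev->next = entry->next;
    entry->next = entry->prev = NULL;   /* the kernel poisons these the same way */
}

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each(pos, head) for (pos = (head)->next; pos != (head); pos = pos->next)

struct module {
    char name[32];
    struct list_head list;   /* link in the global module list */
    int in_sysfs;            /* stand-in for the /sys/module/<name> kobject */
};

static struct list_head modules;   /* stand-in for the kernel's global `modules` list */

/* Constructed sample: three "loaded" modules, one of them the rootkit. Not real system state. */
static struct module mods[] = { { "ext4" }, { "nf_tables" }, { "syslogk" } };
#define NMODS (sizeof mods / sizeof mods[0])

static void load_all(void)
{
    INIT_LIST_HEAD(&modules);
    for (size_t i = 0; i < NMODS; i++) {
        mods[i].in_sysfs = 1;
        list_add(&mods[i].list, &modules);
    }
}

/* What lsmod sees: /proc/modules is produced by walking the module list. */
static int lsmod_count(void)
{
    struct list_head *pos;
    int n = 0;
    list_for_each(pos, &modules) n++;
    return n;
}

/* Name lookup used by the unload path (the kernel's find_module()). */
static struct module *find_module(const char *name)
{
    struct list_head *pos;
    list_for_each(pos, &modules) {
        struct module *m = container_of(pos, struct module, list);
        if (strcmp(m->name, name) == 0) return m;
    }
    return NULL;
}

/* Adore-Ng style hiding: unlink our own entry. Code and data remain resident. */
static void hide_module(struct module *m) { list_del(&m->list); }

/* The reveal path (Syslogk triggers this through /proc/syslogk): relink the entry. */
static void reveal_module(struct module *m) { list_add(&m->list, &modules); }

/* rmmod <name>: succeeds only if the module is reachable from the list. */
static int rmmod(const char *name)
{
    struct module *m = find_module(name);
    if (!m) return -1;          /* "Module syslogk is not currently loaded" */
    list_del(&m->list);
    m->in_sysfs = 0;            /* sysfs kobject is torn down on a real unload */
    return 0;
}

/* Detection cross-check: every /sys/module/<name> entry that the module list does not know. */
static int find_hidden(const char *found[], int max)
{
    int n = 0;
    for (size_t i = 0; i < NMODS && n < max; i++)
        if (mods[i].in_sysfs && !find_module(mods[i].name))
            found[n++] = mods[i].name;
    return n;
}

int main(void)
{
    const char *hidden[NMODS];
    load_all();
    printf("loaded: %d modules visible to lsmod\n", lsmod_count());
    hide_module(&mods[2]);
    printf("after hide: %d visible, rmmod syslogk -> %d\n", lsmod_count(), rmmod("syslogk"));
    int n = find_hidden(hidden, (int)NMODS);
    for (int i = 0; i < n; i++) printf("in sysfs but not in module list: %s\n", hidden[i]);
    reveal_module(&mods[2]);
    printf("after reveal: %d visible, rmmod syslogk -> %d\n", lsmod_count(), rmmod("syslogk"));
    return 0;
}
```

Build with `cc -Wall demo.c -o demo && ./demo`. On a live system the equivalent of find_hidden is to compare the directories under /sys/module that contain an `initstate` file (only loadable modules get one; built-in modules with parameters also appear under /sys/module but without it) against the names in /proc/modules. Treat a clean result as inconclusive rather than as proof of absence: a rootkit that also deletes its sysfs kobject, or that hooks the reads of /proc and /sys themselves, defeats the check, which is why a memory image examined from outside the running kernel is the stronger evidence.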

“Kernel rootkits can be hard to detect and remove because these pieces of malware run in a privileged layer,” the Avast researchers warned.

“This is why it is crucial for system administrators and security companies to be aware of this type of malware and create protections for their users as soon as possible.”


Some components of this article are sourced from:
www.infosecurity-journal.com

Copyright © TheCyberSecurity.News, All Rights Reserved.