LinkPro Rootkit: A Stealthy Threat to GNU/Linux Systems

A sophisticated rootkit named LinkPro has been identified, targeting GNU/Linux systems by leveraging advanced eBPF (extended Berkeley Packet Filter) technology to conceal its malicious activities. This discovery emerged during a forensic investigation of a compromised AWS-hosted infrastructure, where LinkPro functioned as a stealthy backdoor capable of process hiding and remote activation via specially crafted network packets.

Infection Vector and Deployment

The initial breach occurred through a vulnerable Jenkins server (CVE-2024-23897) exposed to the internet. Attackers exploited this vulnerability to deploy a malicious Docker image named `kvlnt/vv` across multiple Amazon EKS Kubernetes clusters. This image contained several components:

– VPN Proxy Tool: Facilitated unauthorized network access.

– Downloader Malware (vGet): Responsible for retrieving additional malicious payloads.

– LinkPro Rootkit: The primary tool for maintaining stealthy access and control over the compromised systems.

The Docker configuration granted full filesystem access with root privileges, enabling the attackers to escape the container environment and harvest credentials from other pods within the Kubernetes clusters.

Technical Analysis of LinkPro

Identified by Synacktiv researchers, LinkPro is a previously undocumented backdoor written in Go. It operates in two distinct modes:

1. Passive Reverse Mode: Awaits commands after receiving a specific TCP magic packet.

2. Active Forward Mode: Initiates direct command-and-control communication with the attackers.

To achieve stealth, LinkPro employs a dual-layer approach using two eBPF modules:

– Hide eBPF Module: Intercepts critical system calls such as `getdents` and `sys_bpf` using tracepoints and kernel return probes. This effectively conceals files, processes, and its own eBPF programs from standard enumeration tools.

– Knock eBPF Module: Utilizes XDP (eXpress Data Path) and TC (Traffic Control) programs to monitor network traffic for a specific magic packet: a TCP SYN packet with a window size of 54321. Upon detection, it stores the source IP in a `knock_map` entry with a one-hour expiration and dynamically rewrites the headers of subsequent packets from that source, redirecting traffic arriving on any external port to LinkPro's internal listening port 2233.

This sophisticated network manipulation allows LinkPro to establish a covert communication channel, effectively bypassing firewall rules and maintaining persistent access to the compromised system.

Persistence Mechanisms

LinkPro ensures its persistence by masquerading as the legitimate `systemd-resolved` service. It creates a deceptive systemd unit file at `/etc/systemd/system/systemd-resolveld.service` (note the extra `l` in the name) and copies the malicious binary to `/usr/lib/.system/.tmp~data.resolveld`, modifying timestamps to match those of legitimate system files. This tactic makes detection and removal more challenging.

Capabilities and Impact

Once operational, LinkPro provides attackers with comprehensive remote access capabilities, including:

– Interactive Shell Sessions: Allowing direct command execution on the compromised system.

– File Management Operations: Enabling the upload, download, and manipulation of files.

– SOCKS5 Proxy Tunneling: Facilitating the routing of network traffic through the infected host.

– Data Exfiltration: Transmitting stolen data in Base64-encoded chunks.

The malware supports multiple communication protocols, including HTTP, WebSocket, TCP, UDP, and DNS tunneling, with exchanges encrypted using XOR operations. This versatility enhances its ability to evade detection and maintain control over the infected systems.

Detection and Mitigation Strategies

Organizations should implement the following measures to detect and mitigate the threat posed by LinkPro:

1. Monitor Systemd Service Files: Regularly inspect for suspicious or unauthorized service files, particularly those mimicking legitimate services.

2. Analyze eBPF Program Activity: Utilize tools capable of detecting unusual eBPF program behavior, as traditional monitoring tools may not effectively identify such activities.

3. Restrict eBPF Usage: Limit the use of eBPF to trusted applications and users to reduce the risk of exploitation.

4. Update Vulnerable Software: Ensure that all software, especially publicly accessible services like Jenkins, is updated to the latest version to patch known vulnerabilities.

5. Implement Network Segmentation: Isolate critical systems and services to minimize the potential impact of a compromise.

6. Conduct Regular Security Audits: Perform comprehensive security assessments to identify and remediate potential weaknesses in the infrastructure.
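A lookalike-unit check in the spirit of recommendation 1 and the persistence section above, as an added example (not code from the article or from Synacktiv): it parses unit text with Python's `configparser`, flags unit names within a small edit distance of a known legitimate unit, and flags an `ExecStart` whose binary sits in a hidden directory. The `KNOWN_UNITS` allowlist and both sample unit texts are constructed for illustration.

```python
import configparser
import os
from typing import List

# Legitimate unit names a decoy might imitate (assumption: extend for your fleet).
KNOWN_UNITS = {"systemd-resolved.service", "systemd-networkd.service", "sshd.service"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exec_path(unit_text: str) -> str:
    """Binary path from ExecStart= (first token, systemd prefixes like '-', '@', '!!' stripped)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(unit_text)
    tokens = cp.get("Service", "ExecStart", fallback="").split()
    return tokens[0].lstrip("-@:+!") if tokens else ""

def hidden_path(path: str) -> bool:
    """True if any path component is a dot-prefixed file or directory."""
    return any(part.startswith(".") for part in path.split(os.sep) if part)

def audit_unit(name: str, unit_text: str) -> List[str]:
    """Return findings for one unit: lookalike name and/or hidden ExecStart path."""
    findings = []
    if name not in KNOWN_UNITS:
        for legit in sorted(KNOWN_UNITS):
            if edit_distance(name, legit) <= 2:
                findings.append(f"lookalike of {legit}")
    path = exec_path(unit_text)
    if hidden_path(path):
        findings.append(f"ExecStart in hidden path: {path}")
    return findings

# Constructed sample modelled on the decoy unit and binary path the article reports.
DECOY_UNIT = """[Service]
ExecStart=/usr/lib/.system/.tmp~data.resolveld
"""
# Constructed sample of a legitimate-looking unit for comparison.
LEGIT_UNIT = """[Service]
ExecStart=!!/usr/lib/systemd/systemd-resolved
"""
```

On a live host, run `audit_unit` over each file under `/etc/systemd/system` and `/usr/lib/systemd/system`, then verify any flagged unit against the package manager's file manifest.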

By adopting these proactive measures, organizations can enhance their defenses against sophisticated threats like the LinkPro rootkit and safeguard their GNU/Linux systems from unauthorized access and data breaches.