A recent investigation into a compromised Amazon Web Services (AWS) infrastructure has unveiled a sophisticated GNU/Linux rootkit named LinkPro. This discovery, made by cybersecurity firm Synacktiv, highlights the evolving tactics of cyber adversaries in deploying stealthy malware.
LinkPro is engineered to utilize two extended Berkeley Packet Filter (eBPF) modules. One module is designed to conceal the rootkit’s presence, while the other enables remote activation upon receiving a specific magic packet. Security researcher Théo Letailleur from Synacktiv elaborated on this functionality, emphasizing the rootkit’s reliance on eBPF for both stealth and activation mechanisms.
Initial Compromise and Deployment
The attack commenced with the exploitation of an exposed Jenkins server vulnerable to CVE-2024-23897, a critical flaw with a CVSS score of 9.8. Leveraging this vulnerability, attackers deployed a malicious Docker Hub image named kvlnt/vv across multiple Kubernetes clusters. This image, now removed from Docker Hub, was based on Kali Linux and contained a directory labeled app with three key components:
1. start.sh: A shell script responsible for initiating the SSH service and executing subsequent files.
2. link: An open-source program known as vnt, functioning as a VPN server. It connects to vnt.wherewego[.]top:29872, allowing attackers to access the compromised server remotely and use it as a proxy to infiltrate other systems.
3. app: A Rust-based downloader termed vGet, which retrieves an encrypted VShell payload from an S3 bucket. This payload then establishes communication with its command-and-control (C2) server at 56.155.98[.]37 via a WebSocket connection.
In addition to these components, the attackers deployed two other malware strains on the Kubernetes nodes:
– vShell Backdoor: A dropper embedding another instance of the vShell backdoor.
– LinkPro Rootkit: A rootkit developed in Golang, capable of operating in two distinct modes:
– Passive (Reverse) Mode: Listens for commands from the C2 server only after receiving a specific TCP packet.
– Active (Forward) Mode: Initiates contact with the C2 server directly.
In forward mode, LinkPro supports multiple communication protocols, including HTTP, WebSocket, UDP, TCP, and DNS. Conversely, the reverse mode is limited to HTTP.
Operational Mechanisms
The operational sequence of LinkPro is intricate and involves several steps:
1. Installation of the Hide eBPF Module: This module employs Tracepoint and Kretprobe eBPF programs to obscure the rootkit’s processes and network activities.
2. Fallback Mechanism: If the Hide module installation fails or is disabled, LinkPro registers a shared library named libld.so in the /etc/ld.so.preload file.
3. Deployment of the Knock eBPF Module: In reverse mode, this module utilizes eXpress Data Path (XDP) and Traffic Control (TC) eBPF programs to activate the C2 communication channel upon receiving the magic packet.
4. Persistence Establishment: LinkPro sets up a systemd service to ensure it remains active across system reboots.
5. Command Execution: The rootkit executes commands received from the C2 server.
6. Cleanup on Interruption: Upon receiving specific signals (SIGHUP, SIGINT, SIGTERM), LinkPro uninstalls the eBPF modules, deletes the embedded libld.so, and restores the modified /etc/ld.so.preload to its original state.
To maintain its stealth, LinkPro modifies the /etc/ld.so.preload configuration file to include the path to the embedded libld.so shared library. This modification ensures that the library is loaded into every program that uses the dynamic loader /lib/ld-linux.so, which includes all dynamically linked programs built against glibc. Once loaded, libld.so hooks several libc functions before glibc, altering results that could reveal LinkPro’s presence.
Magic Packet Activation
The magic packet is a TCP packet with a window size value of 54321. Upon detecting this packet, the Knock module records the source IP address and sets an expiration period of one hour. During this window, the module monitors for additional TCP packets from the same source IP. This mechanism allows the attacker a one-hour timeframe to send commands to a chosen port. The Knock module also modifies incoming TCP packet headers, replacing the original destination port with LinkPro’s listening port (2333) and altering outgoing packets to replace the source port (2233) with the original port. This tactic complicates the correlation between firewall logs and the network activity of the compromised host.
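As an added illustration of the activation sequence above (example code written for this article, not code from the report or from LinkPro), the following Python scans TCP flow records for the window-size-54321 knock, attributes follow-up flows from the same source to the one-hour activation window, and lists post-knock destination ports that have no local listener, which is exactly the mismatch the port rewriting creates between firewall logs and the host. The flow records, addresses and listener list are constructed sample data.

```python
"""Knock-sequence detector for TCP flow records (constructed sample data)."""
from dataclasses import dataclass

MAGIC_WINDOW = 54321      # TCP window size of the magic packet (from the report)
KNOCK_TTL_SECONDS = 3600  # one-hour activation window per source IP (from the report)


@dataclass(frozen=True)
class Flow:
    ts: float       # epoch seconds
    src_ip: str
    dst_port: int   # destination port as seen by the firewall, before any rewriting
    window: int     # TCP window size of the first packet


def find_knock_sessions(flows):
    """Map each knocking source IP to the (ts, dst_port) flows it sent within one
    hour after its magic packet. Flows after the hour elapses are not attributed."""
    expiry, sessions = {}, {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.window == MAGIC_WINDOW:
            expiry[f.src_ip] = f.ts + KNOCK_TTL_SECONDS   # a new knock restarts the hour
            sessions.setdefault(f.src_ip, [])
        elif f.src_ip in expiry and f.ts < expiry[f.src_ip]:
            sessions[f.src_ip].append((f.ts, f.dst_port))
    return {ip: s for ip, s in sessions.items() if s}


def ports_without_listener(sessions, listening_ports):
    """Post-knock destination ports with no local socket bound to them. On a host
    running LinkPro the Knock module rewrites such a destination to its listener
    (2333) before the TCP stack sees it, so the firewall's port matches no listener."""
    seen = {port for flows in sessions.values() for _, port in flows}
    return sorted(seen - set(listening_ports))


# Constructed sample: a knock from 203.0.113.10, follow-up traffic to port 8443 twenty
# minutes later, unrelated traffic from another host, and traffic after the hour expires.
SAMPLE_FLOWS = [
    Flow(1000.0, "203.0.113.10", 22, MAGIC_WINDOW),
    Flow(2200.0, "203.0.113.10", 8443, 65535),
    Flow(2300.0, "198.51.100.7", 8443, 65535),
    Flow(5000.0, "203.0.113.10", 8443, 65535),   # 4000 s after the knock: expired
]
SAMPLE_LISTENERS = [22, 80, 2333]   # constructed: ports with a local listener (as from ss -ltn)

if __name__ == "__main__":
    sessions = find_knock_sessions(SAMPLE_FLOWS)
    print("knock sessions:", sessions)
    print("post-knock ports with no listener:", ports_without_listener(sessions, SAMPLE_LISTENERS))
```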
Command Capabilities
LinkPro supports a range of commands, including:
– Executing /bin/bash in a pseudo-terminal.
– Running shell commands.
– Enumerating files and directories.
– Performing file operations.
– Downloading files.
– Setting up a SOCKS5 proxy tunnel.
The identity of the attackers remains unknown, but there is speculation that they are financially motivated.
Technical Insights
For kernel-level concealment, LinkPro utilizes eBPF programs of the tracepoint and kretprobe types to intercept system calls like getdents (for file hiding) and sys_bpf (to hide its own BPF programs). This technique requires a specific kernel configuration (CONFIG_BPF_KPROBE_OVERRIDE). If this configuration is absent, LinkPro resorts to an alternative method by loading a malicious library via the /etc/ld.so.preload file to ensure its activities remain hidden in user space.
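Two checks a defender can run against the concealment paths described here and in the earlier /etc/ld.so.preload paragraph, added as example code for this article (not Synacktiv's tooling or LinkPro's code): a parser for ld.so.preload entries, and a directory listing taken with a direct getdents64 syscall, which sees through a user-space preload hook but, as the comments note, not through the eBPF hook at the syscall boundary. The sample preload content, file names and syscall-number table are assumptions; the raw-syscall path needs Linux on x86_64 or aarch64 and Python 3.8+.

```python
"""Audit helpers for the ld.so.preload fallback and getdents hooking (Linux x86_64/aarch64)."""
import ctypes
import os
import tempfile
_GETDENTS64 = {"x86_64": 217, "aarch64": 61}  # syscall numbers from the kernel ABI tables
# Constructed sample of an /etc/ld.so.preload file pointing at the implanted library
SAMPLE_PRELOAD = "# libc tuning\n/lib/x86_64-linux-gnu/libld.so   \n"


def preload_libraries(content):
    """Library paths named in ld.so.preload content (whitespace-separated, '#' starts a
    comment). On a host you administer, any entry you did not add is a finding."""
    libs = []
    for line in content.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def raw_getdents_names(path):
    """Directory entries via a direct getdents64 syscall. This bypasses libc's readdir,
    which a preload library can hook, but NOT the eBPF tracepoint/kretprobe hook, which
    rewrites the syscall result itself; that case needs a kernel-side check."""
    nr = _GETDENTS64.get(os.uname().machine)
    if os.uname().sysname != "Linux" or nr is None:
        raise OSError("raw getdents64 check only implemented for Linux x86_64/aarch64")
    libc = ctypes.CDLL(None, use_errno=True)
    buf, names = ctypes.create_string_buffer(32768), set()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while (n := libc.syscall(ctypes.c_long(nr), fd, buf, ctypes.c_size_t(len(buf)))) != 0:
            if n < 0:
                raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
            data, off = buf.raw[:n], 0
            while off < n:
                # struct linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen, u8 d_type, char d_name[]
                reclen = int.from_bytes(data[off + 16:off + 18], "little")
                names.add(os.fsdecode(data[off + 19:off + reclen].split(b"\0", 1)[0]))
                off += reclen
    finally:
        os.close(fd)
    return names - {".", ".."}


def entries_hidden_from_libc(path):
    """Names the kernel returns but os.listdir (libc readdir) does not: a user-space hook."""
    return raw_getdents_names(path) - set(os.listdir(path))


def self_check():
    with tempfile.TemporaryDirectory() as d:  # scratch directory with two constructed files
        for name in ("notes.txt", "libld.so"):
            open(os.path.join(d, name), "w").close()
        return raw_getdents_names(d), entries_hidden_from_libc(d)
```

On a clean host `entries_hidden_from_libc` returns an empty set for every directory; a non-empty result for a directory such as /tmp or /proc points at a user-space hook on the readdir path, while an empty result does not rule out the eBPF variant.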
Conclusion
The discovery of LinkPro underscores the increasing sophistication of Linux-based rootkits and the challenges they pose to cybersecurity defenses. By leveraging advanced techniques like eBPF for stealth and activation, LinkPro exemplifies the evolving landscape of cyber threats targeting Linux systems.