Pokémon-Themed Rootkit Hounding Linux Systems

A new, stealthy and persistent rootkit that gives attackers full control of a compromised Linux system has been discovered by threat researchers.

Fernando Mercês, a senior threat researcher at security vendor Trend Micro, reported that the malware, a rootkit family, is named after Umbreon, a dark-type Pokémon that lurks in the night: a fitting trait for a rootkit.

The rootkit does not spread on its own; an attacker installs it manually after gaining access to a system. It targets Linux running on Intel x86 and x86-64 as well as ARM processors, which extends its reach to embedded devices such as the Raspberry Pi. This portability comes from Umbreon's compact design: it is written mainly in C and contains no platform-specific code.

According to the information collected by IT Security Services Australia, Umbreon's development began in early 2015, although its developer has been active in the cybercrime scene since 2013. A few actors have bragged on private forums and IRC channels that Umbreon is hard to detect, but the researchers were able to work out how the rootkit operates and how it hides itself within a Linux environment.

Umbreon's purpose is to open a backdoor and/or connect to a command-and-control (C&C) server, giving an attacker a way to control and spy on the compromised machine. During installation, Umbreon creates a valid Linux user account that serves as the attacker's backdoor into the system; that account can be used through any authentication method supported by Linux. Although its code runs only at ring 3 (user level) and never in the kernel, it works around that limitation by hooking the functions in core libraries that programs rely on to read and write files, create processes and send network traffic, so everything those programs see has already passed through the rootkit's filter.

Umbreon also carries a second component, dubbed Espeon after another Pokémon, one with large ears. Espeon can be instructed to connect out to an attacker's machine and then act as a reverse-shell backdoor: because the connection is initiated from inside the network, it passes through firewalls that permit outbound traffic.

To hide the network traffic it generates, Umbreon hooks the packet-capture library (libpcap) that Linux tools use and stops it from returning the TCP packets belonging to the malware's own connections, so an administrator running the common tcpdump utility on the infected host will not see Umbreon's traffic. This only blinds capture on the infected machine itself; a capture taken elsewhere on the network, such as from a tap or mirror port, still shows the packets.

One way to detect Umbreon is to write a small tool that lists the contents of its default rootkit folder by calling Linux kernel syscalls directly (the getdents64 syscall that readdir() is built on), so the listing bypasses the malicious C library that Umbreon installs; building the tool as a statically linked binary keeps the rootkit's library out of the process entirely. Any file names in that folder beginning with libc.so are a strong indication that Umbreon is installed.
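The two sides described above, the libc-level hooking that lets a ring-3 rootkit filter what programs see and the syscall-level listing just suggested for detection, as one added example. This is the editor's own illustration, not Umbreon's code and not Trend Micro's tool: it interposes readdir() to hide every entry whose name begins with libc.so, then counts the entries of one directory twice, once through the hooked libc and once through raw openat/getdents64 syscalls. It assumes Linux on x86-64 (other architectures fall back to libc's syscall() wrapper) and builds its own temporary directory with constructed file names (libc.so.6, libc.so.9, notes.txt), since the page does not give the rootkit folder's real path; the directory and file names are invented for the demo.

```c
/* Added example (not Umbreon's or Trend Micro's code): a ring-3 readdir() hook
 * like a user-level rootkit installs, beside a scanner that lists the directory
 * via raw syscalls, which the hook cannot filter. Linux only; gcc -O2 rkscan.c */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Hand-rolled so the scanner depends on no libc string routine either. */
static int has_prefix(const char *s, const char *p) {
    while (*p) if (*s++ != *p++) return 0;
    return 1;
}

/* ---- rootkit side: interpose readdir() and drop the entries it hides. This
 * definition shadows libc's for this program, as an LD_PRELOAD/ld.so.preload
 * library does for every program; RTLD_NEXT reaches the real function. ---- */
struct dirent *readdir(DIR *dirp) {
    static struct dirent *(*real_readdir)(DIR *);
    if (!real_readdir)
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
    struct dirent *e;
    while (real_readdir && (e = real_readdir(dirp)) != NULL)
        if (!has_prefix(e->d_name, "libc.so")) return e;  /* prefix per article */
    return NULL;
}

/* What an ordinary tool counts: entries seen through the (hooked) libc. */
long count_via_libc(const char *dir, const char *prefix) {
    DIR *d = opendir(dir);
    if (!d) return -errno;
    long hits = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        hits += has_prefix(e->d_name, prefix);
    closedir(d);
    return hits;
}

/* ---- detection side: talk to the kernel directly. x86-64 issues the syscall
 * instruction inline (no libc in the path); elsewhere use libc's thin syscall(). */
static long raw_syscall4(long nr, long a1, long a2, long a3, long a4) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    register long r10 __asm__("r10") = a4;
    __asm__ volatile("syscall" : "=a"(ret) : "a"(nr), "D"(a1), "S"(a2), "d"(a3),
                     "r"(r10) : "rcx", "r11", "memory");
    return ret;                         /* kernel convention: -errno on failure */
#else
    long ret = syscall(nr, a1, a2, a3, a4);
    return ret < 0 ? -errno : ret;      /* normalise to the same -errno convention */
#endif
}

struct linux_dirent64 {                      /* record layout of getdents64 */
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type; char d_name[];
};
/* Count names starting with `prefix` via openat/getdents64/close only; count or -errno. */
long count_via_syscalls(const char *dir, const char *prefix) {
    long fd = raw_syscall4(SYS_openat, AT_FDCWD, (long)dir,
                           O_RDONLY | O_DIRECTORY | O_CLOEXEC, 0);
    if (fd < 0) return fd;
    char buf[8192] __attribute__((aligned(8)));
    long hits = 0, n;
    while ((n = raw_syscall4(SYS_getdents64, fd, (long)buf, sizeof buf, 0)) > 0)
        for (long off = 0; off < n; ) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            hits += has_prefix(e->d_name, prefix);
            off += e->d_reclen;
        }
    raw_syscall4(SYS_close, fd, 0, 0, 0);
    return n < 0 ? n : hits;
}

/* Constructed fixture for the rootkit folder: two libc.so* files + one other. */
int build_fixture(char *path, size_t len) {
    static const char *names[] = { "libc.so.6", "libc.so.9", "notes.txt" };
    if (snprintf(path, len, "/tmp/rkdemo_XXXXXX") >= (int)len || !mkdtemp(path))
        return -1;
    for (int i = 0, fd; i < 3; i++) {
        char p[512];
        snprintf(p, sizeof p, "%s/%s", path, names[i]);
        if ((fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
        close(fd);
    }
    return 0;
}

int main(void) {
    char dir[64];
    if (build_fixture(dir, sizeof dir) != 0) return 1;
    printf("%s: hooked libc sees %ld libc.so* entries, raw syscalls see %ld\n", dir,
           count_via_libc(dir, "libc.so"), count_via_syscalls(dir, "libc.so"));
    return 0;
}
```

Build with gcc -O2 -o rkscan rkscan.c (add -ldl on glibc older than 2.34). The hooked count comes back 0 while the raw-syscall count comes back 2: that disagreement is the detection signal. On a suspect host, keep only the scanner half, build it with -static so no preloaded library is mapped into the process at all, and point it at the folder in question.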

Since Umbreon is a user-level rootkit, it can be removed manually by booting the infected system from a Linux live CD or USB drive, mounting its filesystem and deleting the rootkit's files; with the infected system not running, none of its hooks are active, so nothing is hidden from the live environment. However, IT Services Australia warns that this is error-prone for inexperienced users: the files involved sit alongside the system's own C library, and deleting the wrong ones can leave the system broken beyond repair.
