LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets

An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv.

“This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a 'magic packet,’” security researcher Théo Letailleur said.

The infection, per the French cybersecurity company, involved the attackers exploiting an exposed Jenkins server vulnerable to CVE-2024–23897 as the starting point, following which a malicious Docker Hub image named “kvlnt/vv” (now removed) was deployed on several Kubernetes clusters.

The Docker image consists of a Kali Linux base along with a folder called “app” containing three files -

• start.sh, a shell script to start the SSH service and execute the remaining two files
• link, an open-source program called vnt that acts as a VPN server and provides proxy capabilities by connecting to vnt.wherewego[.]top:29872, allowing the attacker to connect to the compromised server from anywhere and use it as a proxy to reach other servers
• app, a Rust-based downloader referred to as vGet that receives an encrypted VShell payload from an S3 bucket, which then proceeds to communicate with its own command-and-control (C2) server (56.155.98[.]37) over a WebSocket connection

Also delivered to the Kubernetes nodes were two other malware strains, a dropper embedding another vShell backdoor and LinkPro, a rootkit written in Golang. The stealthy malware can operate in either passive (aka reverse) or active (aka forward) mode, depending on its configuration, allowing it to listen for commands from the C2 server only upon receiving a specific TCP packet or directly initiate contact with the server.

While the forward mode supports five different communication protocols, including HTTP, WebSocket, UDP, TCP, and DNS, the reverse mode only uses the HTTP protocol. The overall sequence of events unfolds as follows -

• Install the “Hide” eBPF module, which contains eBPF programs of the Tracepoint and Kretprobe types to hide its processes and network activity
• If the “Hide” module installation fails, or if it has been disabled, install the shared library “libld.so” in /etc/ld.so.preload
• If reverse mode is used, install the “Knock” eBPF module, which contains two eBPF programs of the eXpress Data Path (XDP) and Traffic Control (TC) types to ensure that the C2 communication channel is fired only upon the receipt of the magic packet
• Achieve persistence by setting up a systemd service
• Execute C2 commands
• On interruption (SIGHUP, SIGINT, and SIGTERM signals), uninstall the eBPF modules and delete the modified /etc/libld.so and restore it back to its original version

To achieve this, LinkPro modifies the “/etc/ld.so.preload” configuration file to specify the path of the libld.so shared library embedded within it with the main objective of concealing various artifacts that could reveal the backdoor’s presence.

“Thanks to the presence of the /etc/libld.so path in /etc/ld.so.preload, the libld.so shared library installed by LinkPro is loaded by all programs that require /lib/ld-linux.so14,” Letailleur explained. “This includes all programs that use shared libraries, such as glibc.”

“Once libld.so is loaded at the execution of a program, for example /usr/bin/ls, it hooks (before glibc) several libc functions to modify results that could reveal the presence of LinkPro.”

The magic packet, per Synacktiv, is a TCP packet with a window size value of 54321. Once this packet is detected, the Knock module saves the source IP address of the packet and an associated expiration date of one hour as its value. The program then keeps an eye out for additional TCP packets whose source IP address matches that of the already saved IP.

In other words, the core functionality of LinkPro is to wait for a magic packet to be sent, after which the threat actor has a one-hour window to send commands to a port of their choice. The Knock module is also designed to modify the incoming TCP packet’s header to replace the original destination port with LinkPro’s listening port (2333), and alter the outgoing packet to replace the source port (2233) with the original port.

“The purpose of this maneuver is to allow the operator to activate command reception for LinkPro by going through any port authorized by the front-end firewall,” Synacktiv said. “This also makes the correlation between the front-end firewall logs and the network activity of the compromised host more complex.”

The commands supported by LinkPro include executing /bin/bash in a pseudo-terminal, running a shell command, enumerating files and directories, performing file operations, downloading files, and setting up a SOCKS5 proxy tunnel. It’s currently not known who is behind the attack, but it’s suspected that the threat actors are financially motivated.

“For its concealment at the kernel level, the rootkit uses eBPF programs of the tracepoint and kretprobe types to intercept the getdents (file hiding) and sys_bpf (hiding its own BPF programs) system calls. Notably, this technique requires a specific kernel configuration (CONFIG_BPF_KPROBE_OVERRIDE),” the company said.

“If the latter is not present, LinkPro falls back on an alternative method by loading a malicious library via the /etc/ld.so.preload file to ensure the concealment of its activities in user space.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.