OrBit – Undetected Linux Malware Uses Unseen Hijack Method to Attack Linux Systems

Linux commonly powers servers and cloud computing infrastructure. Recently, cyber security researchers at Intezer discovered a new and completely undetected Linux threat referred to as OrBit.

It can be installed either as a persistent implant or as a volatile implant, depending on the attacker's needs. The malware employs advanced evasion techniques by hooking key functions on the machine. Among the features it provides to threat actors are:

  • Remote access capabilities over SSH
  • Credential harvesting
  • Logging of TTY commands

(Figure: Hooked stat function in the malware)

Once installed, the malware infects every process running on the machine, including any new process started afterwards.

Technical Analysis

Unlike other threats that hijack shared libraries by modifying the LD_PRELOAD environment variable, this malware loads its malicious library in one of two ways:

  • First, the shared object can be added to the loader's configuration file.
  • Second, the loader binary itself can be patched so that it loads the malicious shared object.
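As an added defender-side example (not code from the article, from Intezer, or from the OrBit sample), the following Python script checks a host for the two loading methods described above. It lists any entries in the loader's preload configuration file, which the example assumes to be /etc/ld.so.preload, and scans each process's /proc/<pid>/maps for mapped shared objects that are either preloaded or live outside an assumed allow-list of standard system library directories. The preload contents and maps dump embedded in the block are constructed, not real captures; the payload name libdl.so mirrors the one named in this article.

```python
"""Added example, not from the Intezer report or the OrBit sample.

Assumptions (labelled): /etc/ld.so.preload is the loader configuration
file the article refers to, and STANDARD_LIB_DIRS is a reasonable
allow-list for glibc systems; neither value comes from the article.
"""
import os
import re
from typing import Dict, List, Set

PRELOAD_CONF = "/etc/ld.so.preload"  # assumed glibc loader preload config

# Assumed allow-list of directories where system libraries normally live.
STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# One /proc/<pid>/maps line: range perms offset dev inode [pathname].
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(?P<path>\S.*)?$"
)

# Constructed sample inputs (not real captures) used by the self-test below.
SAMPLE_PRELOAD = "/dev/shm/.x/libdl.so   # constructed: no entry belongs here\n"
SAMPLE_MAPS = """\
55d5c3a00000-55d5c3a21000 r--p 00000000 08:01 1234 /usr/bin/bash
7f1a2b000000-7f1a2b022000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2b200000-7f1a2b202000 r--p 00000000 08:01 9012 /lib/x86_64-linux-gnu/libdl.so.2
7f1a2b400000-7f1a2b405000 r-xp 00000000 08:01 3456 /dev/shm/.x/libdl.so
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
7ffd1e0fe000-7ffd1e100000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_preload(text: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload-style file.

    Entries are separated by whitespace or colons and '#' starts a comment.
    On an untouched system the list is empty, so any entry deserves a look.
    """
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def mapped_libraries(maps_text: str) -> Set[str]:
    """Return the file-backed shared objects found in a /proc/<pid>/maps dump."""
    libs: Set[str] = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m or not m.group("path"):
            continue
        path = m.group("path").strip()
        # Keep real files whose name looks like a shared object; this drops
        # pseudo-mappings such as [stack] and [vdso] and the main executable.
        if path.startswith("/") and ".so" in os.path.basename(path):
            libs.add(path)
    return libs


def suspicious_libraries(maps_text: str, preload_entries: List[str]) -> List[str]:
    """Flag mapped libraries that are preloaded or sit outside STANDARD_LIB_DIRS.

    A 'libdl.so' in a writable directory is flagged even though the real
    libdl.so.2 under /lib is not, which is exactly the name trick to catch.
    """
    flagged = []
    for lib in sorted(mapped_libraries(maps_text)):
        in_std_dir = any(lib.startswith(d + "/") for d in STANDARD_LIB_DIRS)
        if lib in preload_entries or not in_std_dir:
            flagged.append(lib)
    return flagged


def scan_live_system(proc_root: str = "/proc",
                     preload_conf: str = PRELOAD_CONF) -> Dict[int, List[str]]:
    """Apply both checks to every readable process on this host."""
    try:
        with open(preload_conf, encoding="utf-8") as fh:
            preload = parse_preload(fh.read())
    except FileNotFoundError:
        preload = []
    findings: Dict[int, List[str]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps"), encoding="utf-8") as fh:
                hits = suspicious_libraries(fh.read(), preload)
        except OSError:  # process exited, or not ours to read
            continue
        if hits:
            findings[int(pid)] = hits
    return findings


if __name__ == "__main__":
    preload = parse_preload(SAMPLE_PRELOAD)
    print("sample preload entries:", preload)
    print("flagged in sample maps:", suspicious_libraries(SAMPLE_MAPS, preload))
    for pid, libs in scan_live_system().items():
        print(f"pid {pid}: {libs}")
```

Run it as root for full coverage of /proc. Expect false positives on hosts that load libraries from application or sandbox prefixes (snap, flatpak, vendor directories under /opt); extend STANDARD_LIB_DIRS for your baseline rather than ignoring the hits. A non-empty preload file on a server that never configured one is the stronger signal and warrants checking the loader binary against its package's recorded checksum as well.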

Upon installation, the dropper sets up the environment for the malware to run in and installs the payload into it, extracting the payload to the location chosen through the command line arguments.

According to the report, the installation path can be changed through the command line arguments, and the payload can be updated or uninstalled completely the same way.

Stealthy Malware

After BPFDoor, Symbiote, and Syslogk, OrBit is the fourth Linux malware to emerge within the last three months.

Like Symbiote, the malware targets all processes running on the compromised machine in order to spread. The attack chain begins with an ELF dropper file that extracts the payload file (“libdl.so”) onto the server.

It is also important to note that OrBit uses several stealthy methods to ensure it can operate without being noticed at all. These methods give it persistence and make removing the malware from infected computers quite difficult.

What is particularly interesting about this malware is that it hooks libraries on the machine it is attacking almost comprehensively.

As a result, the malware can maintain persistence, evade detection, steal information, and set up a backdoor over the SSH protocol.

Threats targeting Linux keep evolving and staying under the radar, while security tools fail to keep up with them.

There are many examples of new malware that is extremely evasive and persistent in its methods, and OrBit is one such example.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.