"Syslogk Linux Malware Has a Sneaky Way of Staying Hidden"

Syslogk is a newly discovered stealthy piece of Linux malware that delivers a backdoor, which remains hidden on the targeted machine until its controller transmits so-called 'magic packets' from anywhere on the Internet. According to Avast researchers, the Syslogk Linux rootkit distributes the Rekoobe backdoor Trojan and employs various techniques to keep the backdoor hidden until it is required. The version of Syslogk that Avast analyzed was found to work only on older versions of the Linux kernel; however, the malware appears to be under development. Rekoobe malware has been used by APT31, also known as Zirconium, a Chinese state-sponsored threat actor. It is based on TinyShell, an open-source UNIX backdoor project, and there are references in the Syslogk rootkit to TinyShell that date back to December 13, 2018. Syslogk itself is primarily based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. Syslogk adds new features that make the user-mode application and the kernel rootkit more difficult to detect than Adore-Ng, which can already conceal files, processes, and the kernel module. This article continues to discuss the Avast researchers' findings surrounding the Syslogk Linux malware.

ZDNet reports "Syslogk Linux Malware Has a Sneaky Way of Staying Hidden"