Avast researchers document Syslogk, a Linux kernel rootkit under development in the wild that leverages Adore-Ng foundations to hide itself and a Rekoobe backdoor embedded in a fake SMTP server. The malware can be revealed, loaded, and controlled via on-demand “magic packets,” while using kernel hooks and a hidden file/directory layout to evade detection. #Syslogk #Rekoobe #AdoreNg #CentOS #LinuxRootkit #MagicPackets
Key points
- Syslogk is a Linux kernel rootkit heavily based on Adore-Ng and discovered in the wild as a sample under active development.
- The rootkit hides itself and its payload by hooking kernel functions (VFS, proc, and network-related hooks) and by manipulating Page Table Entries (PTEs).
- The hidden backdoor payload is a trojan called Rekoobe, embedded in a fake SMTP server and detectable as ELF:Rekoobe by Avast’s engine.
- Remote control is achieved via “magic packets” that start or stop the Rekoobe payload, with authentication via a hardcoded key and specific packet fields.
- The rootkit exposes a /proc/syslogk interface through which it can be revealed on demand, and once revealed it can be removed with rmmod; this shows that its stealth is something the operator switches on and off rather than a permanent state.
- Syslogk hides directories, files, and processes (e.g., the PgSD93ql payload and related files) and manipulates Netstat output to avoid detection.
- The attackers use a combination of kernel-space hooks and user-space execution (via call_usermodehelper) to spawn and manage the backdoor.
MITRE Techniques
- [T1564.001] Hide Artifacts – File and Directory – The rootkit hides directories containing malicious files and itself from the OS. Quote: “…hides directories containing malicious files, effectively hiding them from the operating system.”
- [T1036] Masquerading – The Rekoobe backdoor is embedded in a fake SMTP server that aims to appear legitimate. Quote: “When queried, it appears to be a legitimate SMTP server.”
- [T1071.003] Application Layer Protocol: Mail – The Rekoobe payload is a backdoor within a fake SMTP server, using mail protocols for covert communication. Quote: “embedded in a fake SMTP server, which spawns a shell when it receives a specially crafted command.”
- [T1059.004] Unix Shell – The rootkit starts the Rekoobe payload in user mode via /bin/sh and related kernel-to-userspace calls. Quote: “To execute the command that starts the Rekoobe backdoor, the rootkit executes the following command by combining the kernel APIs: call_usermodehelper_setup, call_usermodehelper_setfns, and call_usermodehelper_exec.”
- [T1562.001] Impair Defenses – Kernel/Hooks – The rootkit modifies kernel memory (PTE) and hooks kernel symbols to hide artifacts and persist. Quote: “The rootkit uses the set_addr_rw and set_addr_ro rootkit functions, which adds or removes writing permissions to the Page Table Entry (PTE) structure.”
Indicators of Compromise
- [Hash] Syslogk sample – 68facac60ee0ade1aa8f8f2024787244c2584a1a03d10cda83eeaf1258b371f2
- [Hash] Rekoobe sample – 11edf80f2918da818f3862246206b569d5dcebdc2a7ed791663ca3254ede772d
- [Hash] Other Rekoobe samples – fa94282e34901eba45720c4f89a0c820d32840ae49e53de8e75b2d6e78326074, and 2 more hashes
- [File/Directory] Key files and paths – /proc/syslogk, /etc/rc-Zobk0jpi/PgSD93ql
- [Process] PgSD93ql – hardcoded process name that the rootkit references when locating or terminating the payload
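The indicators above are only useful if they are actually checked somewhere, so here is an added example of how a responder might turn them into an offline triage script. This code is not part of the Avast write-up or the Syslogk sample; it uses the three hashes, two paths and one process name listed in this summary and nothing else (the two further Rekoobe hashes from the original post are not reproduced here, so the hash table is incomplete). Because the rootkit hooks VFS and proc lookups, a scan run on the live infected host may not see the hidden files or process; the functions therefore take a `root` and `proc_root` parameter so they can be pointed at a mounted disk image or a copied /proc tree instead. The fixture built by `build_demo` is constructed test data, not real malware.

```python
import hashlib
import os
import tempfile

# Indicators copied from the summary above. The original post lists two further
# Rekoobe hashes that are not reproduced here, so this table is incomplete.
KNOWN_HASHES = {
    "68facac60ee0ade1aa8f8f2024787244c2584a1a03d10cda83eeaf1258b371f2": "Syslogk rootkit module",
    "11edf80f2918da818f3862246206b569d5dcebdc2a7ed791663ca3254ede772d": "Rekoobe backdoor",
    "fa94282e34901eba45720c4f89a0c820d32840ae49e53de8e75b2d6e78326074": "Rekoobe backdoor (other sample)",
}
KNOWN_PATHS = ("/proc/syslogk", "/etc/rc-Zobk0jpi/PgSD93ql")
KNOWN_PROCESS_NAME = "PgSD93ql"


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so large disk images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_hashes(paths, known=KNOWN_HASHES):
    """Return [(path, label)] for every regular file whose SHA-256 is in `known`."""
    hits = []
    for p in paths:
        if os.path.isfile(p):
            label = known.get(sha256_file(p))
            if label:
                hits.append((p, label))
    return hits


def check_paths(root="/", known=KNOWN_PATHS):
    """Return the known paths that exist under `root` (e.g. a mounted disk image)."""
    found = []
    for p in known:
        candidate = os.path.join(root, p.lstrip("/"))
        if os.path.lexists(candidate):
            found.append(p)
    return found


def find_process(name=KNOWN_PROCESS_NAME, proc_root="/proc"):
    """Return PIDs whose <proc_root>/<pid>/comm equals `name`, sorted ascending."""
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                if f.read().strip() == name:
                    pids.append(int(entry))
        except OSError:
            continue  # process exited, or its entry is hidden/unreadable
    return sorted(pids)


def build_demo(base):
    """Constructed fixture: a fake root and fake /proc in which the indicators exist."""
    os.makedirs(os.path.join(base, "root", "etc", "rc-Zobk0jpi"))
    os.makedirs(os.path.join(base, "proc", "4242"))
    payload = os.path.join(base, "root", "etc", "rc-Zobk0jpi", "PgSD93ql")
    with open(payload, "wb") as f:
        f.write(b"constructed sample, not the real payload")
    with open(os.path.join(base, "proc", "4242", "comm"), "w") as f:
        f.write("PgSD93ql\n")
    return payload


def run_demo():
    """Build the fixture in a temp dir and run all three checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = build_demo(tmp)
        # Constructed hash table keyed on the fixture so the hash check matches offline.
        demo_known = {sha256_file(payload): "constructed sample"}
        return {
            "hash_hits": scan_hashes([payload], demo_known),
            "real_hash_hits": scan_hashes([payload]),  # fixture is not real malware
            "paths": check_paths(os.path.join(tmp, "root")),
            "pids": find_process(proc_root=os.path.join(tmp, "proc")),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Against a real image you would call `scan_hashes` over the file list of the mounted volume, `check_paths(root="/mnt/image")` and, if a /proc snapshot was captured, `find_process(proc_root=...)`. A hit on the path or process name with no matching hash still warrants a closer look, since the post describes the sample as under active development and the hash list is a small snapshot of it.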