LinkPro Linux Rootkit Uses eBPF to Evade Detection

A new Golang-based Linux rootkit named LinkPro has been discovered following an attack on cloud-hosted infrastructure. The infection began with the exploitation of a vulnerable Jenkins server, which led to the deployment of malicious Docker images on Kubernetes clusters. LinkPro achieves stealth using advanced eBPF modules to hide its processes and network activity, and it activates its command-and-control functions only after receiving a specific 'magic packet'. If kernel restrictions prevent the use of eBPF, the rootkit falls back to an alternative method of concealing its activity in user space. Once active, the malware gives attackers remote shell access, file operations, and SOCKS5 proxy tunneling capabilities.

Latest mentioned: 10-16
Earliest mentioned: 10-14