Rootkit lets hackers open SSH connections to victim's device

Sep 5, 2016 15:55 GMT  ·  By

Security researchers at Trend Micro have discovered a new rootkit trojan that targets only Linux-based systems running on x86 and ARM (Raspberry Pi) platforms.

The rootkit is named Umbreon, after a Pokemon creature that hides in the shadows, a fitting name for a rootkit.

Attacker installs Umbreon by hand, on each device

According to Trend Micro, threat actors have used Umbreon in live attacks; the company obtained the samples it analyzed from compromised devices.

The good news is that Umbreon's installation is not automated: attackers need to break into a system first and then manually install the rootkit on the hacked device.

This installation procedure has a negative side as well, mainly because attackers can install the rootkit in a different location on the infected system each time, making automatic detection even harder than it already is.

Umbreon hooks into libc and libpcap

Detecting Umbreon is not an easy task at all. Because the trojan hooks libc functions, only tools that don't go through this library can detect it.

The GNU C Library (libc) is a basic component underlying many of today's language implementations, such as Ruby, PHP, Perl, Python, and more. As such, tools coded in these languages won't be able to detect Umbreon, which can identify any search for its folder or location, hide itself, and use its libc hooks to tamper with the results.

Trend Micro says that only tools coded to use Linux kernel syscalls directly will be able to bypass the rootkit's watching eye. The company says it created one such tool, but has not released it to the public. Nevertheless, it released some removal instructions on its site.
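The detection idea Trend Micro describes, a tool that talks to the kernel through raw syscalls rather than through libc, can be illustrated with the added example below. It is not Trend Micro's unreleased tool and not code from the article: it lists a directory twice, once via `syscall(SYS_getdents64)` (the kernel's view) and once via `opendir`/`readdir` (libc's view, which is what `ls`, `find` and scripting runtimes see), and reports any name present in the first listing but missing from the second. It assumes Linux (x86 or ARM, since it uses `openat` rather than `open`) and a glibc toolchain; the directory names in `constructed_demo` are constructed sample data, not real Umbreon artifacts.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout written by getdents64(2), as documented in its man page;
   glibc does not export this struct, so it is defined here. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

#define MAX_NAMES 1024
#define NAME_LEN  256
typedef char name_t[NAME_LEN];

/* Append one entry, skipping "." and ".." and respecting the array bound. */
static void add_name(name_t *names, int *count, int max, const char *n) {
    if (strcmp(n, ".") == 0 || strcmp(n, "..") == 0 || *count >= max) return;
    strncpy(names[*count], n, NAME_LEN - 1);
    names[*count][NAME_LEN - 1] = '\0';
    (*count)++;
}

/* Kernel's view: openat/getdents64/close issued through syscall(2), bypassing
   the libc wrappers a ring-3 rootkit would hook. Returns entry count or -1. */
static int list_via_syscall(const char *path, name_t *names, int max) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    int count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) break;              /* 0 = end of directory, <0 = error */
        for (long pos = 0; pos < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            add_name(names, &count, max, d->d_name);
            pos += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return count;
}

/* libc's view: the opendir/readdir path used by ls, find and script runtimes. */
static int list_via_libc(const char *path, name_t *names, int max) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) add_name(names, &count, max, e->d_name);
    closedir(dir);
    return count;
}

/* Names in the kernel listing but absent from the libc listing are being hidden
   from libc callers. Copies up to `max` of them into `hidden`, returns the count. */
static int diff_listings(name_t *kern, int nk, name_t *lib, int nl,
                         name_t *hidden, int max) {
    int h = 0;
    for (int i = 0; i < nk; i++) {
        int seen = 0;
        for (int j = 0; j < nl && !seen; j++) seen = strcmp(kern[i], lib[j]) == 0;
        if (!seen && h < max) strcpy(hidden[h++], kern[i]);
        else if (!seen) h++;            /* count even when caller passed max = 0 */
    }
    return h;
}

/* Compare both views of one directory; returns hidden-entry count or -1 on error. */
static int count_hidden(const char *path, name_t *hidden, int max) {
    static name_t kern[MAX_NAMES], lib[MAX_NAMES];
    int nk = list_via_syscall(path, kern, MAX_NAMES);
    int nl = list_via_libc(path, lib, MAX_NAMES);
    if (nk < 0 || nl < 0) return -1;
    return diff_listings(kern, nk, lib, nl, hidden, max);
}

/* Constructed sample (not a real capture): the kernel reports three names, a
   hooked libc reports only two, so exactly one entry is flagged. */
static int constructed_demo(void) {
    name_t kern[3] = {"bin", "lib", ".hidden-dir"};   /* assumed names, illustrative */
    name_t lib[2]  = {"bin", "lib"};
    name_t hidden[3];
    return diff_listings(kern, 3, lib, 2, hidden, 3);
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/";
    static name_t hidden[MAX_NAMES];
    int h = count_hidden(path, hidden, MAX_NAMES);
    if (h < 0) { perror(path); return 2; }
    for (int i = 0; i < h; i++) printf("HIDDEN from libc: %s/%s\n", path, hidden[i]);
    printf("%s: %d entr%s hidden from libc callers\n", path, h, h == 1 ? "y" : "ies");
    return h ? 1 : 0;
}
```

Run it against the directories you suspect (`./dircheck /usr/lib`, `./dircheck /etc`); a clean system reports zero hidden entries everywhere. Two caveats for real use: a directory that changes between the two listings (for example `/tmp` on a busy host) can produce a one-off false positive, so confirm any hit by re-running; and the binary must be statically linked, or at least run with `LD_PRELOAD` and `/etc/ld.so.preload` accounted for, because a rootkit that hooks `syscall()` itself in libc would defeat the comparison.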

Umbreon, which is a ring 3 (user-level) rootkit, is somewhat easier to remove than a ring 0 (kernel-level) rootkit, but non-technical administrators may break their OS if they're not careful.

Attackers can use Umbreon to open SSH tunnels to infected hosts

As for its technical capabilities, Umbreon is a very dangerous tool, with the ability to persist across reboots, intercept all network traffic, intercept and alter terminal commands, and even open a connection to the attacker, allowing him to log on to the victim's device.

The Pokemon theme continues throughout the rootkit's code because the SSH backdoor component that allows attackers to access devices is called Espeon, the name of another Pokemon creature.

Just as Umbreon hooks into libc to intercept terminal commands, it also hooks into libpcap in order to intercept network traffic and hide its C&C communications and the attacker's SSH sessions.

All in all, this is the work of a very talented malware coder. Trend Micro says the threat actor has been active since at least 2013 and started developing Umbreon in early 2015. Softpedia understands that the source code of an older Umbreon version (2.21) leaked online last year.

ASCII art when connecting via SSH to an Umbreon infected device
