Malware News Pokemon-Themed Umbreon Rootkit Targets Linux x86 and ARM Platforms

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Security researchers at Trend Micro have discovered a new rootkit trojan that targets only Linux-based systems running on x86 and ARM (Raspberry Pi) platforms.

The rootkit's name is Umbreon, taken after the name of a Pokemon creature that hides in the shadows, a fitting name for a rootkit.

Attacker installs Umbreon by hand, on each device
According to Trend Micro, threat actors have used Umbreon in live attacks, the company receiving samples to analyze from compromised devices.

The good news is that Umbreon's installation is not automated, and attackers need to break into a system first, and then manually install the rootkit on the hacked device.

This installation procedure has its negative side as well, mainly because attackers can install the rootkit in a different location of the infected system each time, making automatic detection even harder than it already is.

Umbreon hooks into libc and libpcap
Detecting Umbreon is not an easy task at all. Because the trojan injects itself in libc functions, only tools that don't use this library can detect it.

The GNU C Library (libc) is a basic component of many of today's programming language compilers, such as Ruby, PHP, Perl, Python, and more. As such, tools coded in these languages won't be able to detect Umbreon, who will be able to identify any search commands for its folder or location, hide itself, and then use libc to tamper with the results.

Trend Micro says that only tools coded to use Linux kernel syscalls directly will be able to bypass the rootkit's watching eye. The company says it created one such tool, but has not released it to the public. Nevertheless, it released some removal instructions on its site.

Umbreon, which is a ring 3 (user level) rootkit, is somewhat easy to remove compared to a ring 0 rootkit, but non-technical administrators may break their OS if they're not careful.

Attackers can use Umbreon to open SSH tunnels to infected hosts
As for its technical capabilities, Umbreon is a very dangerous tool, with the ability to persist between reboots, intercept all network traffic, intercept and alter terminal commands, and even open a connection to the attacker, allowing him to log on the victim's device.

The Pokemon theme continues throughout the rootkit's code because the SSH backdoor component that allows attackers to access devices is called Espeon, the name of another Pokemon creature.

Just like Umbreon hooks into libc to intercept terminal commands, the rootkit also hooks into libpcap in order to intercept network traffic and hide its C&C communications, and the attacker's SSH sessions.

All in all, this is the work of a very talented malware coder. Trend Micro says the threat actor has been active since at least 2013, and that he started developing Umbreon in early 2015.
 

Dave377

New Member
Mar 21, 2016
1
Hi, I just downloaded a new version of Kali 2016.2. It comes with a present from the government : Linux/Ebury



upload_2016-9-5_16-56-43.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top