EXECUTIVE SUMMARY
A highly adaptable and resilient Linux rootkit, OrBit, has been tracked across multiple deployments, revealing a complex evolution of the malware. OrBit is a repackaged and selectively weaponized build of Medusa, an open-source LD_PRELOAD rootkit published on GitHub. Since its initial discovery, OrBit has undergone significant changes, with multiple operators contributing to its development. The rootkit's primary goal is to achieve persistence and data theft, using SSH backdoors and PAM-based credential harvesting.
OrBit infects systems through a shared library (.so) that achieves persistence by patching the dynamic linker, specifically modifying ld.so to ensure the malicious library is loaded into every process on the system. Once installed, OrBit hooks into PAM functions to harvest credentials from SSH and sudo authentication attempts, storing the captured passwords locally. The malware stores its harvested credentials and configuration data in a directory that remains invisible to standard enumeration thanks to the rootkit's own hooks. OrBit's evasion capabilities are comprehensive, hooking over forty libc functions to hide files, processes, and network connections from administrators and security tools alike.
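Because an LD_PRELOAD-style rootkit hides itself by filtering the answers libc gives to administrators, a useful host check is to gather the same facts through more than one path and compare. The script below is an added example written for this summary, not code from the report or from any OrBit sample: it flags entries in /etc/ld.so.preload, flags shared objects mapped into a process from outside the usual library directories, and cross-checks the PIDs returned by readdir() on /proc against a direct per-PID probe. The trusted directory list, the sample inputs and the library/PID values in the constructed test data are assumptions for illustration.

```python
import os

# Assumption: directories from which a linker-loaded library is normally expected.
# Adjust per distribution; anything mapped from elsewhere (e.g. /dev/shm, /tmp) deserves a look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def preload_entries(text):
    """Return library paths listed in /etc/ld.so.preload content, skipping blanks and '#' comments.
    A clean host normally has no such file at all, so any entry is worth investigating."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def unexpected_mappings(maps_text):
    """Return mapped .so paths (from /proc/<pid>/maps text) that live outside TRUSTED_LIB_DIRS."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)        # address perms offset dev inode [path]
        if len(parts) < 6:
            continue                       # anonymous mapping, no backing file
        path = parts[5]
        if (path.endswith(".so") or ".so." in path) and not path.startswith(TRUSTED_LIB_DIRS):
            found.add(path)
    return sorted(found)


def hidden_pids(listed, probed):
    """PIDs reachable by direct probe but missing from the /proc listing: a readdir() filter signature."""
    return sorted(set(probed) - set(listed))


def listed_pids():
    """PIDs as reported by os.listdir('/proc'), i.e. through libc readdir(), which a rootkit may hook."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def probe_pids(max_pid):
    """Probe /proc/<pid>/status directly for every candidate PID. This bypasses a hooked readdir(),
    but not a hooked stat(), so treat a clean result as one data point rather than proof."""
    return [pid for pid in range(1, max_pid + 1) if os.path.exists(f"/proc/{pid}/status")]


if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload entries:", preload_entries(fh.read()))
    with open("/proc/self/maps") as fh:
        print("unexpected mappings in this process:", unexpected_mappings(fh.read()))
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    print("PIDs hidden from readdir:", hidden_pids(listed_pids(), probe_pids(max_pid)))
```

Run it as root on the suspect host and, where possible, from a boot medium as well, since a hooked stat() or open() can blind the probe on a fully compromised system.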
The continued emergence of new OrBit samples, accompanied by operator-specific credential rotation, confirms that a single public rootkit codebase is being cloned and configured by multiple unrelated actor groups. Organisations should remain vigilant and take proactive steps to defend against OrBit and similar threats. This includes ensuring systems are patched and up-to-date, implementing robust monitoring and logging, and maintaining regular backups. Endpoint protection should also be prioritised, with a focus on detecting and preventing lateral movement and data exfiltration.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1078 | Valid Accounts | — |
| Persistence | T1053.003 | Scheduled Task/Job | Cron |
| Defense Evasion | T1574.006 | Hijack Execution Flow | Dynamic Linker Hijacking |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Collection | T1040 | Network Sniffing | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details:
https://intezer.com/blog/orbit-returns/
https://cybersecuritynews.com/hackers-use-orbit-rootkit-to-harvest-ssh/