Pokemon Rootkit Targets Linux Systems

Trend Micro researchers have discovered a stealthy new rootkit family named after Pokemon character Umbreon which could allow hackers to remotely control targeted devices.

The rootkit has been designed to target Linux systems – including those running Intel and ARM chips – meaning it could be used to access embedded computing devices, wrote senior threat researcher, Fernando Mercês.

It appears to have been written specifically for three platforms – x86, x86-64 and ARM (Raspberry Pi) – and is highly portable, having been written in pure C apart from some additional tools in Python and Bash.

On installation it creates a backdoor account which can be accessed by any Linux-supported authentication method.

“This is a non-promiscuous libpcap-based backdoor written in C that spawns a shell when an authenticated user connects to it. (The attackers also named this component after a Pokémon – this time Espeon, which has pronounced ears.) It can be instructed to establish a connection to an attacker machine, functioning as a reverse shell to bypass firewalls,” explained Mercês.

“Espeon captures all TCP traffic that reaches the main Ethernet interface of the affected computer. Once it receives a TCP packet with some special field values, it then connects back to the source IP of this TCP packet.”

As with most rootkits, detection is far from easy, and it requires a tool that doesn’t rely on libc, since the rootkit replaces the system’s C library to hide itself.

“One way is to develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly,” said Mercês.

“This bypasses any malicious C library installed by Umbreon. If the output contains one or more files with names starting with libc.so followed by a random integer, this is the red flag that suggests Umbreon is installed in the machine.”
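The detection approach Mercês describes, as an added example that is not Trend Micro’s own tool: a small C program that opens a directory and reads its entries with the `openat`, `getdents64` and `close` kernel syscalls issued directly via inline assembly (x86-64 and AArch64; other architectures fall back to libc’s `syscall()` wrapper), so that a hooked `opendir`/`readdir` in a malicious C library is never called. It flags names of the form `libc.so` followed only by digits, leaving the legitimate `libc.so.6` alone. The Umbreon folder path is not given in this article, so the path in `main` is a placeholder, and the demo function builds a constructed temporary directory to scan.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Issue a 3-argument syscall without going through the hookable libc wrappers
 * (opendir/readdir/open/close). Only x86-64 and AArch64 use inline asm here;
 * other targets fall back to libc's thin syscall() wrapper (an assumption). */
static long raw_syscall3(long nr, long a1, long a2, long a3) {
#if defined(__x86_64__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    return ret;
#elif defined(__aarch64__)
    register long x8 __asm__("x8") = nr;
    register long x0 __asm__("x0") = a1;
    register long x1 __asm__("x1") = a2;
    register long x2 __asm__("x2") = a3;
    __asm__ volatile ("svc #0" : "+r"(x0) : "r"(x8), "r"(x1), "r"(x2) : "memory", "cc");
    return x0;
#else
    return syscall(nr, a1, a2, a3);
#endif
}

/* Kernel ABI layout of a getdents64 record (not glibc's struct dirent). */
struct raw_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/* Red-flag rule from the article: "libc.so" followed by one or more digits. */
int is_suspicious_name(const char *name) {
    const char *prefix = "libc.so";
    size_t plen = strlen(prefix);
    if (strncmp(name, prefix, plen) != 0) return 0;
    const char *p = name + plen;
    if (*p == '\0') return 0;                       /* bare "libc.so" */
    for (; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;  /* e.g. "libc.so.6" is legitimate */
    return 1;
}

/* Lists a directory via raw syscalls; returns the number of suspicious names,
 * or -1 if the directory cannot be opened or read. */
int scan_directory(const char *path) {
    long fd = raw_syscall3(SYS_openat, AT_FDCWD, (long)path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[8192] __attribute__((aligned(8)));
    int hits = 0;
    for (;;) {
        long n = raw_syscall3(SYS_getdents64, fd, (long)buf, sizeof buf);
        if (n < 0) { hits = -1; break; }
        if (n == 0) break;                          /* end of directory */
        for (long off = 0; off < n;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            if (is_suspicious_name(d->d_name)) {
                printf("suspicious: %s/%s\n", path, d->d_name);
                hits++;
            }
            off += d->d_reclen;
        }
    }
    raw_syscall3(SYS_close, fd, 0, 0);
    return hits;
}

/* Constructed demo: a temporary directory holding one suspicious name, one
 * legitimate libc name and one unrelated file. Expected result: 1 hit. */
int demo_scan_constructed_dir(void) {
    char tmpl[] = "/tmp/umbreon-check-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    const char *names[] = { "libc.so1234", "libc.so.6", "notes.txt" };
    char path[512];
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0) close(fd);
    }
    int hits = scan_directory(dir);
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return hits;
}

int main(int argc, char **argv) {
    /* PLACEHOLDER: the article does not name the default Umbreon folder. */
    const char *target = argc > 1 ? argv[1] : "/path/to/umbreon/folder";
    int hits = scan_directory(target);
    if (hits < 0) { fprintf(stderr, "cannot read %s\n", target); return 2; }
    printf("%d suspicious entr%s in %s\n", hits, hits == 1 ? "y" : "ies", target);
    return hits > 0 ? 1 : 0;
}
```

Because the directory walk never calls `opendir` or `readdir`, a user-mode rootkit that hides entries by patching those libc functions cannot filter the listing; it would have to be hooked at a lower layer (ptrace, a kernel module) to interfere, which is exactly the ring 3 limitation the article goes on to note. Compile statically (`gcc -static`) so the check does not even load the system’s shared libc at startup.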

The Trend Micro team has also created a set of YARA rules to detect the rootkit.

Espeon is a ring 3, or ‘usermode,’ rootkit, meaning it can be removed, although Trend Micro warned that inexperienced users may break the system, making it unrecoverable.

The best way to remove it safely is booting an affected machine with Linux LiveCD, the blog concluded.