OrBit is rather nasty and can hide its presence in network activity by manipulating logs. The module hooks functions called in shared libraries, which is pretty common for malware, but it implements “advanced evasion techniques” and “remote capabilities over SSH.”
OrBit writes the output of executed commands to specific files on the targeted machine. It accepts arguments to customize the installation path and other settings such as the payload content. OrBit has two installation modes: /lib/ for a persistent install and /dev/shm/ (a shared-memory tmpfs, so the files do not survive a reboot) for a volatile one.
The dropper prepares the environment and writes Python scripts that interact with the filesystem to deliver the payload and execute it with high privileges. It uses the LD_PRELOAD environment variable to hijack shared-library loading, an approach also seen in other Linux malware such as Symbiote. It also stores stolen data in specific files on the targeted machine.
The module “hooks multiple functions to prevent them from outputting information that might reveal the existence of the malicious shared library in the running processes or the files that are being used,” the researchers wrote.
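The LD_PRELOAD hijack and the hooked process/file listings described above suggest where a defender should look: the two injection channels (/etc/ld.so.preload and an LD_PRELOAD variable in a process environment) and libraries mapped from volatile locations such as /dev/shm. The script below is an added example written for this page; it is not Intezer's tooling and not code from the malware. The /proc/<pid>/maps text, the preload entries and the library name /dev/shm/example_hook.so are constructed sample data, and the trusted/volatile prefix lists are assumptions you would tune to your distribution.

```python
import os
import re
from typing import Dict, List

# Directories from which an installed shared library is normally mapped.
# A persistent OrBit install under /lib/ would pass this test, so pair the
# check with package-manager verification (see the note after the block).
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# tmpfs / scratch locations; a library mapped from here is the volatile-mode signal.
VOLATILE_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")

# One /proc/<pid>/maps line: addr perms offset dev inode [path]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>/.+)$")


def mapped_libraries(maps_text: str) -> List[str]:
    """Distinct file-backed mappings that look like shared objects."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mapping, [heap], [stack], ...
        path = m.group("path")
        if ".so" in os.path.basename(path) and path not in seen:
            seen.append(path)
    return seen


def classify_library(path: str) -> str:
    """'ok', 'deleted' (unlinked while still mapped), 'volatile' or 'untrusted'."""
    if path.endswith(" (deleted)"):
        return "deleted"
    if path.startswith(VOLATILE_PREFIXES):
        return "volatile"
    if not path.startswith(TRUSTED_LIB_PREFIXES):
        return "untrusted"
    return "ok"


def preload_findings(ld_so_preload_text: str, environ: Dict[str, str]) -> List[str]:
    """Report both LD_PRELOAD injection channels."""
    findings = []
    for line in ld_so_preload_text.splitlines():
        entry = line.split("#", 1)[0].strip()  # /etc/ld.so.preload allows comments
        if entry:
            findings.append(f"/etc/ld.so.preload lists {entry}")
    if environ.get("LD_PRELOAD"):
        findings.append(f"LD_PRELOAD={environ['LD_PRELOAD']}")
    return findings


def audit(maps_text: str, ld_so_preload_text: str, environ: Dict[str, str]) -> List[str]:
    """Combine preload findings with suspicious mapped libraries."""
    findings = preload_findings(ld_so_preload_text, environ)
    for lib in mapped_libraries(maps_text):
        label = classify_library(lib)
        if label != "ok":
            findings.append(f"{label}: {lib}")
    return findings


def audit_live_process(pid: int) -> List[str]:
    """Same checks against a live /proc entry (Linux, needs read access to the target)."""
    with open(f"/proc/{pid}/maps") as f:
        maps = f.read()
    try:
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    except FileNotFoundError:
        preload = ""
    with open(f"/proc/{pid}/environ", "rb") as f:
        items = f.read().split(b"\0")
    environ = dict(i.decode(errors="replace").split("=", 1) for i in items if b"=" in i)
    return audit(maps, preload, environ)


# Constructed sample: an sshd process with a library mapped from /dev/shm.
SAMPLE_MAPS = """\
55d0a4c00000-55d0a4c01000 r--p 00000000 08:01 1311 /usr/bin/sshd
7f3c1a200000-7f3c1a3b0000 r-xp 00000000 08:01 2240 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c1a400000-7f3c1a410000 r-xp 00000000 08:01 2251 /usr/lib/x86_64-linux-gnu/libpam.so.0
7f3c1a500000-7f3c1a520000 r-xp 00000000 00:18 42 /dev/shm/example_hook.so
7f3c1a600000-7f3c1a601000 rw-p 00000000 00:00 0 [heap]
"""
SAMPLE_PRELOAD = "/dev/shm/example_hook.so\n"
SAMPLE_ENVIRON = {"LD_PRELOAD": "/dev/shm/example_hook.so", "PATH": "/usr/bin"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAPS, SAMPLE_PRELOAD, SAMPLE_ENVIRON):
        print(finding)
```

Two caveats for live use. First, on a host where libc is already hooked, the hooked functions can hide the preload file and the library from this very script; run it from a statically linked interpreter, or read the same files from a forensic image or a live-boot environment. Second, the persistent /lib/ mode passes the prefix test, so complement it with the package manager's file verification (for example `rpm -Va` or `debsums`) to spot a modified loader or library under /lib.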
By hooking functions in the Linux Pluggable Authentication Module (PAM) to steal information from SSH connections, the attackers can gain remote access while hiding the associated network activity. The malware is hard to remove while the machine is running because it uses two methods to achieve persistence “in case one of them goes away.”
If administrators delete the file or restore the original version, the malware will either recreate or repatch it. In addition, the malware can monitor its own network activity and filter its own traffic. To achieve that, it hooks functions such as bind, connect, or pcap_packet_callback to log IP addresses and ports in the .ports file within the malware folder.
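Because the malware hooks bind, connect and the pcap callback to filter its own connections out of the host's view, the host can no longer be trusted to report them. A practical detection is to compare the host's socket table with what an external vantage point (a network tap or flow collector) saw for the same address. The example below is added for this page, not Intezer's tooling or the malware's code; the `ss -Htn` output and the Zeek-style tab-separated connection records are constructed samples using documentation IP ranges, and the column order of the flow records is an assumption of this example.

```python
from typing import List, Set, Tuple

Endpoint = Tuple[str, str]  # (local "ip:port", peer "ip:port")


def parse_ss(ss_text: str) -> Set[Endpoint]:
    """Parse `ss -Htn` lines: State Recv-Q Send-Q Local Peer."""
    conns: Set[Endpoint] = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        conns.add((fields[3], fields[4]))
    return conns


def parse_flows(conn_log_text: str, host_ip: str) -> Set[Endpoint]:
    """Parse tab-separated flow records (orig_h, orig_p, resp_h, resp_p) and
    express every flow touching host_ip from the host's point of view."""
    flows: Set[Endpoint] = set()
    for line in conn_log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        orig_h, orig_p, resp_h, resp_p = line.split("\t")[:4]
        if resp_h == host_ip:   # inbound connection to the host
            flows.add((f"{resp_h}:{resp_p}", f"{orig_h}:{orig_p}"))
        elif orig_h == host_ip:  # outbound connection from the host
            flows.add((f"{orig_h}:{orig_p}", f"{resp_h}:{resp_p}"))
    return flows


def hidden_connections(ss_text: str, conn_log_text: str, host_ip: str) -> List[Endpoint]:
    """Connections seen on the wire that the host itself does not report."""
    on_wire = parse_flows(conn_log_text, host_ip)
    on_host = parse_ss(ss_text)
    return sorted(on_wire - on_host)


# Constructed sample: the host reports one SSH session and one HTTPS client;
# the tap additionally saw a second SSH session the host does not list.
HOST_IP = "192.0.2.10"
SAMPLE_SS = """\
ESTAB 0 0 192.0.2.10:22    198.51.100.7:51234
ESTAB 0 0 192.0.2.10:41892 203.0.113.20:443
"""
SAMPLE_CONN_LOG = """\
#fields\torig_h\torig_p\tresp_h\tresp_p
198.51.100.7\t51234\t192.0.2.10\t22
192.0.2.10\t41892\t203.0.113.20\t443
203.0.113.99\t60001\t192.0.2.10\t22
192.0.2.11\t5000\t203.0.113.5\t80
"""

if __name__ == "__main__":
    for local, peer in hidden_connections(SAMPLE_SS, SAMPLE_CONN_LOG, HOST_IP):
        print(f"not reported by host: {local} <- {peer}")
```

Take the two views at the same moment and limit the flow records to ones that overlap the snapshot, otherwise short-lived connections that ended before `ss` ran show up as false positives. A persistent discrepancy on a service port such as 22 is the signal this article's description points to: traffic that exists on the network but is invisible from the host.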
Classic antivirus software can't catch threats like OrBit that are specifically built to evade it. The threat actors behind the malware appear to have a firm grasp of Linux internals, as you would expect from such hackers, and their approach might inspire other groups. Some security vendors have updated their detection since Intezer’s publication, but others still do not detect the threat.