Chinese Hackers Have Unleashed a Never-Before-Seen Linux Backdoor

Researchers have discovered a never-before-seen backdoor for Linux that's being used by a threat actor linked to the Chinese government. From a report: The new backdoor originates from a Windows backdoor named Trochilus, which was first seen in 2015 by researchers from Arbor Networks, now known as Netscout. They said that Trochilus executed and ran only in memory, and the final payload never appeared on disks in most cases. That made the malware difficult to detect. Researchers from NHS Digital in the UK have said Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.

Other groups eventually used it, and its source code has been available on GitHub for more than six years. Trochilus has been seen being used in campaigns that used a separate piece of malware known as RedLeaves. In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021. By searching VirusTotal for the file name, ââlibmonitor.so.2, the researchers located an executable Linux file named "mkmon." This executable contained credentials that could be used to decrypt the libmonitor.so.2 file and recover its original payload, leading the researchers to conclude that "mkmon" is an installation file that delivered and decrypted libmonitor.so.2.

The Linux malware ported several functions found in Trochilus and combined them with a new Socket Secure (SOCKS) implementation. The Trend Micro researchers eventually named their discovery SprySOCKS, with "spry" denoting its swift behavior and the added SOCKS component. SprySOCKS implements the usual backdoor capabilities, including collecting system information, opening an interactive remote shell for controlling compromised systems, listing network connections, and creating a proxy based on the SOCKS protocol for uploading files and other data between the compromised system and the attacker-controlled command server.

Never-Before-Seen

[NateFromMich]

Proceeds to tell us its rather long history.

Re:Never-Before-Seen

[jonadab]

I'm more concerned that they're abusing the word "backdoor" (which is meant to imply a deliberately included but secret feature of the software in question, in this case Linux), and you have to read nearly half the summary to find out that what they're actually talking about is malware that lets an attacker get in repeatedly once they've compromised the system in the first place and installed it. The traditional term for that is "rootkit".

Re:

[bloodhawk]

Long since given up flailing at that windmill. Everything from hacker, troll, back-door, virus, trojan etc are incorrectly used by quasi journalists more often then they are used correctly.

Re:Never-Before-Seen

[saloomy]

Yes. This isn't a "linux back door" which would imply some root access elevation in the Kernel via some magic network packet or something scary like that. It is a remote access tool one has to get onto the system. It has clever hiding techniques. But nothing built into linux. Nothing it seems Linux should even patch to prevent. Just some anti-malware tools need to look out for.

Re:

[mysidia]

Nothing it seems Linux should even patch to prevent

There is something, but it may be a difficult patch to write.

The capability to create "ephemeral code" the system will execute for you should not exist. The Executable binary files of programs should be Immutable; Only renaming within the same subdirectory allowed -- modification and Deletion / Unlinking a running binary especially should have been blocked by the system All along. Windows actually has a security advantage over Linux in this area:

Re:

[Anonymous Coward]

So you are proposing banning lisp, forth, perl, python, ruby and many other languages too? Especially those with "eval" or similar.

I'm thinking your cure is worse than the disease.

Re:

[jonadab]

> Windows actually has a security advantage over Linux in this area: if Xyz.dll is a
> running program, then you are Not able to delete Xyz.dll so long as it continues to run.

Please don't call that an advantage. Needing to reboot the system in order to install any updates at all, is not an advantage. It's a flaw.

What we really should have, though, is built-in VMS-style file versioning. Ideally, I'd like to be able to adjust the settings (all files are versioned, files are versioned by default, files

Re:

[mysidia]

Please don't call that an advantage.
It is an advantage..

Needing to reboot the system in order to install any updates at all, is not an advantage. It's a flaw.

Your updates on Linux are not fully effective until you reboot, either.. It's not like Linux allows you to update a running program and make the new update live without shutting down and restarting that program.

It's a serious limitation, But it is Not something that immutable running binaries causes. I'm saying Only hard links to the binary shoul

Re: Never-Before-Seen

[jovius]

It used to be important to differentiate hackers - the good - from crackers - the bad. It is always downhill, resistance is futile.

Important question

[Okian Warrior]

I'm more concerned that they're abusing the word "backdoor" (which is meant to imply a deliberately included but secret feature of the software in question, in this case Linux), and you have to read nearly half the summary to find out that what they're actually talking about is malware that lets an attacker get in repeatedly once they've compromised the system in the first place and installed it. The traditional term for that is "rootkit".

And really useful information would be to tell everyone what the vulnerability is, and how to tell whether their own installation of linux is vulnerable.

The term "backdoor" implies a way in, and the shockingly clickbait headline implies that there's a vulnerability in linux.

From your post I assume that there is no new threat to linux, no backdoor that needs to be patched, and everyone can breathe a sigh of relief after having read the article headline.

Is that correct?

Re:Important question

[Narcocide]

Yes, this is just a rootkit. It's basically a remote access server that is clever at hiding itself. The attacker would have to already have administrative access to install it in the first place. This article is a hit job on Linux, and I suspect whoever wrote it is directly associated with the same criminals spreading the rootkit.

Re:Important question

[Narcocide]

Oh, and it's also not "never before seen" ... the summary goes on to say it was seen for at least 3 years on Windows prior to this.

Re:

[Shakrai]

The attacker would have to already have administrative access to install it in the first place. This article is a hit job on Linux

I don’t need admin access to install this rootkit. I just need to social engineer someone with admin access. That is, by far, the single biggest threat, independent of platform. It changed [wikipedia.org] a presidential election.

You think your people won’t fall for it? Think again.. It ain’t just spear phishing. You gonna bet there’s nobody on your team I can’t con with a sufficiently attractive member of the opposite sex who feigns interest in them? That’s the extreme, half the t

Re:

[JasterBobaMereel]

"I don’t need admin access to install this rootkit. I just need to social engineer someone with admin access" ... You have just said you don't need admin access and then described the most common method of getting Admin Access ...

But you are correct that this is regardless of system ..

Re:

[Shakrai]

You have just said you don't need admin access and then described the most common method of getting Admin Access

Because you're focusing on the wrong shit if you think Linux is going to keep you safe these days. Zero days notwithstanding, the threat isn't bugs in your OS, or user space software, the threat is social engineering. If you aren't drilling that ad nauseam into your users, friends, and family at every opportunity, you are doing yourself, your organization, and society as a whole a huge disservice.

I've seen highly educated relatively young (early 30s) people who grew up immersed in technology fall for spe

Re:

[ToasterMonkey]

I'm more concerned that they're abusing the word "backdoor" (which is meant to imply a deliberately included but secret feature of the software in question, in this case Linux), and you have to read nearly half the summary to find out that what they're actually talking about is malware that lets an attacker get in repeatedly once they've compromised the system in the first place and installed it. The traditional term for that is "rootkit".

Traditional since when? I've never heard of your definition.

This was a back door https://en.wikipedia.org/wiki/... [wikipedia.org]
Unauthorized remote access, and it was never deliberately included in anything, it was malware you'd infect some innocent executable with it and pass that off as a trojan.

This was a root kit https://en.wikipedia.org/wiki/... [wikipedia.org]
Unauthorized privilege escalation, and it didn't have any remote access.

They go together often, but remote access tools (back doors) don't need privilege escalation. Plenty

I am Jack's complete lack of surprise.

[denny_deluxe]

The Chinese government, stealing everything on earth that isn't nailed down? UNPOSSIBLE

I hate articles like this...

[dark.nebulae]

hey, I found a virus/trojan/whatever and this is what it does...

Well goodie for you.

How about you tell me how to determine if I might be infected? Or tell me how to prevent being infected? Or how to remove if I am infected?

You know, useful things that people outside of your little community might care about?

Re:

[Hugedatabase]

It's possible there isn't a solution if it's related to Microsoft. Even if there's a solution for a linux distribution, if the vulnerability originates from Microsoft key loggers any ping to a Microsoft server could in theory reintroduce the bug. Net send, now 'msg', is a significant security concern when it comes to zero trust networking.

Re:

[Narcocide]

It seems to be implied that it doesn't write itself to disk so it can't persist through a reboot.

Continuous uptime?

[jenningsthecat]

They said that Trochilus executed and ran only in memory, and the final payload never appeared on disks in most cases.

Sysadmins are often proud of how long their servers have been running without a reboot. If this kind of memory-resident exploit gains traction, might periodic reboots become part of routine server maintenance?

Re:

[ctilsie242]

Even Linux machines, there is always something kernel based that needs updating or some library that other stuff depends on, so Linux machines should see a reboot every month as well. Technically one can use ksplice, kexec or other ways to tap dance around a reboot... but nothing beats a reboot to ensure everything on a machine is in some known state.

As for this rootkit, there are many spots to hide it. Compromised firmware comes to mind.

Re:

[Chris Mattern]

"[N]othing beats a reboot to ensure everything on a machine is in some known state."

And nothing beats a reboot for ensuring that your reboot, you know, *works*. It's real fun to have to reboot your server in an emergency only to find out that its reboot setup is broken.

Re:

[Chris Mattern]

I have read advice to reboot your phone once a day precisely to clear possible memory-resident-only malware.

Re:

[93 Escort Wagon]

Sysadmins are often proud of how long their servers have been running without a reboot.

I knew idiots (typically NetWare admins) back in the 90s who were like this... but it's been many years since I've heard anyone (who gets paid, anyway) espouse this as a point of pride.

My servers and Linux workstations get rebooted at least quarterly - more often if there's a significant kernel patch that's come down the pike. I'd prefer to do it more often, but there are practical considerations (and only a few of my servers are exposed to the internet anyway - and those get updated more frequently).

Re:

[Anonymous Coward]

Sysadmins are often proud of how long their servers have been running without a reboot.

I knew idiots (typically NetWare admins) back in the 90s who were like this... but it's been many years since I've heard anyone (who gets paid, anyway) espouse this as a point of pride.

What, you do not have Slashdot Stats enabled?

Slashdot Stats
time: 06:40:09
uptime: 8 days, 13:22, 0 users,
load average: 1.05, 1.62, 1.44
processes: 134
totalhits: 13729216323

Re:

[sinkskinkshrieks]

0. Live patching exists in multiple forms for temporary patching until scheduled downtime can happen. 1. Uptime is only a useful metric for non-redundant systems to maintain overall availability. Add HA and exponential/blue-green continuous deployment, and there's no reason to be concerned about uptime of individual systems.

Paywalled source

[gavron]

Trend Micro has put the original article behind a $2,995 USD paywall.

The few tidbits (see referenced Ars article) lacks information:
1. How does this spread in the first place
2. How can inux admins prevent this
3. How can admins ensure their systems are free of this
4. How can admins remove this
5. What timeline exists from when the code was publicly posted to this revision

THAT information would be a lot more useful than any of this hype being repeated by the media --
usually there's that dog-whistle for "Microsoft is safe. Linux is a Chinese attack vector."

Re:Paywalled source

[PPH]

Trend Micro has put the original article behind a $2,995 USD paywall.

Yeah. I did a quick search for "libmonitor.so.2". It appears to be part of HPCToolkit*. Either a corrupted version or perhaps the whole thing is suspect. Many of the articles I can find describing this toolkit appear to be hosted on paywalled servers. Which means if one does fetch the article (per the services terms), do a bit of research on what this thing is really up to and attempts to publish their work, they could be stepping through a minefield of publication rights.

*HPCToolkit is advertised as a performance monitoring and profiling suite of tools aimed at High Performance Computing (parallel systems). The original tool kit may be clean (or maybe not) but this appears to be targeted at big systems doing "interesting" R&D of the type Chinese dearly love to get their hands on.

Re:

[JasterBobaMereel]

They would have to admit this is not a backdoor, not new, and not really an issue but a tool used by hackers who have already breached a system in other ways

Yes, so?

[gweihir]

This is just some remote access server. Obviously, you can write server software for Linux, that is no surprise at all. Also obviously, you can use most stealth tech for them on Linux too, because Linux has a good systems API. What this thing cannot do is compromise Linux systems and that is not its purpose.

Not a backdoor

[jarle.aase]

It's not a backdoor. It's just an application that can be deployed and run on Linux. One among thousands of other malicious applications funded by taxpayers in US, EU, China, Russia, Israel, Turkey etc.

Unleashed Chinese Linux Backdoor

[Mirnotoriety]

Do you have any clue how this Chinese Linux Backdoor can infect a Linux Desktop, without user action such as opening a malicious email attachment or clicking on a malicious Weblink.

To answer my own question:

‘In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021. By searching VirusTotal for the file name, libmonitor.so.2, the researchers located an executable Linux file named “mkmon.

Re:

[sinkskinkshrieks]

The only evidence this shows is a payload. Without an exploit, it's totally worthless. For defenders, knowing and patching the vulnerability the exploit uses (presumably a non-public 0day state actors bought through something like Zerodium) would be the main defense. Signature matching antivirus/antimalware is an after-the-fact intrusion detection defense-in-depth layer providing mostly awareness of unstealthy, known malware only.