AL2022_46 OrBit malware steals information from Linux devices. (20th July 2022)


A newly discovered Linux malware is being used to steal information from backdoored Linux systems and can infect every process running on the host.


This malware, named OrBit, hijacks shared libraries to intercept function calls by modifying the LD_PRELOAD environment variable on compromised devices. 

How it Works

Once installed, the malware immediately hooks into every process running on the device, including any process launched afterwards. It employs advanced evasion techniques and gains persistence on the machine by hooking key library functions. It also grants threat actors remote access via SSH (Secure Shell), harvests credentials, and logs TTY (teletypewriter) commands. The malware loads its malicious library in one of two ways.

The first method is to add the shared object to the loader's configuration file, so that the loader preloads it into every dynamically linked program it starts.

The second method modifies the loader's binary itself, so that whenever the loader is invoked it loads the malicious shared object.
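The following script is an added defensive example and is not part of this advisory. It audits the two persistence paths described above plus the LD_PRELOAD variable, on the assumption that the "loader's configuration file" is glibc's /etc/ld.so.preload, that the loader binary is the ld.so shipped by the system's libc at the usual x86-64 paths, and that the host is dpkg- or rpm-managed so the loader can be verified against the package database.

```sh
#!/bin/sh
# Added defensive example (not from the advisory). Audits the persistence
# paths the alert describes. Assumptions: the loader config file is glibc's
# /etc/ld.so.preload, the loader is the ld.so provided by libc, and the
# host uses dpkg or rpm so file checksums can be verified.

# check_preload_file FILE [ALLOWLIST]
# Reports every non-empty, non-comment entry of a preload config file that is
# not in the optional space-separated ALLOWLIST. Returns 1 if any were found.
# A missing or empty preload file is the normal state on most systems.
check_preload_file() {
    file="$1"
    allow="${2:-}"
    found=0
    [ -f "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        ok=0
        for a in $allow; do
            [ "$line" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'unexpected preload entry in %s: %s\n' "$file" "$line"
            found=1
        fi
    done < "$file"
    return "$found"
}

# check_env_preload ENVIRON_FILE
# Reads a NUL-separated environment block (the format of /proc/PID/environ)
# and returns 1 if LD_PRELOAD is set; the malware relies on that variable
# to get its library mapped into newly started processes.
check_env_preload() {
    value=$(tr '\0' '\n' < "$1" | grep '^LD_PRELOAD=' || true)
    if [ -n "$value" ]; then
        printf 'LD_PRELOAD set in %s: %s\n' "$1" "$value"
        return 1
    fi
    return 0
}

# check_loader_integrity LOADER
# Resolves the loader path (usually a symlink) and verifies the real file
# against the package manager's recorded checksums (dpkg -V or rpm -V).
# Returns 1 on a mismatch, 0 if it verifies or no package manager is present.
check_loader_integrity() {
    target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$target" 2>/dev/null | cut -d: -f1)
        if [ -n "$pkg" ] && dpkg -V "$pkg" 2>/dev/null | grep -q " $target\$"; then
            printf 'loader %s does not match package %s\n' "$target" "$pkg"
            return 1
        fi
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -Vf "$target" 2>/dev/null | grep -q " $target\$"; then
            printf 'loader %s does not match its rpm package\n' "$target"
            return 1
        fi
    fi
    return 0
}

# audit_system: run all three checks against the live host. Walks every
# readable /proc/PID/environ; run as root to see other users' processes.
# Loader paths below are the common x86-64 glibc locations (assumption).
audit_system() {
    rc=0
    check_preload_file /etc/ld.so.preload || rc=1
    for env in /proc/[0-9]*/environ; do
        [ -r "$env" ] && { check_env_preload "$env" || rc=1; }
    done
    for ld in /lib64/ld-linux-x86-64.so.2 /lib/ld-linux-x86-64.so.2; do
        [ -e "$ld" ] && { check_loader_integrity "$ld" || rc=1; }
    done
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    audit_system
fi
```

Run it as `sh audit_preload.sh --run` (a hypothetical file name); a non-zero exit means at least one check flagged something. The preload-file check is deliberately allowlist-based: on most hosts the file should be absent or empty, so any entry deserves a second look rather than a signature match against a known malware name.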


Anti-malware vendors have updated their products to detect this malware. A list of these vendors along with the malware detection names can be found at the following URL:  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: OrBit malware steals information from Linux devices.pdf