Syslogk Linux Rootkit Detection: Novel Malware Used in the Wild

June 16, 2022 · 3 min read

A new kernel rootkit named Syslogk is gaining traction, targeting Linux OS users.

The novel rootkit is believed to be based on another Linux rootkit dubbed Adore-Ng, a loadable kernel module used to infect the Linux kernel. While Syslogk’s operators are still actively developing the rootkit and extending its functionality, the number of affected devices already keeps growing.

Detect Syslogk Linux Rootkit

The Sigma rule below, released by our keen Threat Bounty developer Kaan Yeniyol, allows for effortless detection of the latest attacks involving the Syslogk rootkit:

Threat Actors Use Syslogk Backdoor to Target Linux Machines (via file_event)

The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Execution tactic with the User Execution (T1204; T1204.002) technique.

Register to the SOC Prime Platform to gain thorough threat analysis and efficient detection with 185,000+ detection algorithms that integrate with every industry-leading SIEM, EDR, and XDR solution. To access the exhaustive library of Sigma rules, click the Detect & Hunt button below. Non-registered users can also try out an innovative SOC Prime solution for threat hunting, the Cyber Threat Search Engine. The Search Engine is a one-stop shop for exhaustive context on cyber threats and relevant Sigma rules, available for free. Give it a go by hitting the Explore Threat Context button. Have detection content of your own to share? Apply for the Threat Bounty Program to contribute to collaborative cyber defense while earning recurring rewards for your input.


Syslogk Linux Rootkit Description

There have been a number of attacks recently affecting Linux systems. Today, Linux OS users are facing the emergence and active development of a novel, highly evasive rootkit dubbed Syslogk. The malware installs as a kernel module in the Linux OS. Adversaries use Syslogk to conceal their traces on the infected system, remain stealthy, and evade manual inspection. In addition, the malware can remotely start or stop payloads; it is widely used to fetch a C-based compiled backdoor trojan dubbed Rekoobe, which is activated by “magic packets” sent by the adversaries.

The first comprehensive analysis of the Syslogk Linux rootkit was released by security researchers from Avast. The experts pointed out that Rekoobe activation may result in such malicious actions as data theft, file manipulation, and account hijacking.
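Because a loadable-module rootkit that hides from manual inspection typically unlinks itself from the kernel's module list, one host-side sanity check is to compare what lsmod reports (/proc/modules) with the loadable modules sysfs still exposes. The script below is an added example written for this post, not SOC Prime's Sigma rule or Avast's tooling; it assumes the generic LKM-hiding behaviour and uses constructed sample data (the module name `hidden_lkm` is a placeholder).

```python
"""Flag loadable kernel modules present in /sys/module but absent from /proc/modules.

Assumption (generic LKM rootkit behaviour, not taken from this post): a module
that removes itself from the kernel's module list vanishes from lsmod while its
/sys/module/<name> directory may remain. A rootkit can scrub sysfs too, so treat
a clean result as one signal among several, not as proof of a clean host.
"""
import os
from typing import Iterable, Set


def parse_proc_modules(text: str) -> Set[str]:
    """Return module names from /proc/modules content (name is the first column)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def hidden_modules(proc_modules_text: str, sysfs_loadable: Iterable[str]) -> Set[str]:
    """Modules sysfs knows as loadable that /proc/modules does not list."""
    return set(sysfs_loadable) - parse_proc_modules(proc_modules_text)


def loadable_modules_in_sysfs(sysfs_root: str = "/sys/module") -> Set[str]:
    """Only loadable modules carry an 'initstate' file; built-in modules do not,
    so filtering on it avoids false positives from compiled-in code."""
    try:
        entries = os.listdir(sysfs_root)
    except OSError:
        return set()
    return {m for m in entries if os.path.exists(os.path.join(sysfs_root, m, "initstate"))}


# Constructed sample: three modules visible to lsmod, a fourth present only in sysfs.
SAMPLE_PROC_MODULES = (
    "ext4 811008 1 - Live 0xffffffffc0a00000\n"
    "xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000\n"
    "e1000 155648 0 - Live 0xffffffffc09c0000\n"
)
SAMPLE_SYSFS_LOADABLE = {"ext4", "xfrm_algo", "e1000", "hidden_lkm"}  # constructed

if __name__ == "__main__":
    print("sample:", sorted(hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADABLE)))
    if os.path.exists("/proc/modules"):  # live check when run on a Linux host
        with open("/proc/modules") as fh:
            print("live:", sorted(hidden_modules(fh.read(), loadable_modules_in_sysfs())))
```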

Take advantage of prolific collaboration with the global cybersecurity community of 23,000+ SOC professionals by joining SOC Prime’s platform. Defend against emerging threats and increase the efficiency of your threat detection capabilities!
