LinkPro Rootkit Attacking GNU/Linux Systems Using eBPF Module to Hide Malicious Activities

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated rootkit targeting GNU/Linux systems has emerged, leveraging advanced eBPF (extended Berkeley Packet Filter) technology to conceal malicious activities and evade traditional monitoring tools.

The threat, known as LinkPro, was discovered during a digital forensic investigation of a compromised AWS-hosted infrastructure, where it functioned as a stealthy backdoor with capabilities ranging from process hiding to remote activation via magic packets.

The infection chain began with a vulnerable Jenkins server (CVE-2024-23897) exposed to the internet.

Threat actors deployed a malicious Docker image named kvlnt/vv across several Amazon EKS Kubernetes clusters, containing a VPN proxy tool, a downloader malware called vGet, and the LinkPro rootkit.

The Docker configuration allowed full filesystem access with root privileges, enabling container escape and credential harvesting from other pods.

Synacktiv researchers identified LinkPro as an undocumented backdoor developed in Golang. The rootkit operates in two modes: a passive reverse mode that listens for commands only after receiving a specific TCP magic packet, and an active forward mode that initiates command-and-control communication itself.

Its dual-layer stealth approach relies on two eBPF modules for concealment, but automatically falls back to hijacking the dynamic linker through /etc/ld.so.preload when kernel configurations lack the required CONFIG_BPF_KPROBE_OVERRIDE option.

Network packet flow in the kernel with XDP (Source – Synacktiv)

The rootkit achieves persistence by masquerading as the legitimate systemd-resolved service, creating a deceptive systemd unit file at /etc/systemd/system/systemd-resolveld.service.

The malicious binary is copied to /usr/lib/.system/.tmp~data.resolveld, with timestamps modified to match system files.

The Hide eBPF module intercepts critical system calls including getdents and sys_bpf using tracepoints and kernel return probes, effectively hiding files, processes, and its own eBPF programs from enumeration tools.

Advanced Network Manipulation Through eBPF

The Knock eBPF module demonstrates sophisticated network manipulation techniques. Using XDP (eXpress Data Path) and TC (Traffic Control) programs, LinkPro monitors network traffic for a magic packet—a TCP SYN packet with a window size of 54321.

LinkPro passive network flow (Source – Synacktiv)

Upon detection, the xdp_ingress program stores the source IP in a knock_map with a one-hour expiration window and dynamically rewrites incoming packet headers to redirect traffic from any external port to LinkPro’s internal listening port 2233.

if (tcph->syn && tcph->window == bpf_htons(MAGIC_WIN)) {
    __u64 exp = bpf_ktime_get_ns() + WIN_NS;
    bpf_map_update_elem(&knock_map, &sip_h, &exp, BPF_ANY);
    return XDP_DROP;
}

The complementary tc_egress program ensures outgoing responses have their source ports rewritten back to original values, creating a seamless tunnel that bypasses firewall rules.
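Because xdp_ingress drops the knock before the victim's network stack sees it, the knock is only observable from a tap, span port or sensor in front of the host. The following detector is an added example (not Synacktiv's or the rootkit's code) that parses raw Ethernet/IPv4/TCP frames and flags a pure SYN carrying the window value named above; the sample frames and addresses are constructed for the demonstration.

```python
import struct

MAGIC_WIN = 54321           # TCP window value the write-up names as the knock
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_ipv4_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags, window) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # too short, or not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:  # version, protocol TCP, header room
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    return src, dst, sport, dport, off_flags & 0x01FF, window

def is_knock(parsed) -> bool:
    """Pure SYN (no ACK) with the magic window; a SYN/ACK echoing the window is a reply, not a knock."""
    flags, window = parsed[4], parsed[5]
    return bool(flags & TCP_SYN) and not flags & TCP_ACK and window == MAGIC_WIN

def find_knocks(frames):
    """Return (src, dst, dport) for every frame matching the knock signature."""
    hits = []
    for frame in frames:
        p = parse_ipv4_tcp(frame)
        if p and is_knock(p):
            hits.append((p[0], p[1], p[3]))
    return hits

def build_frame(src, dst, sport, dport, flags, window) -> bytes:
    """Constructed test frame (checksums zeroed: fine for parsing, not for sending)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, window, 0, 0)
    return eth + ip + tcp

# Constructed sample traffic: one knock, one ordinary SYN, one SYN/ACK that echoes the window.
SAMPLE = [
    build_frame("198.51.100.7", "10.0.0.5", 40000, 443, TCP_SYN, MAGIC_WIN),
    build_frame("203.0.113.9", "10.0.0.5", 40001, 443, TCP_SYN, 65535),
    build_frame("10.0.0.5", "198.51.100.7", 443, 40000, TCP_SYN | TCP_ACK, MAGIC_WIN),
]

if __name__ == "__main__":
    for src, dst, dport in find_knocks(SAMPLE):
        print(f"knock candidate: {src} -> {dst}:{dport} (window {MAGIC_WIN})")
```

A window of 54321 can occur in benign traffic, so treat a hit as a lead to correlate with a later connection to port 2233 or with the host checks the article recommends, not as proof of compromise.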

Once operational, LinkPro provides comprehensive remote access including interactive shell sessions, file management operations, SOCKS5 proxy tunneling, and file exfiltration via Base64-encoded chunks.

The malware supports multiple protocols including HTTP, WebSocket, TCP, UDP, and DNS tunneling, with exchanges encrypted using XOR operations. Organizations should monitor for suspicious systemd service files and unusual eBPF program activity to detect such threats.
