
""This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a 'magic packet,'" security researcher Théo Letailleur said. The infection, per the French cybersecurity company, involved the attackers exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 as the starting point, following which a malicious Docker Hub image named "kvlnt/vv" (now removed) was deployed on several Kubernetes clusters."
"The Docker image consists of a Kali Linux base along with a folder called "app" containing three files - start.sh, a shell script to start the SSH service and execute the remaining two files link, an open-source program called vnt that acts as a VPN server and provides proxy capabilities by connecting to vnt.wherewego[.]top:29872, allowing the attacker to connect to the compromised server from anywhere and use it as a proxy to reach other servers"
"Also delivered to the Kubernetes nodes were two other malware strains, a dropper embedding another vShell backdoor and LinkPro, a rootkit written in Golang. The stealthy malware can operate in either passive (aka reverse) or active (aka forward) mode, depending on its configuration, allowing it to listen for commands from the C2 server only upon receiving a specific TCP packet or directly initiate contact with the server."
An AWS-hosted infrastructure compromise revealed a new GNU/Linux rootkit named LinkPro that relies on eBPF modules for concealment and remote activation. Attackers began by exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 and deployed a malicious Docker Hub image named kvlnt/vv across multiple Kubernetes clusters. The Docker image used a Kali Linux base and included scripts and programs to start SSH, run a vnt VPN/proxy, and download an encrypted vShell payload from an S3 bucket, which then connected to a C2 server over WebSocket. Additional payloads included a dropper embedding vShell and the Golang-based LinkPro rootkit, which can operate in either passive (reverse) mode, waiting for a specific TCP packet before listening for C2 commands, or active (forward) mode, in which it initiates contact with the C2 server itself.
Read at The Hacker News