[MART] - Daily Diary #531 - Meet Syslogk and Rekoobe

CTAS-MAT ctas-mat at appgate.com
Tue Jun 14 21:25:33 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

06/14/2022 - Diary entry #531

In our Daily Diary #367 we covered Rootkits, a type of malware designed to enable access to a privileged area of a system while staying hidden. Rootkits are, in general, pieces of malware that employ advanced techniques to escalate privilege and, after enough access is achieved, modify the system behavior to remain undetected.

Recently a new Rootkit malware, named Syslogk, was disclosed. Based on Adore-Ng, an open source kernel rootkit, Syslogk has the capability of hiding processes, files, kernel modules, and acting as a backdoor - executing malicious payloads received through magic network traffic packets. Once executed, Syslogk hooks systems APIs (the same technique described in our Daily Diary #393), replacing the APIs for directory listing, network traffic monitoring and others.

Syslogk was designed to launch Rekoobe, a backdoor based on Tiny SHell open-source project, stealthily receiving commands through a fake SMTP server.

Although based on open-source threats, both Rekoobe and Syslogk are dangerous pieces of malware very hard to detect. When dealing with rootkits it’s important to harden all the possible entry points in the infrastructure, segmenting networks to avoid lateral movements and shutting down connections to unknown addresses - doesn’t matter how inoffensive they seem to be. After a system is infected with a rootkit like Syslogk, high are the chances of Anti-Malware and Anti-Viruses solutions not being able to detect it, so it’s important to have enough monitoring and protections to catch it in the early stages.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Manager, MART

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220614/e286dae4/attachment.htm>

More information about the MART mailing list