{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dynamic-linker/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux operating system"],"_cs_severities":["high"],"_cs_tags":["persistence","linux","dynamic-linker","shared-object"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis brief addresses a persistence technique where attackers copy the Linux dynamic linker binary (ld-linux-x86-64.so.2) and subsequently create or modify shared object files (.so), often after modifying \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e.  This activity has been observed in Linux malware campaigns, where attackers aim to inject and preload malicious shared objects.  The dynamic linker is a crucial component for loading shared libraries, making it a valuable target for attackers seeking to establish persistence and execute malicious code. Recent malware, such as Orbit, has used this technique, making it critical to detect this behavior. The detection focuses on identifying processes involved in copying the dynamic linker, modifications to \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e, and the creation of suspicious shared object files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, possibly through exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ersync\u003c/code\u003e, or \u003ccode\u003emv\u003c/code\u003e to create a backup copy of the dynamic linker (\u003ccode\u003e/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\u003c/code\u003e, \u003ccode\u003e/lib64/ld-linux-x86-64.so.2\u003c/code\u003e, \u003ccode\u003e/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\u003c/code\u003e, or \u003ccode\u003e/usr/lib64/ld-linux-x86-64.so.2\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the original dynamic linker binary to inject malicious code or alter its functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a shared object (.so) file containing malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e file to include the path to the malicious shared object. This ensures that the malicious shared object is loaded by every program that uses the dynamic linker.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a program that relies on the dynamic linker, triggering the loading of the malicious shared object.\u003c/li\u003e\n\u003cli\u003eThe malicious shared object executes its payload, potentially leading to code execution, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious shared object continues to be loaded on system startup or during regular program execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack allows the attacker to achieve persistence on the compromised Linux system. This can lead to long-term control over the system, allowing the attacker to steal sensitive data, install backdoors, or use the system as a launching point for further attacks within the network. The Intezer report referenced in the brief highlights the use of this technique by the Orbit malware, demonstrating its real-world impact. The targeted sectors can be broad, depending on the attacker's objectives, and can include any organization relying on Linux systems for critical infrastructure or sensitive data storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;Dynamic Linker Copy and Shared Object Creation\u0026quot; Sigma rule to your SIEM to detect suspicious file copy operations and shared object creation activities.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e file modifications using a file integrity monitoring (FIM) system and correlate with process creation events related to \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ersync\u003c/code\u003e, and \u003ccode\u003emv\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to capture the full command executed by processes like \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ersync\u003c/code\u003e, and \u003ccode\u003emv\u003c/code\u003e. This will help identify cases where the dynamic linker is being targeted.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the involved processes, files, and user accounts to determine if malicious activity is present. Reference the investigation steps in the rule's \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of shared objects (.so files) in unusual directories and correlate these events with modifications to \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/","summary":"This brief outlines detection strategies for Linux systems where the dynamic linker binary is copied and a shared object file is created, a technique used by malware to inject malicious shared objects by patching the dynamic linker.","title":"Linux Dynamic Linker Copy and Shared Object Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/"}],"language":"en","title":"CraftedSignal Threat Feed - Dynamic-Linker","version":"https://jsonfeed.org/version/1.1"}