<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Shared-Object - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/shared-object/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/shared-object/feed.xml" rel="self" type="application/rss+xml"/><item><title>Linux Dynamic Linker Copy and Shared Object Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/</guid><description>This brief outlines detection strategies for Linux systems where the dynamic linker binary is copied and a shared object file is created, a technique used by malware to inject malicious shared objects by patching the dynamic linker.</description><content:encoded><![CDATA[<p>This brief addresses a persistence technique where attackers copy the Linux dynamic linker binary (ld-linux-x86-64.so.2) and subsequently create or modify shared object files (.so), often after modifying <code>/etc/ld.so.preload</code>.  This activity has been observed in Linux malware campaigns, where attackers aim to inject and preload malicious shared objects.  The dynamic linker is a crucial component for loading shared libraries, making it a valuable target for attackers seeking to establish persistence and execute malicious code. Recent malware, such as Orbit, has used this technique, making it critical to detect this behavior. The detection focuses on identifying processes involved in copying the dynamic linker, modifications to <code>/etc/ld.so.preload</code>, and the creation of suspicious shared object files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux system, possibly through exploitation of a vulnerability or compromised credentials.</li>
<li>The attacker uses <code>cp</code>, <code>rsync</code>, or <code>mv</code> to create a backup copy of the dynamic linker (<code>/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</code>, <code>/lib64/ld-linux-x86-64.so.2</code>, <code>/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</code>, or <code>/usr/lib64/ld-linux-x86-64.so.2</code>).</li>
<li>The attacker modifies the original dynamic linker binary to inject malicious code or alter its functionality.</li>
<li>The attacker creates or modifies a shared object (.so) file containing malicious code.</li>
<li>The attacker modifies the <code>/etc/ld.so.preload</code> file to include the path to the malicious shared object. This ensures that the malicious shared object is loaded by every program that uses the dynamic linker.</li>
<li>The attacker executes a program that relies on the dynamic linker, triggering the loading of the malicious shared object.</li>
<li>The malicious shared object executes its payload, potentially leading to code execution, privilege escalation, or data exfiltration.</li>
<li>The attacker maintains persistence by ensuring the malicious shared object continues to be loaded on system startup or during regular program execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of this attack allows the attacker to achieve persistence on the compromised Linux system. This can lead to long-term control over the system, allowing the attacker to steal sensitive data, install backdoors, or use the system as a launching point for further attacks within the network. The Intezer report referenced in the brief highlights the use of this technique by the Orbit malware, demonstrating its real-world impact. The targeted sectors can be broad, depending on the attacker's objectives, and can include any organization relying on Linux systems for critical infrastructure or sensitive data storage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;Dynamic Linker Copy and Shared Object Creation&quot; Sigma rule to your SIEM to detect suspicious file copy operations and shared object creation activities.</li>
<li>Monitor <code>/etc/ld.so.preload</code> file modifications using a file integrity monitoring (FIM) system and correlate with process creation events related to <code>cp</code>, <code>rsync</code>, and <code>mv</code>.</li>
<li>Enable process monitoring with command-line argument logging to capture the full command executed by processes like <code>cp</code>, <code>rsync</code>, and <code>mv</code>. This will help identify cases where the dynamic linker is being targeted.</li>
<li>Investigate any alerts triggered by the Sigma rule and analyze the involved processes, files, and user accounts to determine if malicious activity is present. Reference the investigation steps in the rule's <code>note</code> field.</li>
<li>Monitor for the creation of shared objects (.so files) in unusual directories and correlate these events with modifications to <code>/etc/ld.so.preload</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>persistence</category><category>linux</category><category>dynamic-linker</category><category>shared-object</category></item></channel></rss>