A new rootkit called LinkPro has been targeting GNU/Linux systems, using eBPF technology to hide malicious activities and evade detection. Discovered in a compromised AWS infrastructure, it spreads via vulnerable Jenkins servers and malicious Docker images. The malware provides attackers with remote access while masquerading as legitimate system components.
The LinkPro rootkit emerged as a sophisticated threat to GNU/Linux systems, leveraging extended Berkeley Packet Filter (eBPF) modules to conceal processes, files, and network activities. Synacktiv researchers uncovered it during a forensic investigation of a breached AWS-hosted setup, where it acted as a backdoor capable of remote activation through specific TCP magic packets.
The infection typically starts with an exposed Jenkins server vulnerable to CVE-2024-23897. Attackers then deploy a malicious Docker image named kvlnt/vv across Amazon EKS Kubernetes clusters. This image includes a VPN proxy, the vGet downloader malware, and the LinkPro rootkit itself. The container runs with root privileges and full filesystem access, which enables container escape and the harvesting of credentials from other pods.
Developed in Golang, LinkPro operates in two modes: a passive reverse mode that listens for commands after detecting a TCP SYN packet with a window size of 54321, and an active forward mode for direct command-and-control links. Its stealth relies on two eBPF modules. The Hide module intercepts system calls such as getdents and sys_bpf to obscure files, processes, and eBPF programs, while the Knock module uses XDP and TC for network manipulation, redirecting traffic to an internal port 2233 and rewriting headers to bypass firewalls.
For persistence, LinkPro masquerades as the systemd-resolved service, creating a fake unit file at /etc/systemd/system/systemd-resolved.service and placing its binary at /usr/lib/.system/.tmp~data.resolved with altered timestamps. If kernel support for CONFIG_BPF_KPROBE_OVERRIDE is absent, it falls back to hijacking the dynamic linker via /etc/ld.so.preload.
Once active, it offers interactive shells, file management, SOCKS5 proxying, and Base64-encoded file exfiltration over protocols like HTTP, WebSocket, TCP, UDP, and DNS, all encrypted with XOR. Organizations are advised to monitor suspicious systemd files and eBPF activity for detection.
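As an added example (not code from the Synacktiv write-up or from the article), the following script checks for the persistence artifacts and the knock signature named above: the unit-file override, the hidden binary path, entries in /etc/ld.so.preload, and a TCP SYN whose window size is 54321. The `root` parameter is an assumption so the scan can run against a mounted disk image or a test directory tree rather than the live root.

```python
"""Detection helpers for the LinkPro indicators described in the article.
Example code, not from the original write-up; paths and values are taken from the text."""
import struct
from pathlib import Path

# Persistence artifacts named in the write-up, relative to the filesystem root.
FAKE_UNIT = "etc/systemd/system/systemd-resolved.service"
HIDDEN_BINARY = "usr/lib/.system/.tmp~data.resolved"
LD_PRELOAD = "etc/ld.so.preload"
KNOCK_WINDOW = 54321  # TCP window size that activates the passive (reverse) mode


def scan_persistence(root="/"):
    """Return a list of findings for the file-based indicators under `root`.
    `root` is a parameter (assumption) so the scan can target an image or a test tree."""
    root = Path(root)
    findings = []
    if (root / FAKE_UNIT).exists():
        # The genuine unit ships under /lib/systemd or /usr/lib/systemd; a copy in
        # /etc/systemd/system overrides it and matches the rootkit's masquerade.
        findings.append(f"unit override present: /{FAKE_UNIT}")
    if (root / HIDDEN_BINARY).exists():
        findings.append(f"hidden binary present: /{HIDDEN_BINARY}")
    preload = root / LD_PRELOAD
    if preload.is_file():
        # ld.so.preload is normally absent or empty; any entry deserves review, and
        # it is LinkPro's fallback when CONFIG_BPF_KPROBE_OVERRIDE is unavailable.
        for line in preload.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                findings.append(f"ld.so.preload entry: {line}")
    return findings


def is_knock_packet(tcp_header: bytes) -> bool:
    """True if a raw TCP header is a SYN (without ACK) carrying the window LinkPro listens for."""
    if len(tcp_header) < 20:
        return False
    # TCP header: src port, dst port, seq, ack, data-offset/flags, window, checksum, urgent
    _, _, _, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp_header[:20])
    flags = off_flags & 0x01FF          # low 9 bits hold the control flags
    syn, ack = bool(flags & 0x002), bool(flags & 0x010)
    return syn and not ack and window == KNOCK_WINDOW


def sample_tcp_header(window: int, flags: int = 0x002) -> bytes:
    """Build a constructed 20-byte TCP header (sample input for tests, not captured traffic)."""
    return struct.pack("!HHIIHHHH", 40000, 22, 1, 0, (5 << 12) | flags, window, 0, 0)
```

Run `scan_persistence()` with no argument on a live host, or point it at the mount point of a disk image taken from a suspect system.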