Full Report
An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv. "This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely
Analysis Summary
# Tool/Technique: LinkPro Linux Rootkit
## Overview
LinkPro is a newly discovered GNU/Linux rootkit found during the investigation of an Amazon Web Services (AWS)-hosted infrastructure compromise. Its primary function is to establish persistence, hide its presence and related malicious activity (processes/network traffic), and receive remote commands, leveraging eBPF technology for stealth.
## Technical Details
- Type: Malware (Rootkit)
- Platform: GNU/Linux, targeted Kubernetes clusters
- Capabilities: Process and network hiding via eBPF, remote activation via specific TCP packets, persistence via systemd service, C2 communication relaying via embedded VPN/proxy components.
- First Seen: Research reported Oct 16, 2025
## MITRE ATT&CK Mapping
This summary focuses on the observed behaviors associated with the LinkPro rootkit:
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Systemd Service
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1070.006 - Indicator Removal on Host: File Deletion
- T1218 - Signed Binary Proxy Execution (Via use of system binaries or shared library manipulation)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/WebSocket)
- T1071.004 - Application Layer Protocol: DNS
- T1105 - Ingress Tool Transfer (via vGet downloader)
*(Note: Direct eBPF manipulation for hiding is highly specific and may fall under T1027 or T1020 - Automated Collection, depending on the specific kernel hooks used, but is functionally a sophisticated defense evasion method.)*
## Functionality
### Core Capabilities
- **Stealth Implementation:** Installs an eBPF "Hide" module using Tracepoint and Kretprobe programs to conceal its running processes and network communications from standard enumeration tools.
- **Persistence:** Establishes persistence through the creation or modification of a systemd service.
- **Artifact Hiding:** Modifies `/etc/ld.so.preload` to load `libld.so` into every dynamically linked process. This library hooks libc functions and filters the results they return, preventing tools like `ls` from revealing the rootkit's files.
- **Remote Activation:** Can be configured to only activate/listen for C2 commands upon receiving a specially crafted "magic packet" (TCP packet with Window Size value of 54321).
### Advanced Features
- **Dual Operational Modes:**
* **Reverse Mode (Passive):** Only listens for commands from the C2 server after receiving the magic packet. Communication is restricted to **HTTP**. It installs the eBPF "Knock" module (using XDP and TC BPF programs) to monitor for the magic packet.
* **Forward Mode (Active):** Initiates contact with the C2 server proactively. Supports multiple protocols: HTTP, WebSocket, UDP, TCP, and DNS.
- **Payload Delivery Chain:** In the observed infection chain, it downloads an encrypted VShell payload from an S3 bucket via a Rust-based downloader (`vGet`), which then communicates with its own C2.
- **Interruption Handling:** Upon receiving an interruption signal (SIGHUP, SIGINT, SIGTERM), the rootkit attempts to clean up after itself by uninstalling the eBPF modules and restoring the original `/etc/ld.so.preload`.
- **Proxy Relay:** The initial stage of infection included deploying VNT (a VPN server) to allow attackers to proxy connections to other servers.
## Indicators of Compromise
Most IoCs in the source material are historical or belong to the chain *leading up to* LinkPro execution (such as the Docker image and earlier-stage C2s); the primary IoCs below are limited to the described LinkPro activity:
- File Hashes: [Not specified in the provided text.]
- File Names: `libld.so`, `start.sh` (within the initial Docker image context), `app` (downloader).
- Registry Keys: [Not applicable for typical Linux rootkit context, persistence is file/service-based.]
- Network Indicators:
* C2 IP: `56.155.98[.]37` (Communicates over WebSocket)
* Initial VNT C2: `vnt.wherewego[.]top:29872` (Used for initial proxy setup from the Docker image)
- Behavioral Indicators:
* Systemd service creation/modification for persistence.
* Modification of `/etc/ld.so.preload`.
* **Network Trigger:** Receipt of TCP packets with a Window Size of `54321`.
* eBPF module loading (Tracepoint, Kretprobe, XDP, TC types).
## Associated Threat Actors
- The specific threat actor utilizing LinkPro is not named, but the infection stemmed from exploiting CVE-2024-23897 on a Jenkins server, leading to the deployment of the malicious Docker Hub image `kvlnt/vv`.
## Detection Methods
- Signature-based detection: Primarily focused on the unique structure of the eBPF modules or the known C2 IP/domains.
- Behavioral detection: Monitor modification of `/etc/ld.so.preload`, installation of systemd services unrelated to legitimate system updates, and unusual use of eBPF hooks (especially Kretprobe/Tracepoint) that could hide activity. Add a specific detection for inbound TCP packets whose Window Size is 54321.
- YARA rules: Could be created for the Go-compiled rootkit files or the embedded `libld.so`.
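As an added illustration of the two behavioral checks above (example code, not from the Synacktiv report or the LinkPro sample itself): one function parses a raw IPv4/TCP packet and flags the 54321 window-size trigger, the other flags `/etc/ld.so.preload` entries that are not on an allowlist. The allowlist, the test packet and the preload content are constructed for this example.

```python
import struct

MAGIC_WINDOW = 54321  # TCP window-size trigger used by LinkPro's "Knock" module

# Libraries legitimately permitted in /etc/ld.so.preload. Constructed for this
# example; on most hosts the file should be empty or absent, so the set is empty.
PRELOAD_ALLOWLIST: set = set()


def tcp_window_from_ipv4_packet(pkt: bytes):
    """Return the TCP window size of a raw IPv4/TCP packet, or None if not TCP."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 == TCP
        return None
    # TCP header layout: src(2) dst(2) seq(4) ack(4) offset/flags(2) window(2) ...
    return struct.unpack_from("!H", pkt, ihl + 14)[0]


def is_magic_packet(pkt: bytes) -> bool:
    """True when the packet carries the LinkPro activation window size."""
    return tcp_window_from_ipv4_packet(pkt) == MAGIC_WINDOW


def suspicious_preload_entries(preload_text: str) -> list:
    """Return ld.so.preload entries that are not on the allowlist."""
    entries = [line.strip() for line in preload_text.splitlines()]
    return [e for e in entries
            if e and not e.startswith("#") and e not in PRELOAD_ALLOWLIST]


def check_host_preload(path: str = "/etc/ld.so.preload") -> list:
    """Read the live preload file (if any) and return unexpected entries."""
    try:
        with open(path, encoding="utf-8") as fh:
            return suspicious_preload_entries(fh.read())
    except FileNotFoundError:
        return []


def build_ipv4_tcp(window: int) -> bytes:
    """Construct a minimal IPv4+TCP SYN for testing (sample data, not captured traffic)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr
```

In a sensor you would feed `is_magic_packet` each ingress packet and run `check_host_preload` periodically, alerting on any non-empty result.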
## Mitigation Strategies
- **Vulnerability Management:** Patching high-severity vulnerabilities like CVE-2024-23897 immediately.
- **Container Security:** Implement strict scanning and provenance checks for artifacts pulled from container registries (e.g., Docker Hub). Prevent containers from running as root or with privileged capabilities if not strictly necessary.
- **Kernel Monitoring:** Advanced EDR or kernel monitoring solutions capable of detecting the loading of custom eBPF modules or suspicious kernel function hooking (T1027).
- **Network Monitoring:** Configure ingress monitoring to alert on anomalous TCP packets, specifically those whose TCP window size field is set to a fixed trigger value such as 54321.
- **Principle of Least Privilege:** Regularly audit systemd services and ensure that only authorized modifications are made to critical configuration files like `/etc/ld.so.preload`.
## Related Tools/Techniques
- **VShell Payload:** Related to other malware delivered via malicious infrastructure compromises.
- **eBPF Rootkits:** Similar in concept to previous eBPF-based malware like BPFDoor.
- **LD_PRELOAD Hooking:** Classic defense evasion technique, similar to how older variants of Stuxnet or various Linux backdoors operated by exploiting `LD_PRELOAD`.