Intezer Labs has identified OrBit, a piece of malware targeting Linux computers. Antivirus tools detect it poorly, which in practice makes it almost impossible to spot.
OrBit infects processes running on the system and steals sensitive data. Intezer Labs specialists explained how OrBit works: the malware sets the LD_PRELOAD environment variable, intercepts function calls and controls library loading, which lets it capture commands entered in the terminal and collect logins and passwords from the compromised system. Attackers can then access this data remotely over a compromised SSH connection.
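Because the mechanism described above rests on the dynamic loader honouring LD_PRELOAD, a defender can audit for it directly. The following script is an added example written for this article, not code from Intezer Labs or from the OrBit report: it parses the NUL-separated `/proc/<pid>/environ` blob of every process for an LD_PRELOAD variable, also checks `/etc/ld.so.preload` (the loader's file-based equivalent of the variable, which any LD_PRELOAD audit should cover), and flags any preloaded library that does not live in an expected system library directory. The allow-list `EXPECTED_PRELOAD_DIRS` and the sample data are constructed assumptions for illustration.

```python
"""Audit a Linux host for LD_PRELOAD-style library injection.

Added example, not part of the Intezer report. Checks two loader inputs:
  - the LD_PRELOAD variable in each process environment (/proc/<pid>/environ)
  - the system-wide /etc/ld.so.preload file
and reports preloaded libraries outside an allow-list of expected directories.
"""
from pathlib import Path
from typing import Iterable

# Assumption: preloaded libraries are only expected from these system paths.
# Tune this list for your own distribution and tooling.
EXPECTED_PRELOAD_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")


def parse_environ(raw: bytes) -> dict[str, str]:
    """Parse the NUL-separated KEY=VALUE blob read from /proc/<pid>/environ."""
    env: dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_entries(value: str) -> list[str]:
    """Split an LD_PRELOAD value (or an ld.so.preload line) into library paths.

    The dynamic loader accepts both colons and whitespace as separators."""
    return [p for p in value.replace(":", " ").split() if p]


def suspicious_preloads(paths: Iterable[str]) -> list[str]:
    """Return the paths that are not inside an expected library directory.

    Bare names and $LIB/$ORIGIN tokens are resolved by the loader at run time,
    so they are flagged as well rather than silently trusted."""
    flagged = []
    for p in paths:
        if not p.startswith("/"):
            flagged.append(p)
        elif not any(p.startswith(d + "/") for d in EXPECTED_PRELOAD_DIRS):
            flagged.append(p)
    return flagged


def audit_environ_blob(pid: int, raw: bytes) -> list[tuple[int, str]]:
    """Flag unexpected LD_PRELOAD libraries in one process environment."""
    env = parse_environ(raw)
    if "LD_PRELOAD" not in env:
        return []
    return [(pid, p) for p in suspicious_preloads(preload_entries(env["LD_PRELOAD"]))]


def audit_ld_so_preload(text: str) -> list[str]:
    """Flag unexpected entries in /etc/ld.so.preload; skips blanks and comments."""
    paths: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.extend(preload_entries(line))
    return suspicious_preloads(paths)


def audit_live_system(proc_root: str = "/proc",
                      preload_file: str = "/etc/ld.so.preload") -> list[tuple[int, str]]:
    """Walk /proc and the preload file on the running host.

    Findings from /etc/ld.so.preload are reported with pid 0. Processes we may
    not read (other users' environ without root) or that exit mid-scan are skipped."""
    findings: list[tuple[int, str]] = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "environ").read_bytes()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        findings.extend(audit_environ_blob(int(entry.name), raw))
    preload = Path(preload_file)
    if preload.exists():
        findings.extend((0, p) for p in audit_ld_so_preload(preload.read_text()))
    return findings


# Constructed sample inputs: one process environment with a library preloaded
# from /tmp beside a legitimate one, and a preload file with one stray entry.
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0"
                  b"LD_PRELOAD=/tmp/.x/libx.so /usr/lib/libfoo.so\0"
                  b"HOME=/root\0")
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/usr/lib64/libsafe.so\n/dev/shm/libhook.so\n"

if __name__ == "__main__":
    print("sample environ:", audit_environ_blob(4242, SAMPLE_ENVIRON))
    print("sample ld.so.preload:", audit_ld_so_preload(SAMPLE_LD_SO_PRELOAD))
    for pid, path in audit_live_system():
        print(f"pid {pid}: unexpected preloaded library {path}")
```

Run as root to read every process's environment; as an unprivileged user the script still covers your own processes and `/etc/ld.so.preload`. A hit is a lead, not a verdict: legitimate tooling (sanitizers, profilers, some backup agents) also uses LD_PRELOAD, so pair the output with a check of the flagged file's owner, timestamps and package ownership before acting on it.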
OrBit has one feature that distinguishes it from other malware and makes it exceptionally hard to catch. It stores the stolen sensitive data on the device itself, so security tools never see that data leaving for a third-party server. In addition, it hooks into many libraries, which makes it look like part of the system, tightly bound to the system's normal functions.
Antivirus vendors have only recently become aware of OrBit, so only some products with the most recent signature databases detect it. Experts noted that cybercriminals have recently begun to pay much more attention to Linux. For example, a few weeks ago the Symbiote malware was discovered, which also abuses the LD_PRELOAD environment variable to infect and attack systems. In addition, BPFDoor (known under various names) was found, which camouflaged itself so well that for about five years it escaped the attention of information security experts and went undetected by security systems the whole time.