Mallory

LinkPro eBPF Rootkit Deployment in AWS and Linux Environments

Updated October 15, 2025 at 03:01 PM (2 sources)

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

A sophisticated cyberattack targeted AWS-hosted infrastructure, specifically exploiting a vulnerable Jenkins server to gain initial access. The attackers leveraged CVE-2024-238976 to move laterally into AWS Elastic Kubernetes Service (EKS) clusters, where they deployed a malicious Docker image named kvlnt/vv. This image contained a Rust-based downloader, vGet, which was used to retrieve an encrypted vShell backdoor payload from an Amazon S3 bucket. The threat actors achieved persistence and escalated privileges by exploiting container escape vulnerabilities, particularly through host filesystem mounts.

Once inside the environment, the attackers installed the LinkPro rootkit, a Golang-based malware designed for GNU/Linux systems. LinkPro embeds four ELF binaries, including two eBPF modules called 'Hide' and 'Knock', a shared library (libld.so), and an unused kernel module (arp_diag.ko). The Hide module uses tracepoint and kretprobe hooks on getdents and sys_bpf to conceal files, processes, and its own BPF maps, effectively evading detection by tools such as bpftool. The Knock module listens for specially crafted TCP 'magic packets' (SYN packets with a window size of 54321) to activate its command and control (C2) listener, redirecting traffic to a hidden port (2233) and bypassing firewalls and log monitoring.

If eBPF is unavailable due to kernel restrictions, LinkPro falls back to the LD_PRELOAD technique, installing a malicious shared library to hook libc functions and hide its presence in user space. Persistence is further maintained by masquerading as systemd-resolved, creating deceptive files and unit configurations to blend in with legitimate system processes. Once operational, LinkPro provides attackers with full remote shell access, file manipulation capabilities, SOCKS5 proxy tunneling, and DNS/HTTP-based C2 communications.
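The Knock module's activation condition (a TCP SYN with a window size of 54321) is a concrete, network-visible indicator. The following detector is an added example written for this summary, not code from the original report or from LinkPro; it parses raw IPv4/TCP frames and flags pure SYN segments carrying that window value. The addresses and port numbers in the sample packets are constructed; only the window size 54321 comes from the report.

```python
"""Flag LinkPro-style 'magic packet' triggers: TCP SYN with window size 54321.

Added example (not from the original report or the malware). Parses raw IPv4/TCP
frames; the sample capture below is constructed inline so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MAGIC_WINDOW = 54321      # SYN window size the report identifies as the Knock trigger
TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class Alert:
    src: str
    dst: str
    sport: int
    dport: int
    window: int


def _pack_ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _unpack_ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int, window: int) -> bytes:
    """Constructed test traffic: minimal IPv4 + TCP headers, no options, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _pack_ipv4(src), _pack_ipv4(dst))
    return ip + tcp


def inspect(packet: bytes) -> Optional[Alert]:
    """Return an Alert for a pure SYN (SYN set, ACK clear) whose window equals MAGIC_WINDOW."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                                 # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4                    # IP header length honours options
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None                                 # truncated TCP header
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    if flags & TCP_SYN and not flags & TCP_ACK and window == MAGIC_WINDOW:
        return Alert(_unpack_ipv4(packet[12:16]), _unpack_ipv4(packet[16:20]),
                     sport, dport, window)
    return None


def scan(packets) -> List[Alert]:
    """Run inspect() over a sequence of frames and keep the hits."""
    return [alert for alert in map(inspect, packets) if alert is not None]


# Constructed sample capture: one trigger among ordinary segments.
SAMPLE_PACKETS = [
    build_tcp_packet("198.51.100.7", "10.0.0.5", 40000, 80, TCP_SYN, MAGIC_WINDOW),           # trigger
    build_tcp_packet("198.51.100.7", "10.0.0.5", 40001, 80, TCP_SYN, 65535),                  # normal SYN
    build_tcp_packet("10.0.0.5", "198.51.100.7", 80, 40001, TCP_SYN | TCP_ACK, MAGIC_WINDOW),  # SYN/ACK
    build_tcp_packet("198.51.100.7", "10.0.0.5", 40002, 443, TCP_ACK, MAGIC_WINDOW),          # established
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(f"magic SYN {alert.src}:{alert.sport} -> {alert.dst}:{alert.dport} "
              f"window={alert.window}")
```

In practice the frames would come from a pcap or a span port rather than the constructed list, and the same condition maps directly onto a Suricata/Snort signature using `flags:S;` and `window:54321;`. Because the Knock hook answers on whatever port the packet arrives at before redirecting to 2233, matching on the window value rather than a destination port is what makes the rule useful.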
The infection chain demonstrates advanced techniques for both initial compromise and stealthy long-term access, including the use of encrypted payloads, container escape, and kernel-level rootkit functionality. The campaign highlights the growing abuse of eBPF technology by threat actors to evade traditional security controls and maintain covert access to cloud and Linux environments. Indicators of compromise and YARA rules have been published to aid in detection and response. The incident underscores the importance of securing CI/CD pipelines, monitoring for unusual container activity, and hardening Linux kernel configurations against eBPF abuse. No definitive attribution has been made regarding the threat actors behind this campaign. The attack serves as a warning for organizations leveraging cloud-native technologies and underscores the need for robust monitoring and incident response capabilities.
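The three hiding mechanisms named above (a getdents hook that filters directory listings, the LD_PRELOAD fallback via libld.so, and a process masquerading as systemd-resolved) each leave a seam that a host check can pull on. The script below is an added example written for this summary, not tooling from the report or any vendor: it compares the /proc directory listing against direct stat() probes (which never pass through getdents), parses /etc/ld.so.preload, and flags any "systemd-resolved" whose executable is not where the real daemon lives. The `RESOLVED_EXE_DIRS` locations and all sample data (PIDs, the `/tmp/.cache/...` path) are assumptions constructed for the demo.

```python
"""Host-side checks for the LinkPro hiding mechanisms. Added example, not the
report's or the malware's code. live_* functions run on a real Linux host;
the pure functions are exercised on the constructed samples at the bottom."""
import os
import re
from typing import Iterable, List, Sequence, Tuple

# Assumed install locations of the genuine systemd-resolved binary on common distributions.
RESOLVED_EXE_DIRS = ("/usr/lib/systemd", "/lib/systemd")


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """PIDs reachable by a direct stat() of /proc/<pid> but absent from the listing.
    A getdents hook filters the listing; stat() does not go through getdents."""
    return sorted(set(probed) - set(listed))


def _tgid(pid: int):
    """Thread-group id from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def live_listed_pids() -> set:
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def live_probed_pids(pid_max: int = None) -> set:
    """Probe every candidate pid directly. Threads also answer at /proc/<tid>, so keep
    only thread-group leaders or every thread would look like a hidden process."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(f"/proc/{pid}/stat") and _tgid(pid) == pid}


def parse_ld_preload(text: str) -> List[str]:
    """Library paths from /etc/ld.so.preload: whitespace- or colon-separated, '#' comments.
    The LD_PRELOAD fallback described in the report plants libld.so through this file."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(part for part in re.split(r"[\s:]+", line) if part)
    return libs


def suspicious_preloads(libs: Sequence[str], allowlist: Sequence[str] = ()) -> List[str]:
    """Any preload outside an explicit allow-list; most servers should have none."""
    return [lib for lib in libs if lib not in allowlist]


def masquerading_resolved(procs: Iterable[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """(pid, exe) for processes named systemd-resolved whose binary is not in RESOLVED_EXE_DIRS."""
    return [(pid, exe) for pid, comm, exe in procs
            if comm == "systemd-resolved" and os.path.dirname(exe) not in RESOLVED_EXE_DIRS]


def live_procs() -> List[Tuple[int, str, str]]:
    """(pid, comm, exe) for each listed process; exe is '' for kernel threads or denied links."""
    out = []
    for pid in live_listed_pids():
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe") if os.path.exists(f"/proc/{pid}/exe") else ""
        except OSError:
            continue
        out.append((pid, comm, exe))
    return out


# Constructed samples standing in for a compromised host.
SAMPLE_LISTED = [1, 2, 3, 500, 501]
SAMPLE_PROBED = [1, 2, 3, 500, 501, 777]           # 777 answers stat() but is not listed
SAMPLE_PRELOAD = "# constructed /etc/ld.so.preload\n/usr/lib/libld.so\n"
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (321, "systemd-resolved", "/usr/lib/systemd/systemd-resolved"),
    (777, "systemd-resolved", "/tmp/.cache/systemd-resolved"),   # impostor (constructed)
]

if __name__ == "__main__":
    print("hidden pids:", hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED))
    print("preloads:", suspicious_preloads(parse_ld_preload(SAMPLE_PRELOAD)))
    print("impostors:", masquerading_resolved(SAMPLE_PROCS))
```

On a live host, run `hidden_pids(live_listed_pids(), live_probed_pids())` and `masquerading_resolved(live_procs())` from a trusted binary; if the LD_PRELOAD fallback is active, the hooked libc inside that same process may lie about directory contents, so a statically linked checker or a check from a rescue environment is more reliable. Note that the eBPF Hide module also conceals its own BPF maps from bpftool, so an empty bpftool listing is not evidence of a clean kernel.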

Sources

October 14, 2025 at 12:00 AM
October 14, 2025 at 12:00 AM

Related Stories

Linux Cloud Threats: eBPF/io_uring Rootkits and VoidLink Malware Targeting Containers

Security research highlighted a continued shift in attacker tradecraft toward **Linux cloud and container environments**, with stealth-focused malware increasingly abusing modern kernel capabilities. Elastic Security Labs documented the evolution of Linux rootkits from userland hijacking and LKM implants to newer generations that leverage **eBPF** and **io_uring** for stealth and evasion, citing examples including **TripleCross**, **Boopkit**, and **RingReaper**. Separately, reporting on **VoidLink** described a cloud-native malware framework designed to operate inside Linux workloads, detect whether it is running in major cloud providers and in **Docker/Kubernetes**, and adapt its behavior to remain persistent while harvesting sensitive material such as cloud metadata and credentials. Operationally, the same kernel features and observability gaps being leveraged by attackers are also driving defensive tooling improvements. Trail of Bits released *mquire*, an open-source Linux memory forensics tool intended to reduce dependency on external debug symbols by extracting structure and symbol information directly from memory using **BPF Type Format (BTF)** and **Kallsyms** (e.g., `/proc/kallsyms`-style data), then exposing findings through an interactive **SQL** query interface. While *mquire* is not tied to a single named campaign, it is directly relevant to investigating advanced Linux threats (including kernel-level implants and stealthy cloud malware) by enabling more reliable post-compromise analysis of Linux memory dumps across kernel versions.

1 week ago
Check Point Uncovers VoidLink Modular Linux Malware Targeting Cloud and Container Environments

Check Point Research reported a newly identified, highly modular Linux malware framework dubbed **VoidLink**, designed for long-term, stealthy control of Linux servers and containerized infrastructure. The framework is described as “cloud-first,” with a professional operator ecosystem that includes a web-based management dashboard and a custom plugin architecture (reported as inspired by Cobalt Strike’s BOF model) that allows capabilities to be added or removed as campaign objectives change. Reporting indicates VoidLink ships with **30+ modules/plugins** spanning reconnaissance, credential theft, privilege escalation, lateral movement, and anti-forensics (including log wiping), and it can adapt its behavior based on the environment to reduce detection risk. VoidLink is positioned as a direct threat to enterprise cloud workloads, with functionality to identify whether an infected host is running in major public cloud providers by querying instance metadata via provider APIs (including **AWS, Azure, GCP, Alibaba Cloud, and Tencent Cloud**, with indications of planned expansion to additional providers). Both accounts emphasize that the breadth and engineering quality are atypical for Linux malware and align more with “professional” threat actor tradecraft, reflecting increased attacker focus on **Linux servers, Kubernetes clusters, and Docker/containerized environments** that underpin modern enterprise deployments.

2 months ago
VoidLink Linux Rootkit Framework Uses Server-Side Kernel Compilation and AI-Assisted Development

**VoidLink** is an emerging Linux malware/rootkit framework targeting cloud environments, described by researchers as a step-change in rootkit portability and development velocity. Reporting attributes the framework to a Chinese-speaking developer and highlights a staged infection chain that starts with a small **Zig** dropper to establish C2, followed by downloading larger components **in-memory** to reduce on-disk artifacts. Analysis notes multiple evasion and environment-awareness features, including checks for major endpoint security products (e.g., **CrowdStrike**, **SentinelOne**, **Carbon Black**) and behavior changes when defenses are detected. Check Point Research assessed VoidLink as one of the first clearly evidenced cases of an **advanced AI-generated malware framework**, citing OPSEC failures that exposed development artifacts indicating the malware was authored predominantly via AI under the direction of a single operator. The actor reportedly used a “**Spec Driven Development (SDD)**” approach—having an AI model generate structured plans, specifications, and sprint-like deliverables that were then used as an execution blueprint—enabling rapid iteration to a functional implant in under a week. Technical reporting also emphasizes VoidLink’s use of kernel-level techniques (e.g., **LKM** and **eBPF**) and an architecture designed to overcome Linux kernel version portability constraints, including **server-side kernel compilation** to tailor components to victim environments.

1 month ago
