Stealth Innovation: LinkPro Linux Rootkit Hides via eBPF and Activates with Magic TCP Packet on Kubernetes Nodes
Synacktiv researchers have documented a novel GNU/Linux rootkit, LinkPro, uncovered during an investigation into an AWS infrastructure compromise. The intrusion began with exploitation of a vulnerable Jenkins server, after which the threat actors deployed a malicious Docker image to Kubernetes clusters. Ultimately, the compromised hosts were seeded with a VShell backdoor and the LinkPro rootkit, which cloaks itself via eBPF and is triggered by a bespoke TCP packet.
The initial foothold was an exposed Jenkins instance afflicted by CVE-2024-23897. Once the attackers gained access to nodes, they launched the Docker image kvlnt/vv—a Kali Linux–based image that contained three components under an app directory: a start.sh script to launch SSH and configure the environment; a binary named link (an open-source vnt tool acting as a VPN-style proxy that connects to vnt.wherewego[.]top:29872); and a loader called app—the Rust tool vGet—which fetches an encrypted VShell payload from S3 and communicates with a command server over WebSocket at 56.155.98[.]37.
Concurrently, a dropper delivered an additional VShell copy and the LinkPro rootkit—implemented in Go—to the Kubernetes nodes. LinkPro operates in two distinct modes: a passive (reverse) mode, in which it awaits an external trigger, and an active (forward) mode, where it initiates outbound connections. In active mode it supports HTTP, WebSocket, UDP, TCP and DNS transports; in passive mode it accepts only HTTP.
Its stealth is driven by an eBPF module named Hide, which monitors system events and conceals processes and network activity. If Hide cannot be installed, LinkPro falls back to a user-space interception technique by writing libld.so into /etc/ld.so.preload to hook system calls. Activation of the passive channel is managed by a second eBPF component, Knock, which leverages XDP and TC.
Knock watches for a “magic” TCP packet characterized by a TCP window size of 54321. Upon receipt, the module records the source IP and grants it an hour of privileged access. During that window, inbound traffic from that IP is redirected to port 2333, where LinkPro listens, while outbound responses are forged to appear as if originating from port 2233. This technique allows the adversary to tunnel through permitted ports and complicates correlation of logs.
For persistence, LinkPro installs a systemd service; upon termination via SIGHUP, SIGINT, or SIGTERM, it gracefully removes its eBPF modules, restores /etc/libld.so, and erases traces. The backdoor can spawn an interactive /bin/bash PTY, execute arbitrary commands, manipulate files and directories, exfiltrate data, and establish a SOCKS5 tunnel. On kernels built with CONFIG_BPF_KPROBE_OVERRIDE, the rootkit further intercepts getdents to hide files and sys_bpf to cloak its eBPF programs.
The fusion of eBPF-based stealth, magic-packet activation, and port masquerading renders LinkPro a formidable adversary against conventional monitoring: externally visible logs often point to an innocuous, permitted service while command-and-control persists over a concealed channel. Defending cloud-native Kubernetes environments therefore demands strict controls over eBPF program loading on nodes, integrity checks of /etc/ld.so.preload, vigilant monitoring of systemd services, and scrutiny for anomalous TCP window values.
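As an added example (not code from Synacktiv's report or from LinkPro itself), the following Python parses raw IPv4/TCP packets and flags any whose TCP window field equals the 54321 value the Knock module watches for; the packets it scans are constructed inline and the assumption is that captures are handed over as bare IPv4 packets without a link-layer header.

```python
import struct

MAGIC_WINDOW = 54321  # TCP window value that activates LinkPro's Knock module

def build_ipv4_tcp(src, dst, sport, dport, window, flags=0x02):
    """Build a minimal IPv4+TCP SYN (constructed test input; checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          window, 0, 0)
    return ip_hdr + tcp_hdr

def parse_tcp_window(packet):
    """Return (src_ip, dst_ip, sport, dport, window) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 == TCP
        return None
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]  # window sits at TCP offset 14
    return src, dst, sport, dport, window

def find_magic_window_packets(packets, magic=MAGIC_WINDOW):
    """Return parsed tuples for every TCP packet carrying the magic window value."""
    hits = []
    for packet in packets:
        parsed = parse_tcp_window(packet)
        if parsed and parsed[4] == magic:
            hits.append(parsed)
    return hits

# Constructed sample traffic: two ordinary SYNs and one knock with window 54321.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 443, 65535),
    build_ipv4_tcp("10.0.0.7", "10.0.0.9", 40001, 22, 29200),
    build_ipv4_tcp("198.51.100.23", "10.0.0.9", 40002, 80, MAGIC_WINDOW),
]

if __name__ == "__main__":
    for src, dst, sport, dport, window in find_magic_window_packets(SAMPLE_PACKETS):
        print(f"knock candidate: {src}:{sport} -> {dst}:{dport} window={window}")
```

A window of 54321 can occur in ordinary traffic, so treat a hit as a pivot for checking the node's loaded eBPF programs and /etc/ld.so.preload rather than as proof on its own.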