It also deploys a Pluggable Authentication Module (PAM) backdoor to harvest credentials, and gathers extensive system information, including clipboard contents, SSH keys, and browser profiles.

QLNX contains two PAM backdoor implementations: the first harvests plaintext credentials from authentication events, contains a master password bypass, and logs outbound SSH session data; the second loads into dynamically linked processes to extract the service name, username, and authentication token.

The malware contains a two-tier rootkit architecture, deploying userspace hooks through the LD_PRELOAD shared library, which also enables persistence, along with an eBPF rootkit controller that manages kernel-level BPF maps.

“This component does not contain the kernel-side eBPF program itself. Its role is limited to creating and managing BPF maps — kernel data structures designed to hold the list of items that should be hidden from the system. Upon receiving instructions from the C&C server, the implant leverages the Linux kernel’s BPF subsystem to conceal processes, files, and network ports from standard userland tools,” Trend Micro explains.

QLNX can achieve persistence in six different ways, using crontab entries, desktop entries, init scripts, service files, and shell lines, based on commands received from the operator, and can deploy several methods on the same system.

The malware supports 58 distinct commands, allowing attackers to interact with shells, enumerate and manipulate files and processes, create directories, download and upload files, reboot or shut down the system, open URLs, display notifications, open TCP sockets, harvest sensitive information, capture the screen, log keystrokes, and use SSH credentials to execute commands on remote hosts.

“The QLNX implant was built for long-term stealth and credential theft. What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most,” Trend Micro notes.
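The surfaces the article names, an LD_PRELOAD library that doubles as persistence, tampered PAM modules, and processes hidden from userland tools, are also the places a defender can check. The POSIX shell helpers below are an added example written for this page, not code from Trend Micro or from the QLNX sample; every path, file name and environment variable in them is an assumption (the PAM module directory in particular varies by distribution), and none is an indicator taken from the report. Each check takes its inputs as parameters so it can run against a live host or against a constructed fixture.

```shell
#!/bin/sh
# Host audit helpers for the surfaces described above. Paths are
# parameters; the defaults in run_live_audit are assumptions, not
# indicators from the Trend Micro report.

# 1. LD_PRELOAD persistence: print every library listed in an
#    ld.so.preload-style file that is not on an allowlist
#    (one path per line). No output means nothing unexpected.
check_preload() {
    preload_file="$1"; allow_file="$2"
    [ -f "$preload_file" ] || return 0
    grep -v '^[[:space:]]*#' "$preload_file" | grep -v '^[[:space:]]*$' |
    while IFS= read -r lib; do
        grep -qxF -- "$lib" "$allow_file" || echo "$lib"
    done
}

# 2. PAM backdoor: compare each module in a PAM directory against a
#    baseline produced earlier on a known-good host with
#    `cd <pam_dir> && sha256sum *.so > baseline`. Reports
#    "MODIFIED <name>" for hash mismatches and "UNKNOWN <name>" for
#    modules absent from the baseline.
check_pam_modules() {
    pam_dir="$1"; baseline="$2"
    for so in "$pam_dir"/*.so; do
        [ -e "$so" ] || continue
        name=$(basename "$so")
        have=$(sha256sum "$so" | cut -d' ' -f1)
        want=$(awk -v n="$name" '$2 == n {print $1}' "$baseline")
        if [ -z "$want" ]; then
            echo "UNKNOWN $name"
        elif [ "$have" != "$want" ]; then
            echo "MODIFIED $name"
        fi
    done
}

# 3. Process hiding: a hooked readdir() can drop entries from a
#    directory listing of /proc, but a direct path test on /proc/<pid>
#    usually still succeeds. Walk PIDs 1..max_pid and report any that
#    exist in proc_dir but are absent from the list a userland tool
#    produced (file with one PID per line). A kernel-level hide may
#    still defeat this, so treat a clean result as one signal, not proof.
find_hidden_pids() {
    proc_dir="$1"; visible="$2"; max_pid="$3"
    pid=1
    while [ "$pid" -le "$max_pid" ]; do
        if [ -d "$proc_dir/$pid" ] && ! grep -qx "$pid" "$visible"; then
            echo "$pid"
        fi
        pid=$((pid + 1))
    done
}

# Run all checks against the live host. PAM_DIR, PAM_BASELINE and
# PRELOAD_ALLOWLIST are assumed environment variables for this script.
# PID_SCAN_MAX defaults to 32768 to keep the scan quick; raise it to the
# value of /proc/sys/kernel/pid_max for a full sweep.
run_live_audit() {
    echo "== LD_PRELOAD entries not on allowlist =="
    check_preload /etc/ld.so.preload "${PRELOAD_ALLOWLIST:-/dev/null}"
    echo "== PAM modules vs baseline =="
    check_pam_modules "${PAM_DIR:-/lib/x86_64-linux-gnu/security}" \
        "${PAM_BASELINE:-/dev/null}"
    echo "== PIDs present in /proc but absent from ps =="
    visible=$(mktemp)
    ps -eo pid= | tr -d ' ' > "$visible"
    find_hidden_pids /proc "$visible" "${PID_SCAN_MAX:-32768}"
    rm -f "$visible"
    echo "== Loaded BPF programs and maps (review unexpected owners) =="
    if command -v bpftool >/dev/null 2>&1; then
        bpftool prog list
        bpftool map list
    else
        echo "bpftool not installed; skipping BPF inventory"
    fi
}

if [ "${1:-}" = live ]; then
    run_live_audit
fi
```

Invoke as `sh audit.sh live` on the host under review; the BPF inventory only lists what is loaded, so the useful follow-up is to explain each program and map by its owning service rather than to expect an empty list.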
Source: SecurityWeek