Advanced eBPF Rootkit LinkPro Evade Detection in Linux Systems via Magic TCP Packets
Overview: LinkPro rootkit targets GNU/Linux systems: LinkPro is a newly discovered Linux rootkit that leverages eBPF (extended Berkeley Packet Filter) technology to stealthily hide its presence on infected systems. The sophisticated Linux rootkit linkpro was uncovered by Synacktiv CSIRT during an investigation of a compromised AWS infrastructure and evade detection in Linux Systems.
This threat was deployed in an AWS environment after attackers exploited a vulnerable Jenkins server to distribute a malicious Docker image containing a Rust downloader that fetched a memory-resident vShell backdoor. This rootkit’s use of eBPF, a legitimate kernel feature, makes detection challenging in Linux as it operates at a low level within the Linux kernel.
Leveraging extended Berkeley Packet Filter (eBPF) technology, where linkpro backdoor evades detection by hiding its processes and network activity, activating remotely via a “magic packet.”
Source: www.synacktiv.com
Issues Details: The attack, originating from a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. This highlights the misuse of ebpf for advanced persistent threats (apts) in cloud environments.
The LinkPro rootkit targets GNU/Linux systems, exploiting eBPF kernel capabilities to achieve stealth and remote activation.
It embeds multiple ELF modules, including two eBPF programs that hook into critical kernel system calls like getdents and sys_bpf to hide files, processes, and its own presence from detection tools.
If kernel support for these hooks is unavailable, LinkPro falls back to user-space concealment by loading a malicious shared library via /etc/ld.so.preload. This sophisticated rootkit deploys an advanced network packet filtering mechanism, activating only upon receiving a specific “magic packet” (a TCP SYN with a window size of 54321), allowing the attacker to control the system covertly.
LinkPro masquerades as the legitimate systemd-resolved service for persistence and uses encrypted channels such as HTTP, DNS tunneling, and raw TCP/UDP for command and control. Its design enables attackers to execute arbitrary commands, perform file operations, and establish proxy tunnels, making it a highly adaptable and stealthy tool for persistent intrusions targeting cloud-native Linux systems.
Attack Flow
IOCs
| IOC Type | Indicator | Description |
| Network | /api/client/file/download?Path=… | URL used to download tools/payloads onto the compromised host. |
| /reverse/handshake /reverse/heartbeat /reverse/operation | Endpoints the implant calls in reverse mode to receive operator commands. | |
| 18.199.101.111 | Destination IP used by LinkPro in forward (active) mode. | |
| File | /etc/systemd/system/systemd-resolveld.service | Malicious systemd service file named to look like systemd-resolved. |
| /root/.tmp~data.ok | Location/name of the LinkPro binary, disguised as a system file. | |
| /usr/lib/.system/.tmp~data.resolveld | Alternate disguised location for the LinkPro binary. | |
| /etc/libld.so | Malicious library loaded via /etc/ld.so.preload as a fallback concealment method. | |
| Host | Systemd-resolveld | Fake service name intended to be mistaken for systemd-resolved. |
| Conf_map | eBPF map holding the internal port used by the Knock module. | |
| Knock_map | eBPF map containing authorized IP addresses for the Knock module. | |
| Main_ebpf_progs | eBPF map listing programs that the Hide module manages. | |
| Pids_to_hide_map | eBPF map listing process IDs the rootkit hides. | |
| Hashes | D5b2202b7308b25bda8e106552dafb8b6e739ca62287ee33ec77abe4016e698b | Passive linkpro backdoor |
| 1368f3a8a8254feea14af7dc928af6847cab8fcceec4f21e0166843a75e81964 | Active linkpro backdoor | |
| B11a1aa2809708101b0e2067bd40549fac4880522f7086eb15b71bfb322ff5e7 | Ld_Preload module (libld.so) | |
| B8c8f9888a8764df73442ea78393fe12464e160d840c0e7e573f5d9ea226e164 | Hide ebpf module | |
| 364c680f0cab651bb119aa1cd82fefda9384853b1e8f467bcad91c9bdef097d3 | Knock ebpf module | |
| 0da5a7d302ca5bc15341f9350a130ce46e18b7f06ca0ecf4a1c37b4029667dbb | Vget downloader |
Recommendations:
Here are some recommendations below
- Patch the vulnerable Jenkins server (CVE-2024-23897) to prevent initial access.
- Restrict public exposure of CI/CD tools and enforce strict network segmentation.
- Monitor for suspicious Docker container deployments and unexpected host filesystem mounts.
- Watch for unusual or unauthorized eBPF program activity using kernel auditing tools.
- Regularly update Linux kernels and apply available security patches.
Conclusion:
The LinkPro rootkit is anadvanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on systems.
It spreads through Jenkins vulnerabilities, container escapes and remote activation, highlighting the critical vigilance organizations must maintain to continuously monitor and secure their environments.
To protect against it, companies should focus on timely patching and monitoring suspicious activities.
References:
Recent Comments