LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets

Summary

Researchers at Synacktiv uncovered a new GNU/Linux rootkit called LinkPro after investigating an AWS-hosted compromise. Attackers leveraged an exposed Jenkins server (CVE-2024-23897) to deploy a malicious Docker image to multiple Kubernetes clusters. That image delivered several components: a VPN/proxy tool, a Rust downloader (vGet) that fetches an encrypted vShell payload, and the LinkPro rootkit written in Go.

LinkPro uses two eBPF modules — one (“Hide”) to conceal processes and BPF artefacts and another (“Knock”) to implement a magic-packet activation mechanism. If kernel support is missing, the malware falls back to a user-space preload library (libld.so via /etc/ld.so.preload) to hide itself. It supports forward and reverse C2 modes, persistence via systemd, and a range of remote commands including spawning shells, file operations and SOCKS5 tunnelling.

Key Points

  1. Discovery: Synacktiv linked the intrusion to an exploited Jenkins server (CVE-2024-23897) and a malicious Docker Hub image (kvlnt/vv) that has since been removed.
  2. Multi-component drop: the attack deployed a VPN/proxy binary, a Rust downloader (vGet) that retrieves vShell, additional droppers, and the LinkPro Go rootkit.
  3. eBPF usage: LinkPro installs two eBPF modules — “Hide” (tracepoint & kretprobe) for stealth and “Knock” (XDP & TC) to detect a magic TCP packet and gate activation.
  4. Magic packet: the activation packet is a TCP packet with a window size of 54321; once received, the attacker gets a one‑hour window to interact from the packet source IP.
  5. Port manoeuvre: the Knock module rewrites packet headers so operators can reach LinkPro via any front-end firewall‑allowed port, complicating log correlation.
  6. Fallback concealment: if required kernel features are absent, LinkPro installs libld.so via /etc/ld.so.preload to hook libc calls and hide artefacts in user space.
  7. Capabilities: reverse/forward C2 (HTTP, WebSocket, UDP, TCP, DNS), executing pseudo‑TTY shells, file enumeration/transfer, and setting up SOCKS5 proxies.
  8. Persistence and cleanup: establishes a systemd service for persistence and removes eBPF modules/libld on termination signals to reduce forensic traces.
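As an added illustration of point 4 (this is not code from the Synacktiv report or from LinkPro itself), the following Python detector parses raw IPv4/TCP frames and flags any whose window size equals the value the report attributes to the activation packet. The sample frames are constructed in `build_frame` purely as test fixtures (checksums are zeroed); function names are this example's own.

```python
import socket
import struct

MAGIC_WINDOW = 54321  # TCP window size the report says LinkPro's Knock module waits for


def parse_ipv4_tcp(frame: bytes):
    """Return the IPv4/TCP header fields of a raw frame, or None if it is not IPv4 over TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if frame[9] != 6 or len(frame) < ihl + 20:  # protocol 6 == TCP; need a full TCP header
        return None
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", frame[ihl:ihl + 16])
    return {
        "src": socket.inet_ntoa(frame[12:16]),
        "dst": socket.inet_ntoa(frame[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x01FF,      # low 9 bits carry the TCP flags
        "window": window,
    }


def is_magic_packet(frame: bytes) -> bool:
    """True when the frame is TCP and advertises the magic window size."""
    hdr = parse_ipv4_tcp(frame)
    return hdr is not None and hdr["window"] == MAGIC_WINDOW


def scan(frames):
    """Run the detector over captured frames and return one alert string per hit."""
    alerts = []
    for frame in frames:
        hdr = parse_ipv4_tcp(frame)
        if hdr and hdr["window"] == MAGIC_WINDOW:
            alerts.append(f"TCP window {MAGIC_WINDOW} from {hdr['src']}:{hdr['sport']} "
                          f"to {hdr['dst']}:{hdr['dport']}")
    return alerts


def build_frame(src, dst, sport, dport, window, flags=0x02):
    """Constructed test fixture: minimal IPv4+TCP headers, no payload, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp
```

A window size of 54321 can occur in benign traffic, so treat a hit as a lead to correlate with process, eBPF and /etc/ld.so.preload telemetry on the destination host rather than as proof of compromise on its own.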

Why should I read this?

Short answer: if you run Linux servers, containers or Kubernetes, this one matters. The rootkit uses modern kernel features (eBPF) for stealth and a neat magic‑packet trick to hide operator access behind permitted firewall traffic — which makes detection and log correlation a real headache. Read this to know what to look for and avoid being surprised.

Context and Relevance

LinkPro showcases an evolving trend: threat actors combining eBPF for powerful kernel‑level stealth with container supply-chain and CI/CD compromises to gain widespread access. The use of a Jenkins exploit and a malicious Docker image highlights persistent CI/CD and container image supply risks. Defenders should review kernel config requirements (e.g. CONFIG_BPF_KPROBE_OVERRIDE), monitor for unusual eBPF program installs, audit /etc/ld.so.preload changes, and tighten exposed CI/CD endpoints and image provenance controls.

Author style

Punchy: This is high‑impact stuff — a stealthy rootkit weaponising eBPF and a clever TCP magic‑packet activation. If you manage cloud workloads or Kubernetes clusters, treat this as essential reading and check your Jenkins, image pipelines and kernel/eBPF telemetry now.

Source

Source: https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.html