LinkPro Linux rootkit (eBPF “magic packet” backdoor)

Synacktiv uncovered LinkPro, a stealthy Linux rootkit used in an AWS compromise. Attackers reportedly exploited a Jenkins instance vulnerable to CVE-2024-23897, then pushed a malicious Docker image that dropped several payloads, including LinkPro. The rootkit hides itself in the kernel with eBPF (tracepoint/kretprobe hooks) and in user space via /etc/ld.so.preload, and can be remotely “woken up” by a magic TCP packet (window size 54321). It persists as a systemd service and supports file operations, a shell, a SOCKS5 proxy and C2 over HTTP/WebSocket/UDP/TCP/DNS. Where eBPF isn’t available, it falls back to LD_PRELOAD cloaking alone.

Ever fancied a rootkit that naps until you tap a secret code on the network? Meet LinkPro, a Golang backdoor that hides with eBPF and only perks up when it sees a “magic” TCP packet. Researchers at Synacktiv spotted it after attackers breached an AWS setup through a Jenkins instance vulnerable to CVE-2024-23897 and spread a poisoned Docker image across Kubernetes nodes. Once in, LinkPro lies low using kernel-level eBPF hooks to conceal its processes and network activity. If that fails, it dusts off an old favourite: LD_PRELOAD via /etc/ld.so.preload to hide in user space.
When “knocked”, LinkPro opens a one-hour command window. It can phone home over HTTP/WebSocket/UDP/TCP/DNS, run shell commands, move files and even stand up a SOCKS5 proxy—all while trying not to leave fingerprints. Persistence is handled with systemd, and on shutdown it tidies up after itself like the world’s most considerate burglar.
Why it matters: because the hiding happens inside the kernel via eBPF, user-space tools that enumerate processes, files and sockets are shown a sanitised view, so conventional host monitoring becomes less reliable. And because the backdoor stays dormant until the magic packet arrives, there is no permanently open listener to find: after the knock, traffic from the knocking host is re-mapped to the backdoor on the fly, so firewall rules and log correlations keyed on a known open port don’t catch it. This isn’t your garden-variety crypto-miner; it’s stealthier and more modular.

What to do:
• Patch Jenkins CVE-2024-23897 and audit any exposed CI/CD.
• Scan Kubernetes nodes for eBPF programs you didn’t load (bpftool prog list shows what is attached) and for /etc/ld.so.preload tampering, including the file existing at all on hosts that have no reason to preload anything.
• Restrict outbound connectivity; watch for TCP packets with window size 54321 (a weak indicator on its own, since any stack may legitimately advertise that value, so correlate it with what the same source does next) and for unexpected traffic on ports 2333/2233.
• Baseline with eBPF visibility tools; monitor for systemd services you didn’t approve.
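To make the knock and preload indicators above concrete, here is an added example of offline hunting logic (not code from Synacktiv’s write-up or from the malware itself). It parses raw Ethernet/IPv4/TCP frames as you would read them from a pcap, flags a TCP window size of 54321 as a possible knock, flags follow-up SYNs from that host within the one-hour command window and any SYN to ports 2333/2233, and lists what a given /etc/ld.so.preload would force-load. The indicator values are taken from the text; the sample frames and the sample preload content are constructed, not captured.

```python
"""Offline hunting helpers for the LinkPro behaviours described above.

Added example, not code from the Synacktiv write-up or from the malware.
Assumes raw Ethernet/IPv4/TCP frames (e.g. from a pcap) and takes the write-up's
indicators at face value: window size 54321 as the knock, a one-hour command
window after it, and ports 2333/2233 as backdoor ports. All samples below are
constructed.
"""
import struct
from dataclasses import dataclass

MAGIC_WINDOW = 54321            # knock indicator from the write-up
KNOCK_WINDOW_S = 3600           # the one-hour command window opened by a knock
BACKDOOR_PORTS = {2333, 2233}   # ports named in the write-up
TCP_SYN = 0x002


@dataclass(frozen=True)
class TcpInfo:
    src: str
    dst: str
    sport: int
    dport: int
    window: int
    flags: int


def parse_tcp(frame: bytes):
    """Return TcpInfo for an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 20:  # proto 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    return TcpInfo(src, dst, sport, dport, window, off_flags & 0x1FF)


def is_magic_packet(frame: bytes) -> bool:
    info = parse_tcp(frame)
    return info is not None and info.window == MAGIC_WINDOW


def hunt(packets):
    """packets: iterable of (timestamp_seconds, frame). Returns alert strings for
    knocks, SYNs from a knocking host within the hour after its knock, and SYNs
    to the backdoor ports from any host."""
    knock_at, alerts = {}, []
    for ts, frame in packets:
        info = parse_tcp(frame)
        if info is None:
            continue
        if info.window == MAGIC_WINDOW:
            knock_at[info.src] = ts
            alerts.append(f"t={ts}: possible knock {info.src}:{info.sport} -> {info.dst}:{info.dport} window={info.window}")
        elif info.flags & TCP_SYN and info.dport in BACKDOOR_PORTS:
            alerts.append(f"t={ts}: SYN to backdoor port {info.src} -> {info.dst}:{info.dport}")
        elif info.flags & TCP_SYN and info.src in knock_at and ts - knock_at[info.src] <= KNOCK_WINDOW_S:
            alerts.append(f"t={ts}: post-knock SYN {info.src} -> {info.dst}:{info.dport}")
    return alerts


def audit_ld_preload(text: str) -> list:
    """Libraries an /etc/ld.so.preload with this content forces into every
    dynamically linked process. glibc reads whitespace-separated paths and
    treats '#' to end of line as a comment. On a host that does not deliberately
    preload anything, every returned entry deserves a look."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs


def build_frame(src, dst, sport, dport, window, flags=TCP_SYN) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums zeroed; fine for parsing)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


# Constructed traffic: a knock, a follow-up SYN inside the hour, unrelated traffic,
# a SYN straight to 2333, and a late SYN from the knocker outside the hour.
SAMPLE_PACKETS = [
    (0.0, build_frame("203.0.113.7", "10.0.0.5", 40000, 22, MAGIC_WINDOW, flags=0x010)),  # ACK-only knock
    (5.0, build_frame("203.0.113.7", "10.0.0.5", 40001, 22, 64240)),
    (10.0, build_frame("198.51.100.9", "10.0.0.5", 50000, 443, 64240)),
    (20.0, build_frame("198.51.100.9", "10.0.0.5", 50001, 2333, 64240)),
    (4000.0, build_frame("203.0.113.7", "10.0.0.5", 40002, 22, 64240)),
]
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/usr/local/lib/libcache.so   /lib/libhelper.so\n"

if __name__ == "__main__":
    for alert in hunt(SAMPLE_PACKETS):
        print(alert)
    print("ld.so.preload entries:", audit_ld_preload(SAMPLE_LD_SO_PRELOAD))
```

On the sample traffic this reports three alerts (the knock, the SYN five seconds later from the same host, and the SYN to 2333) and ignores the SYN that arrives after the hour has lapsed. The window check is deliberately narrow: 54321 is one of 65536 legal values, so treat a lone hit as a prompt to look at the source’s next connections rather than as proof of compromise.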

Don’t panic, do inventory, patch the front door, and keep an eye on the chimney.