Like its namesake, Umbreon keeps to the shadows. After its initial installation, Umbreon creates a hidden user account that the attacker can use to access the device via SSH.
This rootkit is designed to attack a wide range of devices. It has the ability to infiltrate Linux installs on x86, x86-64 and ARM architectures. It can even be installed on embedded systems, like routers.
Trend Micro warns that Umbreon is a ring 3 rootkit. The bulletin defines ring 3 as follows:
A ring 3 rootkit (or usermode rootkit) does not install kernel objects onto the system, but hooks functions from core libraries that are used by programs as interfaces to system calls that run important operations in a system such as reading/writing files, spawning processes, or sending packets over the network. It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode.
In this particular case, Umbreon masquerades as the glibc (GNU C Library). In fact, it rewrites the loader library to make sure that the rootkit libraries are accessed when a program calls for libraries in libc.
This new rootkit has been making the rounds on the cybercriminal sites, especially in the Dark Web. It has been in development since 2015, but the creator has been active since 2013.
Trend Micro stated that the rootkit has to be installed manually and afterward a hacker can take control of the Linux device even remotely.
They say that it is possible to remove the rootkit, but an inexperienced user could possibly damage their device if they attempted to remove it.
While frequent patches should keep desktop Linux installs safe, there are thousands of embedded systems that are still vulnerable to this rootkit. This is one fact that makes me nervous about Internet-linked devices.