A recently uncovered Linux rootkit known as LinkPro is raising concern across the information security community for its sophisticated use of extended Berkeley Packet Filter (eBPF) modules and stealth activation via “magic packets.” Designed to evade detection and enable covert control, LinkPro operates as an advanced persistent threat (APT) targeting GNU/Linux systems, revealing new layers of risk tied to kernel-level exploitation.
LinkPro Rootkit Leverages CVE-2024-23897 and eBPF to Achieve Deep Stealth
LinkPro was first identified by Synacktiv during an incident response investigation into a compromised AWS-hosted environment. The attackers gained an initial foothold by exploiting CVE-2024-23897, a critical vulnerability in Jenkins that enables unauthenticated file reads from the Jenkins controller via improper command-line parsing behavior.
After gaining access, the attackers deployed a malicious Docker image, `kvlnt/vv`, built on Kali Linux and containing several crucial components:
- `start.sh`: Bootstraps persistence by launching an SSH server and two executables.
- `link`: Connects to a remote VPN endpoint (`vnt.wherewego.top:29872`), turning the compromised host into a proxy for attacker operations.
- `app`: Downloads and executes an encrypted payload from an S3 bucket in memory. In observed cases, this was a vShell 4.9.3 backdoor using WebSocket for command-and-control (C2).
This sequence of actions across Kubernetes clusters laid the groundwork for the final payload: the LinkPro rootkit.
Dual-Mode Operation Enables Covert and On-Demand Access
Built with Golang, LinkPro operates in two distinct modes, allowing flexibility in attacker strategy:
- Forward Mode (Active): Immediately initiates outbound communication with the C2 infrastructure.
- Reverse Mode (Passive): Awaits specific “magic” TCP packets before activating.
The magic packet—a TCP packet with a window size of exactly 54321—activates LinkPro’s listener and gives the attacker a 60-minute window to issue commands to a designated port. This mode ensures that the rootkit remains silent and hidden from intrusion detection systems unless purposefully awakened.
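The activation trigger described above is a plain TCP header field, so it can be checked from packet captures without any kernel instrumentation. The following parser is an added example written for this article, not code from Synacktiv or from the LinkPro analysis; it decodes raw IPv4/TCP bytes and flags segments whose window field equals 54321. The three packets in `SAMPLE_PACKETS` are constructed for the example (checksums left at zero) and are not captured traffic.

```python
"""Detect the LinkPro 'magic' TCP packet by its window field (54321).

Input is a raw IPv4 packet without the Ethernet header. The packets in
SAMPLE_PACKETS are constructed for this example; they are not captured
traffic and their checksums are left at zero."""
import struct

MAGIC_WINDOW = 54321  # TCP window value the article reports as LinkPro's trigger


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, window) for an IPv4/TCP packet,
    or None if the bytes are not IPv4/TCP or are truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                    # not TCP, or TCP header missing
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    # TCP header prefix: sport, dport, seq, ack, data-offset/flags, window
    sport, dport, _seq, _ack, _off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return src, dst, sport, dport, window


def is_magic_packet(pkt: bytes) -> bool:
    """True when the segment carries the 54321 window value."""
    parsed = parse_ipv4_tcp(pkt)
    return parsed is not None and parsed[4] == MAGIC_WINDOW


def scan(packets):
    """Return (src, dst, sport, dport) for every packet carrying the magic window."""
    return [p[:4] for p in map(parse_ipv4_tcp, packets)
            if p is not None and p[4] == MAGIC_WINDOW]


def build_ipv4_tcp(src, dst, sport, dport, window, flags=0x02):
    """Build a minimal IPv4/TCP SYN for the sample set (no checksums; parse-only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp


# Constructed sample: two ordinary SYNs and one carrying the 54321 window.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 443, 65535),
    build_ipv4_tcp("203.0.113.7", "10.0.0.9", 51234, 8443, MAGIC_WINDOW),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40001, 22, 29200),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print("magic window seen: %s:%d -> %s:%d" % hit)
```

A window value of 54321 can also appear in ordinary traffic once window scaling is in play, so treat a match as a lead rather than a verdict: the stronger signal is a match followed, within the hour, by a new inbound connection to a port on the host that was previously closed.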
This behavior resembles that of the Syslogk rootkit, previously reported by ZeroSecurity and Infosecurity Magazine. Syslogk also leverages magic packets to minimize its exposure window, activating a covert kernel module only upon receiving a specially crafted TCP packet. Although Syslogk implements these features through traditional kernel driver mechanisms, LinkPro’s use of eBPF significantly enhances its concealment.
eBPF Abuse Demonstrates the Expanding Threat to Linux Kernel Security
eBPF, a powerful kernel feature designed to enable safe runtime extension and observability in Linux systems, plays a central role in LinkPro’s stealth capabilities. LinkPro uses two eBPF modules:
- Hide Module: Conceals the rootkit’s activity at the kernel level, including processes and network communications.
- Knock Module (deployed in reverse mode): Monitors incoming traffic for the magic TCP packet to initiate activation.
If the eBPF Hide module fails to load—due to permission issues or kernel configuration—LinkPro falls back to a user-space evasion mechanism by modifying `/etc/ld.so.preload`. This allows it to inject a malicious library that hides its artifacts via shared object manipulation at runtime.
According to LinuxSecurity, while eBPF can enhance system visibility for defense tools, attackers now exploit the same features for malicious purposes. Operating in trusted kernel space, eBPF-based malware like LinkPro bypasses typical endpoint detection and response (EDR) solutions that focus on user-space activity. This marks a growing concern for defenders, as traditional visibility and forensics tools often do not monitor eBPF-related changes.
Exploitation of Jenkins CVE-2024-23897 Was the Entry Point
Splunk provided detailed insights into CVE-2024-23897, the vulnerability that enabled LinkPro’s deployment. The flaw arises from Jenkins’ Command Line Interface (CLI), which misinterprets the `@` character followed by a path as a directive to read the corresponding file. This logic flaw allows unauthenticated attackers to access arbitrary files from the Jenkins controller file system—potentially revealing credentials, tokens, or SSH keys.
Security teams are advised to examine Jenkins logs and look for CLI actions that include `@` prefixes pointing to suspicious paths. Splunk has published detection queries and log analysis strategies to help defenders identify patterns of exploitation for this CVE.
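One way to operationalise that advice is a small scanner that pulls `@/path` arguments out of log text and ranks them by the sensitivity of the path. The code below is an added example for this article, not one of Splunk's published queries; the sample lines are constructed and do not reproduce Jenkins' real log layout, and the only assumption the scanner makes is that CLI arguments appear somewhere in the line text. The high-value prefix list is hypothetical and should be adapted to the local layout.

```python
"""Scan log lines for Jenkins CLI arguments of the form @/path, the pattern
used to exploit CVE-2024-23897. The lines in SAMPLE_LINES are constructed for
this example and do not reproduce Jenkins' real log layout; the scanner only
assumes that the CLI arguments appear somewhere in the line text."""
import re

# An argument token beginning with '@' followed by an absolute path.
AT_PATH = re.compile(r"@(/[^\s'\"\],]+)")

# Paths whose disclosure is most damaging (credentials, keys, secrets). Hypothetical list.
HIGH_VALUE_PREFIXES = (
    "/etc/", "/root/", "/home/",
    "/var/jenkins_home/secrets/", "/var/lib/jenkins/secrets/",
)


def find_at_paths(line: str):
    """Return every @/path argument found in one log line."""
    return AT_PATH.findall(line)


def classify(line: str):
    """Return None for a clean line, else a finding dict with paths and severity."""
    paths = find_at_paths(line)
    if not paths:
        return None
    high = any(p.startswith(HIGH_VALUE_PREFIXES) for p in paths)
    return {"paths": paths, "severity": "high" if high else "medium"}


def scan_log(lines):
    """Return (line_number, finding) pairs for lines that carry @/path arguments."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hit = classify(line)
        if hit:
            findings.append((number, hit))
    return findings


# Constructed sample lines (not real Jenkins output).
SAMPLE_LINES = [
    "2024-01-30 10:12:01 CLI call from 203.0.113.7 args=['help', '@/etc/passwd']",
    "2024-01-30 10:12:05 CLI call from 10.0.0.21 args=['who-am-i']",
    "2024-01-30 10:12:09 CLI call from 203.0.113.7 args=['connect-node', '@/var/jenkins_home/secrets/master.key']",
    "2024-01-30 10:13:00 user admin@example.com logged in",
    "2024-01-30 10:14:41 CLI call from 10.0.0.21 args=['build', 'job1', '@/tmp/params.txt']",
]

if __name__ == "__main__":
    for number, hit in scan_log(SAMPLE_LINES):
        print(f"line {number}: {hit['severity']} {hit['paths']}")
```

Because the `@` expansion was legitimate CLI behaviour before the fix, a medium-severity hit on a build parameter file is not proof of abuse on its own; an unauthenticated or unfamiliar source address combined with a secrets or `/etc` path is the combination worth escalating.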
Implications for Linux Defenders and the Need for Kernel-Level Visibility
While LinkPro is currently under focused analysis, its framework illustrates a broader threat trend: the increasing use of Linux kernel features, like eBPF, for sophisticated and stealthy cyberattacks.
“When malicious actors deploy eBPF to bypass standard monitoring, defenders must adapt by monitoring kernel activity directly as part of their detection posture,” notes LinuxSecurity.
Recent advisories from the Cybersecurity and Infrastructure Security Agency (CISA) also emphasize the importance of frequent patching and proactive monitoring in Linux environments. Although the bulletins do not mention LinkPro directly, they underscore mounting concerns within the community about kernel-level exploitation pathways.
Recommendations and Detection Strategies for LinkPro
Enterprises operating Linux-based infrastructure, especially those utilizing Jenkins and Kubernetes environments, should act promptly to assess their exposure and harden defenses. Recommended actions include:
- Patch Jenkins Servers: CVE-2024-23897 has been addressed—ensure all Jenkins instances are updated.
- Audit Docker Images and Kubernetes Pods: Review for unexpected images or containers named `kvlnt/vv` or containing unknown binaries such as `start.sh`, `link`, or `app`.
- Monitor TCP Packet Behavior: Inspect packet flows for unusual TCP window sizes (e.g., 54321) that may signal activation attempts.
- Detect Suspicious eBPF Programs: Use tooling to enumerate and monitor loaded eBPF programs. Be alert to new modules performing traffic inspection or process hiding.
- Inspect `/etc/ld.so.preload`: Flag unauthorized changes, which may indicate a fallback concealment mechanism in place.
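The last two checks on that list can be scripted on the host. The following is an added example written for this article, not tooling from any vendor named above: it reviews `/etc/ld.so.preload` against an allowlist and triages the programs reported by `bpftool prog show -j`, separating those attached to network paths (the kind a knock module needs) from those hooking kernel tracing points (the kind a hide module needs). The preload entries and the bpftool JSON are constructed samples; the JSON field names (`id`, `type`, `name`, `uid`, `loaded_at`) reflect bpftool's output as the author understands it and should be confirmed against the local bpftool version.

```python
"""Two host checks for the concealment mechanisms discussed above:
an /etc/ld.so.preload review and a triage of loaded eBPF programs.

The preload entries and the bpftool JSON below are constructed for this
example. The JSON shape (an array of objects with id, type, name, uid and
loaded_at) is assumed from `bpftool prog show -j`; verify against your
bpftool version. Nothing else is read from that output."""
import json
import os
import subprocess

# Hypothetical allowlist: libraries an organisation deliberately preloads host-wide.
ALLOWED_PRELOAD = frozenset()

# eBPF program types that can inspect traffic (knock-style) or hook kernel paths (hide-style).
NETWORK_TYPES = {"xdp", "sched_cls", "sched_act", "socket_filter", "cgroup_skb", "sk_skb"}
TRACING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm", "perf_event"}


def review_preload_lines(lines, allowlist=ALLOWED_PRELOAD):
    """Return preload entries not on the allowlist; an empty list means clean."""
    findings = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()   # the loader ignores comments and blanks
        if entry and entry not in allowlist:
            findings.append(entry)
    return findings


def review_preload_file(path="/etc/ld.so.preload", allowlist=ALLOWED_PRELOAD):
    """An absent file is the normal state on most hosts and yields no findings."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return review_preload_lines(fh, allowlist)


def triage_bpf_programs(bpftool_json, known_names=frozenset()):
    """Classify each program in bpftool's JSON list; return those not on the known list."""
    findings = []
    for prog in json.loads(bpftool_json):
        name = prog.get("name", "")
        if name in known_names:
            continue
        ptype = prog.get("type", "")
        category = ("traffic-inspection" if ptype in NETWORK_TYPES
                    else "kernel-hook" if ptype in TRACING_TYPES
                    else "other")
        findings.append({"id": prog.get("id"), "name": name, "type": ptype,
                         "uid": prog.get("uid"), "loaded_at": prog.get("loaded_at"),
                         "category": category})
    return findings


def live_bpf_programs():
    """Run bpftool on the host (needs root and bpftool installed); raw JSON or None."""
    try:
        out = subprocess.run(["bpftool", "prog", "show", "-j"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout


# Constructed samples (not from a real host).
SAMPLE_PRELOAD = ["# managed by config\n", "/usr/lib/libhidden_example.so\n", "\n"]
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "tracepoint", "name": "sched_trace", "uid": 0, "loaded_at": "2024-01-30T09:00:00+0000"},
    {"id": 37, "type": "kprobe", "name": "hide_getdents", "uid": 0, "loaded_at": "2024-01-30T10:15:02+0000"},
    {"id": 38, "type": "xdp", "name": "knock_filter", "uid": 0, "loaded_at": "2024-01-30T10:15:02+0000"},
])
KNOWN_BPF_NAMES = frozenset({"sched_trace"})  # hypothetical: your observability agent's programs

if __name__ == "__main__":
    print("unexpected preload entries:", review_preload_file())
    raw = live_bpf_programs() or SAMPLE_BPFTOOL_JSON  # falls back to the sample when bpftool is absent
    for finding in triage_bpf_programs(raw, KNOWN_BPF_NAMES):
        print(finding)
```

A rootkit whose hide module is already loaded may filter what `bpftool` itself sees, so run this from a known-good boot medium or compare its output against the host's own observability agent inventory rather than trusting a single in-band reading; `loaded_at` timestamps that cluster around an unexplained container start are a useful pivot back to the image audit step.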
Security professionals should recognize that as Linux gains greater traction in production environments, so does its exposure to rootkit-based threats. LinkPro’s use of eBPF and TCP-level activation showcases the evolving techniques adversaries are deploying—and the corresponding need for defenders to think beyond user-space monitoring.