The Initial Attack Vector
The infection chain began when threat actors exploited a vulnerable Jenkins server (CVE-2024-23897) that was exposed to the internet. Attackers deployed a malicious Docker image named kvlnt/vv across multiple Amazon EKS Kubernetes clusters.
Malicious Docker Image Components
Component 1: VPN Proxy Tool
Used to establish covert communication channels and bypass network restrictions.
Component 2: vGet Downloader
Malware responsible for fetching additional payloads and maintaining persistence.
Component 3: LinkPro Rootkit
The primary threat—an undocumented backdoor written in Golang targeting Linux infrastructure.
The Docker configuration granted full filesystem access with root privileges, enabling container escape and credential harvesting from other pods. Synacktiv researchers identified LinkPro as an undocumented backdoor written in Golang, representing a previously unknown threat to Linux infrastructure.
Attack Strategy Analysis
The attack demonstrates a multi-stage compromise strategy. The exposed Jenkins server served as the initial entry point, allowing attackers to gain system access and deploy containerized payloads across EKS clusters. This attack pattern reveals how cloud infrastructure misconfigurations can cascade into widespread compromise across containerized environments, particularly when security groups and network policies fail to restrict unauthorized access to development tools like Jenkins.
How LinkPro Operates: Technical Deep Dive
Dual Operation Modes
LinkPro operates in two distinct modes to maximize persistence and evasion:
Passive Reverse Mode
The rootkit listens for commands after receiving a specific TCP magic packet containing a window size of 54321. This allows the malware to remain dormant until activated by attackers.
Active Forward Mode
LinkPro initiates direct command-and-control communication with remote operators, actively reaching out to establish connections.
Advanced Stealth Techniques
The malware employs a sophisticated dual-layer stealth approach utilizing two eBPF modules for concealment, but automatically falls back to hijacking the dynamic linker through /etc/ld.so.preload when the kernel configuration lacks the required CONFIG_BPF_KPROBE_OVERRIDE option.
Persistence and Concealment Mechanisms
File System Manipulation
Persistence is achieved through a deceptive systemd service unit file created at:
/etc/system/system/systemd-resolveld.service
The malicious binary is copied to:
/usr/lib/.system/.tmp~data.resolveld
Timestamps are modified to match legitimate system files, making detection through file integrity monitoring extremely difficult.
eBPF Module Capabilities
Hide eBPF Module
Intercepts critical system calls including:
- getdents – Hides files and directories
- sys_bpf – Conceals eBPF programs from enumeration
Uses tracepoints and kernel return probes to effectively hide files, processes, and its own eBPF programs from standard enumeration tools.
Knock eBPF Module
Demonstrates sophisticated network manipulation capabilities using:
- XDP (eXpress Data Path): High-performance packet processing
- TC (Traffic Control): Packet manipulation and routing
Network Traffic Manipulation Process
- Detection: Monitors for TCP SYN packets with window size 54321
- Registration: Stores source IP in knock_map with one-hour expiration
- Redirection: xdp_ingress rewrites packet headers to redirect traffic to internal port 2233
- Response Masking: tc_egress rewrites outgoing response ports to original values
This creates a seamless tunnel that bypasses firewall rules and network monitoring solutions.
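As an added example (not code from the original article or from the Synacktiv report), the following Python detector parses raw Ethernet/IPv4/TCP frames and flags SYN-only segments that advertise the 54321 window size described above. The frames it scans are constructed inline for demonstration; in practice they would come from a pcap reader or a span port. A window size on its own is a weak signal, so hits are leads to correlate with later traffic to port 2233 rather than proof of compromise.

```python
import socket
import struct

MAGIC_WINDOW = 54321   # window size the article says the knock module keys on
TCP_SYN = 0x02
TCP_ACK = 0x10

def parse_ipv4_tcp(frame):
    """Parse an Ethernet II frame carrying IPv4/TCP. Returns a dict of the
    fields the detector needs, or None for anything else (ARP, IPv6, UDP...)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length honours IP options
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x1FF,    # low 9 bits of the word are the TCP flags
        "window": window,
    }

def is_knock_candidate(pkt):
    """A SYN-only segment (no ACK) advertising the magic window."""
    flags = pkt["flags"]
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and pkt["window"] == MAGIC_WINDOW

def scan_frames(frames):
    """Return (index, src, dst, dport) for every frame that looks like a knock."""
    alerts = []
    for i, frame in enumerate(frames):
        pkt = parse_ipv4_tcp(frame)
        if pkt and is_knock_candidate(pkt):
            alerts.append((i, pkt["src"], pkt["dst"], pkt["dport"]))
    return alerts

def build_frame(src, dst, sport, dport, flags, window):
    """Constructed test frame (checksums left zero); sample data, not captured traffic."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

# Constructed sample traffic: a normal SYN, a SYN with the magic window, a SYN/ACK
# carrying the same window (must not fire), and a non-IPv4 frame (ignored).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40000, 443, TCP_SYN, 65535),
    build_frame("203.0.113.7", "10.0.0.9", 51234, 80, TCP_SYN, MAGIC_WINDOW),
    build_frame("10.0.0.9", "203.0.113.7", 80, 51234, TCP_SYN | TCP_ACK, MAGIC_WINDOW),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,   # ARP frame
]

if __name__ == "__main__":
    for alert in scan_frames(SAMPLE_FRAMES):
        print("possible knock: frame=%d %s -> %s:%d" % alert)
```

The parser honours the IPv4 header length field so that packets with IP options are not misread, and it requires the ACK bit to be clear so that ordinary SYN/ACK replies that happen to carry the same window value do not trigger.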
Remote Access Capabilities
Core Functions
- Interactive shell sessions
- File management operations (upload/download/delete)
- SOCKS5 proxy tunneling
- File exfiltration via Base64-encoded chunks
Communication Protocols
- HTTP/HTTPS
- WebSocket
- TCP/UDP
- DNS tunneling
Encryption: All exchanges encrypted using XOR operations to evade detection.
Threat Significance and Impact
Why LinkPro Represents a Major Escalation
The discovery of LinkPro represents a significant escalation in Linux-targeted malware sophistication. The rootkit’s ability to hide at the kernel level using eBPF modules makes traditional host-based detection mechanisms ineffective.
Detection Blind Spots
Organizations relying on standard security tools face substantial challenges:
- File Integrity Monitoring: Bypassed through timestamp manipulation
- Process Enumeration Tools: Defeated by Hide eBPF module
- System Call Auditing: Intercepted at kernel level
- Network Monitoring: Evaded through packet header manipulation
Cloud Infrastructure Vulnerability
The successful compromise of AWS EKS infrastructure demonstrates that even cloud-native environments with managed Kubernetes services remain vulnerable to sophisticated adversaries exploiting misconfigurations and unpatched vulnerabilities.
Detection Strategies
Indicators to Monitor
Detection requires looking beyond conventional indicators. Organizations should monitor for:
Suspicious System Services
Look for systemd service files resembling legitimate system services, particularly typosquatted names like systemd-resolveld (one letter off from the legitimate systemd-resolved).
Unusual eBPF Activity
Monitor for unexpected eBPF program activity through kernel monitoring tools like bpftool and audit logs.
Network Anomalies
Watch for TCP SYN packets with unusual window sizes (particularly 54321) and unexpected traffic redirection patterns.
File Timestamp Irregularities
Investigate file timestamp anomalies on system binaries, especially in system directories like /usr/lib.
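The host-side indicators above (look-alike unit names, the /etc/ld.so.preload fallback, and timestamp tampering under /usr/lib) can be checked together. The Python below is an added example, not code from the article or from Synacktiv; the allowlist of unit names and all sample inputs are constructed. For timestamps it relies on the fact that utime() can backdate mtime but not ctime, which the kernel sets itself, so a ctime far newer than mtime is a lead (package installs produce the same pattern, so hits should be verified against the package manager).

```python
import os
from dataclasses import dataclass

# Constructed allowlist; build it from a known-good host in practice.
KNOWN_UNITS = {
    "systemd-resolved.service", "systemd-networkd.service",
    "systemd-journald.service", "systemd-logind.service",
    "systemd-timesyncd.service", "systemd-udevd.service",
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_units(unit_names, known=KNOWN_UNITS, max_distance=1):
    """Unit names within max_distance edits of a known unit without matching it."""
    hits = []
    for name in sorted(set(unit_names)):
        if name in known:
            continue
        closest = min(known, key=lambda k: edit_distance(name, k))
        if edit_distance(name, closest) <= max_distance:
            hits.append((name, closest))
    return hits

def preload_entries(text):
    """Non-comment lines of /etc/ld.so.preload; on most hosts the file is absent
    or empty, so every entry deserves verification of package ownership."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

@dataclass
class FileMeta:
    path: str
    mtime: float   # modification time, settable with utime()
    ctime: float   # inode change time, set by the kernel and not settable with utime()

def timestamp_anomalies(files, min_gap=86400):
    """Flag ctime much newer than mtime, and hidden dot-entries in system paths."""
    out = []
    for f in files:
        reasons = []
        if f.ctime - f.mtime > min_gap:
            reasons.append("ctime much newer than mtime (possible backdating)")
        if any(part.startswith(".") for part in f.path.split("/") if part):
            reasons.append("hidden dot-entry in system path")
        if reasons:
            out.append((f.path, reasons))
    return out

def stat_tree(root):
    """Collect FileMeta for a real directory tree (only used when run on a host)."""
    metas = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            metas.append(FileMeta(p, st.st_mtime, st.st_ctime))
    return metas

# Constructed sample inputs, not data captured from a real host.
SAMPLE_UNITS = ["systemd-resolved.service", "systemd-resolveld.service", "cron.service"]
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/.system/libconstructed.so\n"
SAMPLE_FILES = [
    FileMeta("/usr/lib/.system/.tmp~data.resolveld", mtime=1_600_000_000, ctime=1_730_000_000),
    FileMeta("/usr/lib/libc.so.6", mtime=1_700_000_000, ctime=1_700_000_100),
]

if __name__ == "__main__":
    print(lookalike_units(SAMPLE_UNITS))
    print(preload_entries(SAMPLE_PRELOAD))
    print(timestamp_anomalies(SAMPLE_FILES))
```

On a live host, feed `os.listdir` of /etc/systemd/system and /usr/lib/systemd/system into `lookalike_units`, the contents of /etc/ld.so.preload into `preload_entries`, and `stat_tree("/usr/lib")` into `timestamp_anomalies`; keep in mind that the hide module can filter getdents results, so listings taken from a compromised kernel may be incomplete.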
Mitigation and Remediation Steps
Immediate Actions Required
Critical Priority
- Patch CVE-2024-23897 on all exposed Jenkins instances immediately
- Audit all running containers for the malicious image kvlnt/vv
- Review and rotate all credentials accessible from compromised pods
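To make the container audit concrete, the following added example (not from the article or from Synacktiv) scans the JSON that `kubectl get pods -A -o json` prints for any container, init container, or container status whose image resolves to kvlnt/vv, normalising registry prefixes, tags and digests first, and also reports hostPath volumes that expose the node root filesystem, the kind of configuration the article attributes to the malicious image. The pod listing is constructed sample data.

```python
import json
import sys

MALICIOUS_IMAGES = {"kvlnt/vv"}   # image name reported in the article

def image_repo(ref):
    """Reduce an image reference to its repository path, so that
    docker.io/kvlnt/vv:latest and kvlnt/vv@sha256:... both become kvlnt/vv."""
    ref = ref.split("@", 1)[0]               # drop digest
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:                        # a ':' after the last '/' is a tag
        ref = ref[:colon]
    parts = ref.split("/")
    looks_like_host = "." in parts[0] or ":" in parts[0] or parts[0] == "localhost"
    if len(parts) > 2 or (len(parts) == 2 and looks_like_host):
        parts = parts[1:]                    # drop registry host
    return "/".join(parts)

def host_root_mounts(pod):
    """Names of hostPath volumes that mount the node's root filesystem."""
    out = []
    for vol in pod.get("spec", {}).get("volumes", []):
        hp = vol.get("hostPath")
        if hp and hp.get("path", "").rstrip("/") == "":
            out.append(vol.get("name"))
    return out

def find_malicious_pods(pod_list, bad=MALICIOUS_IMAGES):
    """Return (namespace, pod, matched image refs, root hostPath volumes) per hit."""
    hits = []
    for pod in pod_list.get("items", []):
        md, spec, status = pod.get("metadata", {}), pod.get("spec", {}), pod.get("status", {})
        refs = []
        for key in ("initContainers", "containers", "ephemeralContainers"):
            refs += [c.get("image", "") for c in spec.get(key, [])]
        for key in ("initContainerStatuses", "containerStatuses"):
            refs += [c.get("image", "") for c in status.get(key, [])]
        matched = sorted({r for r in refs if r and image_repo(r) in bad})
        if matched:
            hits.append((md.get("namespace"), md.get("name"), matched, host_root_mounts(pod)))
    return hits

# Constructed sample in the shape of `kubectl get pods -A -o json`; not real cluster data.
SAMPLE_POD_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "web-7d9f", "namespace": "default"},
         "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
         "status": {"containerStatuses": [{"image": "docker.io/library/nginx:1.25"}]}},
        {"metadata": {"name": "resolver-0", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "main", "image": "docker.io/kvlnt/vv:latest",
                                  "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
                  "volumes": [{"name": "host", "hostPath": {"path": "/"}}]},
         "status": {"containerStatuses": [{"image": "docker.io/kvlnt/vv:latest"}]}},
    ],
}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for ns, name, images, mounts in find_malicious_pods(data):
        print("%s/%s images=%s root-hostPath=%s" % (ns, name, images, mounts))
```

Run it as `kubectl get pods -A -o json | python3 audit_pods.py`. Checking container statuses as well as the spec catches the case where a running container's image differs from what the spec currently declares, and the normalisation keeps a tag or registry prefix from hiding a match.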
High Priority
- Implement strict network segmentation for development tools
- Enforce restrictive container security policies (AppArmor, SELinux, seccomp)
- Conduct forensic analysis of Kubernetes audit logs
- Identify suspicious container deployments or image pulls from untrusted registries
Medium Priority
- Review kernel hardening configurations
- Implement eBPF monitoring and auditing solutions
- Deploy runtime security tools for containers (Falco, Sysdig)
- Establish baseline network traffic patterns
Long-Term Defense Strategy
Organizations operating Linux infrastructure should implement defense-in-depth strategies combining:
- Kernel-Level Monitoring: Deploy tools capable of detecting unauthorized eBPF programs
- Container Runtime Security: Implement behavioral analysis and anomaly detection
- Network-Based Detection: Use packet inspection to identify manipulation attempts
- Continuous Threat Intelligence: Maintain updated detection signatures and IOCs
- Zero Trust Architecture: Minimize implicit trust between system components
Key Insights About the LinkPro Rootkit Threat
Understanding LinkPro is essential for security teams protecting Linux and cloud-native infrastructure. This rootkit represents a new generation of kernel-level malware that exploits eBPF technology—originally designed for legitimate observability and security purposes—to achieve unprecedented stealth and persistence. The attack chain from Jenkins exploitation to EKS cluster compromise demonstrates how interconnected cloud environments amplify the impact of single vulnerabilities. Organizations must evolve beyond traditional detection methods, implementing kernel-aware monitoring, strict container security policies, and defense-in-depth strategies that account for adversaries operating at the lowest levels of the system. The sophistication of LinkPro signals that Linux systems, particularly in cloud environments, face increasingly advanced threats requiring equally sophisticated defensive capabilities.