Pokemon Themed ‘Umbreon’ Rootkit Hides In Linux Systems

Trend Micro cyber security researchers have uncovered a Pokemon themed malicious rootkit that targets Linux systems, including embedded systems such as Raspberry Pi.

The rootkit, called Umbreon after a Pokemon character that conceals itself in the night, is difficult to detect because it modifies the outputs of common system commands to remove traces of its existence, according to researchers.

Invisible

“It effectively functions as an in-the-middle attack, modifying both the input and output of system functions,” wrote Trend Micro researcher Fernando Mercês in an advisory. “Users cannot trust the outputs of system commands like ps, ls, top, and pstree (among others).”

Umbreon acts as a library that imitates glibc, Linux’s C library, meaning that only tools that don’t use glibc can detect it, Mercês said.

The rootkit installs a user account which it keeps invisible and which can be accessed by the attacker to pass commands to the system.

The backdoor component that listens for the attacker’s commands is called Espeon, after a Pokemon character with pronounced ears, Trend said.

The firm noted Umbreon is very portable, running on x86, x86-64 and ARM mobile chips, such as those that power Raspberry Pi, due to the fact that it is written in pure C and does not rely on platform-specific code.

Hard to remove

Mercês said Trend has created two tools that can help detect Umbreon, as well as instructions on removing it.

He said because the rootkit operates only at the user level, and doesn’t install root-level components, it is possible to remove it, but doing so may nevertheless be difficult.

“It may be tricky and inexperienced users may break the system and put it into an unrecoverable state,” he wrote.

The popularity of the recent Pokemon GO mobile game has led to the distribution of hundreds of malicious apps that imitate the appearance of the game in order to take over devices.

Are you a security pro? Try our quiz!