Pokemon Themed ‘Umbreon’ Rootkit Hides In Linux Systems

Trend Micro cyber security researchers have uncovered a Pokemon themed malicious rootkit that targets Linux systems, including embedded systems such as Raspberry Pi.

The rootkit, called Umbreon after a Pokemon character that conceals itself in the night, is difficult to detect because it modifies the outputs of common system commands to remove traces of its existence, according to researchers.


“It effectively functions as an in-the-middle attack, modifying both the input and output of system functions,” wrote Trend Micro researcher Fernando Mercês in an advisory. “Users cannot trust the outputs of system commands like ps, ls, top, and pstree (among others).”

Umbreon acts as a library that imitates glibc, Linux’s C library, meaning that only tools that don’t use glibc can detect it, Mercês said.

The rootkit installs a user account which it keeps invisible and which can be accessed by the attacker to pass commands to the system.

The backdoor component that listens for the attacker’s commands is called Espeon, after a Pokemon character with pronounced ears, Trend said.

The firm noted Umbreon is very portable, running on x86, x86-64 and ARM mobile chips, such as those that power Raspberry Pi, due to the fact that it is written in pure C and does not rely on platform-specific code.

Hard to remove

Mercês said Trend has created two tools that can help detect Umbreon, as well as instructions on removing it.

He said because the rootkit operates only at the user level, and doesn’t install root-level components, it is possible to remove it, but doing so may nevertheless be difficult.

“It may be tricky and inexperienced users may break the system and put it into an unrecoverable state,” he wrote.

The popularity of the recent Pokemon GO mobile game has led to the distribution of hundreds of malicious apps that imitate the appearance of the game in order to take over devices.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Google Ordered To Pay $43m By Australian Court

Search engine Google fined $43 million by Australian court for tracking Android users location data…

3 days ago

Hacker Touts Data Sale Of 48.5m Users Of Covid App – Report

Personal data of 48.5 million Chinese citizens who used Shanghai's Covid App, is being offered…

3 days ago

Facebook Tests Default End-to-End Encryption For Messenger

Privacy move. Platform tests secure storage of people's chats on Messenger, in a move sure…

3 days ago

UK’s CMA Begins Probe Of Viasat Acquisition Of Inmarsat

British competition regulator the CMA, begins phase one investigation of $7.3 billion merger between Inmarsat…

3 days ago

Cisco Admits ‘Security Incident’ After Breach Of Corporate Network

Yanluowang ransomware hackers claim credit for compromise of Cisco's corporate network in May, while Cisco…

3 days ago

Google Seeks To Shame Apple Over RCS Refusal

Good luck convincing Tim. Google begins publicity campaign to pressure Aple into adopting the cross…

3 days ago