Deep Dive Into a Linux Rootkit Malware
Jan. 14, 2025, 8:46 a.m.
Description
This analysis examines a Linux rootkit malware deployed by remote attackers on a compromised CentOS system. The malware consists of a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module hijacks inbound network traffic using a Netfilter hook, creates procfs entries for communication, and starts the user-space process. The user-space component disguises itself as 'bash' and enables remote command execution with root privileges. The attackers use a special 'attack-init' packet to initiate communication and can send encrypted commands to control the system. The analysis details the malware's initialization, network interception, data exchange mechanisms, and command execution process.
Date
- Created: Jan. 14, 2025, 7:16 a.m.
- Published: Jan. 14, 2025, 7:16 a.m.
- Modified: Jan. 14, 2025, 8:46 a.m.
Indicators
- d57a2cac394a778e19ce9b926f2e0a71936510798f30d20f207f2a49b49ce7b1
- 8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526
- 6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a