Deep Dive Into a Linux Rootkit Malware

    Date: 01/14/2025

    Severity: High

    Summary

    In this analysis, we examined the rootkit malware in detail. We first described how the kernel module registers a Netfilter hook function on NF_INET_PRE_ROUTING to intercept incoming TCP traffic directed to the compromised system. We then detailed the tasks performed by the Netfilter hook function: parsing attacker-initiated packets and the format of the response packets, invoking the user-space file, and facilitating data exchange between the user-space process and the kernel module.

    Indicators of Compromise (IOC) List

    Hash (SHA-256):

    8D016D02F8FBE25DCE76481A90DD0B48630CE9E74E8C31BA007CF133E48B8526

    6EDD7B3123DE985846A805931CA8EE5F6F7ED7B160144AA0E066967BC7C0423A

    D57A2CAC394A778E19CE9B926F2E0A71936510798F30D20F207F2A49B49CE7B1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash (SHA-256):

    SHA256Hash IN ("8D016D02F8FBE25DCE76481A90DD0B48630CE9E74E8C31BA007CF133E48B8526","6EDD7B3123DE985846A805931CA8EE5F6F7ED7B160144AA0E066967BC7C0423A","D57A2CAC394A778E19CE9B926F2E0A71936510798F30D20F207F2A49B49CE7B1")
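    The TDIR query above matches file hashes already collected by a sensor. As an added example (not part of this advisory and not Fortinet's or Gurucul's code), the following Python script applies the same three SHA-256 indicators directly on a Linux host: it hashes every regular file under a directory tree and reports any that match the IOC list. The default scan root of /lib/modules and the self-check helper, which writes a constructed file into a temporary directory and matches it against a constructed IOC set, are assumptions made for this example.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA-256 indicators as published in the advisory above (upper-case hex).
ROOTKIT_SHA256 = {
    "8D016D02F8FBE25DCE76481A90DD0B48630CE9E74E8C31BA007CF133E48B8526",
    "6EDD7B3123DE985846A805931CA8EE5F6F7ED7B160144AA0E066967BC7C0423A",
    "D57A2CAC394A778E19CE9B926F2E0A71936510798F30D20F207F2A49B49CE7B1",
}


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory buffer, normalised to upper-case hex."""
    return hashlib.sha256(data).hexdigest().upper()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def match_ioc(digest: str, iocs=ROOTKIT_SHA256) -> bool:
    """True if the digest (any case) is in the IOC set."""
    return digest.upper() in iocs


def scan_tree(root, iocs=ROOTKIT_SHA256):
    """Hash every regular file below root and return (path, digest) pairs that hit the IOC set.

    Symlinks are skipped so a link into /proc or a loop does not stall the scan,
    and unreadable files are skipped rather than aborting the whole run.
    """
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            digest = sha256_of_file(p)
        except OSError:
            continue
        if digest in iocs:
            hits.append((str(p), digest))
    return hits


def selfcheck():
    """Constructed check: a temp file whose hash we put in a constructed IOC set must be found,
    and a second file with unrelated content must not be."""
    with tempfile.TemporaryDirectory() as tmp:
        wanted = os.path.join(tmp, "constructed_sample.ko")
        other = os.path.join(tmp, "benign.txt")
        with open(wanted, "wb") as f:
            f.write(b"abc")  # constructed content, not a real sample
        with open(other, "wb") as f:
            f.write(b"nothing to see here")
        constructed_iocs = {sha256_of_bytes(b"abc")}
        return scan_tree(tmp, constructed_iocs)


if __name__ == "__main__":
    # Assumed default: kernel modules live under /lib/modules on most distributions.
    root = sys.argv[1] if len(sys.argv) > 1 else "/lib/modules"
    for path, digest in scan_tree(root):
        print(f"IOC match: {path} {digest}")
```

    Run it as root with the directory to scan as the first argument; an empty result only means none of the three published hashes were found, not that the host is clean, since the rootkit module may have been rebuilt or stripped.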

    Reference:

    https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware


    Tags

    Malware, Rootkit
