A new variant of the Diamorphine Linux kernel rootkit demonstrating enhanced evasion techniques and sophisticated functionalities has been detected in the wild, underscoring the evolving threat landscape that targets Linux systems.
Diamorphine has long been a notorious name in the realm of Linux kernel rootkits. Known for its compatibility across a wide range of Linux kernels (from 2.6.x to 6.x) and processor architectures (x86, x86_64, ARM64), Diamorphine has been a versatile tool for attackers.
It becomes invisible when loaded into the system and conceals files and directories whose names carry a user-defined prefix. Additionally, it allows threat actors to hide or unhide processes and modules and to escalate privileges to root, providing significant control over compromised systems.
In early March 2024, researchers from Avast stumbled upon an undetected Diamorphine variant. The analysis began with examining the ‘.modinfo’ section, revealing that the variant impersonates the legitimate x_tables Netfilter module and was compiled specifically for Kernel 5.19.17. This strategic disguise helps the rootkit blend in with normal system operations, evading detection by traditional security mechanisms.
One of the standout features that researchers found in this new variant is the ability to stop the rootkit by sending a specific message to a device it creates, named ‘xx_tables’. This device facilitates communication between user space and the kernel, enabling various commands to be executed from user space.
The rootkit also introduces the capability to execute arbitrary operating system commands via “magic packets.” These specially crafted network packets, when sent to the compromised system, trigger the rootkit to perform predefined actions, providing attackers with a powerful remote control mechanism.
Deploying this Diamorphine variant requires a Linux system running Kernel 5.19.17. Researchers identified Ubuntu 22.04 (Jammy Jellyfish) as a suitable target, as symbol versions in this distribution partially matched those found in the new variant. This match was verified using tools like Radare2 and VirusTotal, pointing to a deliberate targeting strategy by the attackers.
“By listing the functions with Radare2, we can notice that the sample under analysis consisted of Diamorphine kernel rootkit (i.e. module_hide, hacked_kill, get_syscall_table_bf, find_task, is_invisible, and module_show). But we can also see additional functions in the module (a, b, c, d, e, f, and setup) indicating that the sample was weaponized with more payloads,” the researchers noted.
To make the rootkit operations appear legitimate, the ‘init_module’ function creates a device named ‘xx_tables,’ following the Unix principle of “everything is a file.” This device structure enables seamless interaction between user and kernel mode, seemingly hiding the rootkit’s malicious intent. The file operations structure linked to this device handles commands, including those for terminating the rootkit.
The function responsible for the ‘dev_write’ operation reads commands from user space via the ‘xx_tables’ device. It utilises the ‘_copy_from_user’ API to transfer the data safely and checks that the received data is not empty before processing it. If the command ‘exit’ is received, the rootkit initiates its ‘exit_’ function, which restores the system and removes the rootkit from memory.
The ‘exit_’ function destroys the ‘xx_tables’ device and its associated structures, unregisters the character device and its device number region, removes the Netfilter hooks, and restores the original system call pointers, erasing traces of the rootkit’s presence.
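The device name reported above is a usable host indicator. The following script is an added defender-side example, not code from the Avast analysis: it looks for a character device registered under ‘xx_tables’ by parsing /proc/devices (which the kernel generates from its chrdev table rather than from a directory listing) and checks for a /dev node with stat() rather than by listing the directory, on the assumption, as in the original Diamorphine, that file hiding works at the directory-listing level. The sample /proc/devices text is constructed.

```python
import os
import re

# Indicator reported in the article: the variant registers a character
# device named "xx_tables" (mimicking the legitimate x_tables module).
INDICATOR_DEVICE = "xx_tables"

def find_chrdev(proc_devices_text, name=INDICATOR_DEVICE):
    """Parse the text of /proc/devices and return the major numbers of
    character devices registered under `name` (empty list if none).
    Only the "Character devices:" section is considered."""
    majors = []
    section = None
    for raw in proc_devices_text.splitlines():
        line = raw.strip()
        if line.endswith("devices:"):
            section = line          # "Character devices:" or "Block devices:"
            continue
        if section != "Character devices:" or not line:
            continue
        m = re.fullmatch(r"(\d+)\s+(\S+)", line)
        if m and m.group(2) == name:
            majors.append(int(m.group(1)))
    return majors

def device_node_present(name=INDICATOR_DEVICE):
    """Check /dev/<name> with stat() (os.path.exists) instead of listing
    /dev; assumption: the rootkit hides entries at listing time only."""
    return os.path.exists(os.path.join("/dev", name))

def scan_live_host():
    """Run both checks on the running system and return the findings."""
    with open("/proc/devices") as fh:
        majors = find_chrdev(fh.read())
    return {"chrdev_majors": majors, "dev_node": device_node_present()}

# Constructed sample of /proc/devices content for offline testing.
SAMPLE_PROC_DEVICES = """Character devices:
  1 mem
  4 tty
  5 /dev/tty
236 xx_tables
Block devices:
  8 sd
"""

if __name__ == "__main__":
    print(scan_live_host())
```

A non-empty ‘chrdev_majors’ list or a present device node is a signal to preserve memory and escalate, not proof on its own, since a benign module could reuse the name.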
Researchers found a notable enhancement in this variant, that is, the implementation of magic packets, supporting both IPv4 and IPv6. These packets must contain specific encrypted values to be recognised by the rootkit. Once validated, the rootkit extracts and executes the command within the packet, allowing attackers to control the infected system remotely.
They also found that despite retaining much of the original code, the new Diamorphine variant includes modifications to hide files and directories containing particular strings. This added layer of stealth makes it even more challenging to detect and mitigate.
Threat actors have incorporated device-based control and magic packet functionalities to enhance the rootkit’s stealth and operational capabilities.
Cybersecurity experts have urged users to apply updates regularly, use VPNs, and avoid untrusted sources.