Friday, December 6, 2024
Homecyber securityDiamorphine Rootkit Exploiting Linux Systems In The Wild

Diamorphine Rootkit Exploiting Linux Systems In The Wild

Published on

SIEM as a Service

Threat actors exploit Linux systems because they are prevalent in organizations that host servers, databases, and other important resources. 

Exploiting vulnerabilities in Linux systems allows attackers to gain access to sensitive data, disrupt services, or deploy malware. 

Besides this, the open-source nature of Linux can sometimes expose the security flaws that hackers can exploit.

- Advertisement - SIEM as a Service

Cybersecurity analysts at Avast recently identified that the Diamorphine rootkit is actively exploiting Linux systems in the wild.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Diamorphine Rootkit Linux Systems

Code reuse makes it possible to find new viruses more effectively and trace old ones. Diamorphine has become a popular Linux rootkit that may be used in many kernel versions with different architectures.

Another variant, which had not been identified yet, was discovered in March 2024. It pretended to be an x_tables module for kernel 5.19.17. 

Avast analysis showed that Diamorphine has some core attributes, including process hiding, module hiding, root escalation, and other payloads.

A few additions are breaking Diamorphine via xx_tables messages and sending magical packets to run arbitrary OS commands.

xx_tables messages

To test this Diamorphine variant impersonating Netfilter’s x_tables module for kernel 5.19.17, Ubuntu 22.04 (Jammy) is a suitable distribution matching the symbol versions. 

It creates the xx_tables device for user-kernel communication, with the “g” function handling write operations by copying data from userspace via copy_from_user. 

If “exit” is sent, exit_function restores the system and unloads the module. 

New functionality supports IPv4/IPv6 “magic packets” containing encrypted strings like “whitehat.” These packets trigger the execution of arbitrary commands extracted from them after passing netfilter_hook_function checks in nested a,b,c,d,e,f calls.

Here below, we have mentioned all the functions that are performed by the exit_ function:-

  • It destroys the device created by the rootkit.
  • It destroys the struct class that was used for creating the device.
  • Deletes the cdev (character device) that was created.
  • Unregisters the chrdev_region.
  • Unregisters the Netfilter hooks implementing the “magic packets“.
  • Finally, it replaces the pointers with the original functions in the system_calls table.

New undetected Linux kernel rootkits implementing “magic packet” functionality for arbitrary command execution, such as Syslogk, AntiUnhide, Chicken, and this updated Diamorphine variant, continue to be discovered. 

The latest Diamorphine adds a device interface to unload the rootkit module and “magic packet” handling to trigger the execution of any commands on the compromised system. 

Ongoing collaboration aims to provide the highest protection against these stealthy kernel-level threats.

Recommendations

Here below, we have mentioned all the provided recommendations:-

  • Stay vigilant for new kernel rootkits that are utilizing “magic packets” in order to implement remote code execution.
  • Stay up-to-date with new rootkit versions that introduce harmful functionalities such as offload interfaces and packet command triggers.
  • Prefer solid prevention strategy against kernel threats through collaborative security work and advanced detection.
  • Strengthen your systems’ defenses to protect them from hidden kernel-level malware and illegal entry.
  • Establish tough network surveillance and filtering for possible communication using a “magic packet” by a rootkit.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...