Threat actors exploit Linux systems because they are prevalent in organizations that host servers, databases, and other important resources.
Exploiting vulnerabilities in Linux systems allows attackers to gain access to sensitive data, disrupt services, or deploy malware.
Besides this, the open-source nature of Linux can sometimes expose the security flaws that hackers can exploit.
Cybersecurity analysts at Avast recently identified that the Diamorphine rootkit is actively exploiting Linux systems in the wild.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot
Code reuse makes it possible to find new viruses more effectively and trace old ones. Diamorphine has become a popular Linux rootkit that may be used in many kernel versions with different architectures.
Another variant, which had not been identified yet, was discovered in March 2024. It pretended to be an x_tables module for kernel 5.19.17.
Avast analysis showed that Diamorphine has some core attributes, including process hiding, module hiding, root escalation, and other payloads.
A few additions are breaking Diamorphine via xx_tables messages and sending magical packets to run arbitrary OS commands.
To test this Diamorphine variant impersonating Netfilter’s x_tables module for kernel 5.19.17, Ubuntu 22.04 (Jammy) is a suitable distribution matching the symbol versions.
It creates the xx_tables device for user-kernel communication, with the “g” function handling write operations by copying data from userspace via copy_from_user.
If “exit” is sent, exit_function restores the system and unloads the module.
New functionality supports IPv4/IPv6 “magic packets” containing encrypted strings like “whitehat.” These packets trigger the execution of arbitrary commands extracted from them after passing netfilter_hook_function checks in nested a,b,c,d,e,f calls.
Here below, we have mentioned all the functions that are performed by the exit_ function:-
New undetected Linux kernel rootkits implementing “magic packet” functionality for arbitrary command execution, such as Syslogk, AntiUnhide, Chicken, and this updated Diamorphine variant, continue to be discovered.
The latest Diamorphine adds a device interface to unload the rootkit module and “magic packet” handling to trigger the execution of any commands on the compromised system.
Ongoing collaboration aims to provide the highest protection against these stealthy kernel-level threats.
Here below, we have mentioned all the provided recommendations:-
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
Cybersecurity researcher "0xdf" has cracked the "Ghost" challenge on Hack The Box (HTB), a premier…
Google has unveiled Sec-Gemini v1, an AI model designed to redefine cybersecurity operations by empowering…
The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…
Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…
A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…
EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…