Linux Defense Evasion Techniques Detected by AhnLab EDR

The article reviews Linux defense evasion techniques detected by AhnLab EDR, focusing on how threat actors bypass security controls such as firewalls and Linux security modules and how they use rootkits. It highlights how AhnLab EDR detects these behaviors and how groups like Watchdog and malware like Kinsing and Diamorphine are involved.

Keypoints

  • Defense evasion on Linux is a focus, with attackers aiming to bypass host-based protections after initial compromise.
  • Firewall bypass: threat actors deactivate host firewalls (e.g., on Ubuntu) and remove iptables rules to enable malicious activity.
  • Kinsing CoinMiner is shown deactivating the target’s firewall on Ubuntu, illustrating practical firewall evasion.
  • Linux Security Module deactivation: attackers can disable SELinux and AppArmor and weaken security policies.
  • Rootkit usage: kernel-mode rootkits (e.g., Diamorphine) cloak processes, files, and directories to avoid detection.
  • Diamorphine and Reptile rootkits are cited as examples, with Watchdog described as employing a combination of user-mode rootkits and Diamorphine.
  • AhnLab EDR detects these defense-evasion events (firewall deactivation, LSM deactivation, rootkit installation) to aid incident response and evidence gathering.

MITRE Techniques

  • [T1562.004] Impair Defenses: Disable Firewall – The article notes that Kinsing CoinMiner deactivates the target's firewall and removes iptables rules. “Kinsing CoinMiner deactivates the firewall of the target if it is using the Ubuntu environment and removes the Iptables rules.”
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – Kinsing can deactivate SELinux and AppArmor and also disable security policies that interfere with its malicious behaviors. “Kinsing can deactivate SELinux and AppArmor and also disable security policies that interfere with its malicious behaviors.”
  • [T1014] Rootkit – Rootkits conceal themselves to evade detection; the article describes Diamorphine and Reptile as examples and notes their cloaking capabilities. “Rootkits are malware strains that possess the capability to conceal themselves or other malware types.”
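The three event classes above (firewall deactivation, LSM deactivation, rootkit module loading) map naturally onto process-execution telemetry. The following is an added example, not code from the article or from AhnLab EDR: a small Python detector that classifies constructed process-execution events against the three MITRE techniques and then flags any user that exhibits more than one class, since the combination is a stronger signal than any single command. The event format and rule patterns are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical rules (assumption, not AhnLab EDR's logic): each regex over an
# executed command line maps to the MITRE technique the article cites.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("T1562.004", "firewall deactivation",
     re.compile(r"\b(ufw\s+disable|systemctl\s+(stop|disable)\s+(ufw|firewalld|nftables)"
                r"|iptables\s+(-F|--flush|-P\s+\w+\s+ACCEPT)|nft\s+flush\s+ruleset)\b")),
    ("T1562.001", "LSM deactivation",
     re.compile(r"\b(setenforce\s+0|systemctl\s+(stop|disable)\s+apparmor|aa-teardown"
                r"|SELINUX=disabled)\b")),
    ("T1014", "kernel rootkit load",
     re.compile(r"\b(insmod|modprobe)\s+\S*(diamorphine|reptile)\S*", re.IGNORECASE)),
]

# Constructed sample telemetry (assumed format): "<timestamp> uid=<n> cmd=<command line>"
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 uid=0 cmd=apt-get install -y curl
2024-01-01T10:00:05 uid=0 cmd=ufw disable
2024-01-01T10:00:06 uid=0 cmd=iptables -F
2024-01-01T10:00:09 uid=0 cmd=setenforce 0
2024-01-01T10:00:10 uid=0 cmd=systemctl stop apparmor
2024-01-01T10:00:15 uid=0 cmd=insmod /tmp/diamorphine.ko
2024-01-01T10:00:20 uid=1000 cmd=ls -la /home
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")


def classify(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (technique id, label) for the first matching rule, else None."""
    for technique, label, pattern in RULES:
        if pattern.search(cmd):
            return technique, label
    return None


def detect(events: str) -> List[Dict[str, str]]:
    """Parse events and return one hit per command matching a defense-evasion rule."""
    hits: List[Dict[str, str]] = []
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        result = classify(m["cmd"])
        if result:
            hits.append({"ts": m["ts"], "uid": m["uid"], "cmd": m["cmd"],
                         "technique": result[0], "label": result[1]})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each uid to the sorted set of techniques it triggered; several per uid is escalation."""
    by_uid: Dict[str, set] = {}
    for h in hits:
        by_uid.setdefault(h["uid"], set()).add(h["technique"])
    return {uid: sorted(t) for uid, t in by_uid.items()}
```

Running `summarize(detect(SAMPLE_EVENTS))` on the constructed sample attributes all three techniques to uid 0 and nothing to uid 1000.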

Indicators of Compromise

  • [File name] Kinsing CoinMiner – the malware noted as deactivating the target's firewall; context: used in Ubuntu environments.
  • [File name] Diamorphine – rootkit referenced as part of the cloaking/rootkit toolkit used by Watchdog; context: kernel/rootkit component.

Read more: https://asec.ahnlab.com/en/66810/