AVAST Threat Labs analyzes code reuse in malware and highlights a new Diamorphine Linux kernel rootkit variant with Netfilter-based covert capabilities and command execution through magic packets. The variant, discovered in early March 2024, demonstrates new payloads such as an xx_tables device for user-kernel communication and the ability to unload itself. #Diamorphine #Netfilter
Key points
- Code reuse is very frequent in malware, especially for parts that are complex to develop or hard to write with a different approach.
- Diamorphine is a well-known Linux kernel rootkit that hides files and folders and allows the threat actor to perform various operations, including privilege escalation.
- A new undetected Diamorphine variant was discovered in early March 2024.
- The new variant impersonates the Netfilter x_tables module so that its Netfilter hook registration does not draw suspicion.
- The sample creates a device named xx_tables to enable user-space to kernel-space communication and uses a dev_write path to receive commands.
- It supports magic packets (IPv4 and IPv6) that can contain and execute arbitrary operating system commands.
- The rootkit can unload itself via an exit_ function, restoring the system and cleaning up kernel resources.
MITRE Techniques
- [T1564] Hide Artifacts – The rootkit hides files/folders and the kernel module, can hide/unhide processes, and can elevate privileges to root. “hide/unhide arbitrary processes, hide/unhide the kernel module, and elevate privileges to become root.”
- [T1036] Masquerading – Impersonating the Netfilter x_tables module to avoid suspicion. “Impersonating the X_Tables Netfilter module is a clever idea because, this way, registering Netfilter hooks doesn’t raise suspicions, since interacting with Netfilter is an expected behaviour.”
- [T1059.004] Unix Shell – Executes arbitrary operating system commands via magic packets. “Execute arbitrary operating system commands via magic packets.”
- [T1068] Privilege Escalation – Elevates privileges to become root. “elevate privileges to become root.”
Indicators of Compromise
- [Hash] SHA-256 hash – 067194bb1a70e9a3d18a6e4252e9a9c881ace13a6a3b741e9f0ec299451c2090
- [File name] xx_tables – device/file used for user-space to kernel-space communication
- [File name] diamorphine.c – rootkit source file referenced (module_hide, hacked_kill, get_syscall_table_bf, find_task, is_invisible, module_show)
- [File name] diamorphine.mod.c – related module source file
- [URL] VirusTotal file page – https://www.virustotal.com/gui/file/067194bb1a70e9a3d18a6e4252e9a9c881ace13a6a3b741e9f0ec299451c2090
- [URL] IoC repository – https://github.com/avast/ioc/tree/master/Diamorphine
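The following host-side triage script is an added example, not code from the Avast report or its IoC repository. It turns the key points above (the xx_tables device used for user-space to kernel-space commands, the hidden module) and the published SHA-256 into three checks a responder can run on a suspect Linux host: hash a file against the sample hash, look for the xx_tables device name in /proc/devices and /dev, and list loadable modules that appear in /sys/module but not in /proc/modules. The checks take their input data as arguments so they run on captured artifacts as well as live; the file paths read in collect_live_inputs and all function names are this example's own assumptions.

```python
"""Host-side triage checks for the Diamorphine variant summarised above.

Added example, not Avast's code. The SHA-256 and the device name xx_tables
are the values the page reports; the paths read and the function names are
this example's own assumptions.
"""
import hashlib
import os
import re
from pathlib import Path

# IoC from the page: SHA-256 of the analysed kernel module sample.
KNOWN_SAMPLE_SHA256 = "067194bb1a70e9a3d18a6e4252e9a9c881ace13a6a3b741e9f0ec299451c2090"
# Device name the variant registers for user-space to kernel-space commands.
SUSPICIOUS_DEVICE_NAME = "xx_tables"


def sha256_of_bytes(data: bytes) -> str:
    """Return the hex SHA-256 of a byte string (e.g. a .ko file's contents)."""
    return hashlib.sha256(data).hexdigest()


def matches_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the published sample hash."""
    return sha256_of_bytes(data) == KNOWN_SAMPLE_SHA256


def find_suspicious_devices(proc_devices_text: str, dev_names):
    """Report the xx_tables name in /proc/devices text or in a /dev listing.

    /proc/devices lines look like "  10 xx_tables"; dev_names is an iterable
    of entry names under /dev. Both are passed in so the check works on
    captured data as well as on a live host.
    """
    hits = []
    for line in proc_devices_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m and m.group(2) == SUSPICIOUS_DEVICE_NAME:
            hits.append(f"/proc/devices: major {m.group(1)} registered as {m.group(2)}")
    for name in dev_names:
        if name == SUSPICIOUS_DEVICE_NAME:
            hits.append(f"/dev/{name} present")
    return hits


def hidden_module_candidates(proc_modules_text: str, sysfs_loaded_modules):
    """Loadable modules present in /sys/module but absent from /proc/modules.

    Unlinking a module from the kernel's module list hides it from lsmod
    (/proc/modules). Whether its sysfs entry survives depends on the rootkit,
    so an empty result does not prove a clean host; a non-empty one is a
    discrepancy that warrants a memory-level check.
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sysfs_loaded_modules) - listed)


def triage_report(proc_devices_text, dev_names, proc_modules_text, sysfs_loaded_modules):
    """Combine the device and module checks into a dict of findings."""
    return {
        "devices": find_suspicious_devices(proc_devices_text, dev_names),
        "hidden_modules": hidden_module_candidates(proc_modules_text, sysfs_loaded_modules),
    }


def collect_live_inputs():
    """Read the live host's /proc and /sys (Linux only). Only loadable modules
    have an initstate file under /sys/module, which filters out built-ins."""
    proc_devices = Path("/proc/devices").read_text()
    dev_names = os.listdir("/dev")
    proc_modules = Path("/proc/modules").read_text()
    sysfs = [p.name for p in Path("/sys/module").iterdir() if (p / "initstate").exists()]
    return proc_devices, dev_names, proc_modules, sysfs


if __name__ == "__main__":
    report = triage_report(*collect_live_inputs())
    for key, findings in report.items():
        print(key, findings or "none")
```

Run it as root on the suspect host, or feed it copies of /proc/devices, /proc/modules and the /dev and /sys/module listings taken from a forensic image. A hit on the device name or the hash is strong evidence; the module-list discrepancy is only a lead, because a rootkit that also removes its sysfs object leaves nothing for this comparison to find.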
Read more: https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild