The leaked source code reveals VoidLink as a multigenerational, hybrid LKM–eBPF Linux rootkit developed with AI-assisted workflows that provides ICMP-based covert C2, delayed initialization, anti-debugging, module masquerading, and memfd-aware boot persistence. The analysis documents eBPF Netlink-buffer “swallowing” to hide ss entries, multiple kernel-targeted hooking strategies across CentOS 7 to kernel 5/6, and operational artifacts tied to Alibaba Cloud infrastructure. #VoidLink #AlibabaCloud
Keypoints
- VoidLink’s kernel subsystem is a hybrid design combining a Loadable Kernel Module (vl_stealth / amd_mem_encrypt) with companion eBPF programs to achieve complementary hiding capabilities (processes, /proc files, netstat, and ss).
- The eBPF component implements a novel Netlink “swallowing” technique that modifies userspace Netlink buffers via bpf_probe_write_user to hide SOCK_DIAG_BY_FAMILY entries from ss.
- Four generations of development were observed: CentOS 7 syscall-table patching, kernel-5.x ftrace/kprobe adaptations, production-ready module parameters and dual Netfilter ICMP hooks, and an “Ultimate Stealth v5” with delayed hooks, anti-debugging timers, and kill protection.
- VoidLink uses an ICMP-based covert command-and-control protocol with XOR-encrypted payloads, runtime key/magic rotation, and operator tooling (icmp_ctl.py) for commands including hide_pid, hide_port, give_root, and destruct.
- Operational evidence (compiled .ko files, memfd-aware load script, and Alibaba Cloud IPs) and code artifacts (phase-numbered refactoring comments, repeated iterative versions) indicate human-in-the-loop development using an LLM-assisted workflow.
- Defensive opportunities include cross-referencing multiple system views (ps vs /proc, ss vs /proc/net/tcp), detecting unexpected ftrace or eBPF programs, monitoring Auditd for module loads, and enforcing Secure Boot/kernel module signing and eBPF restrictions.
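The cross-view check from the last keypoint, as an added example that is not part of the Elastic write-up or the VoidLink code: it parses /proc/net/tcp and the output of `ss -ltn`, reports listening sockets that the procfs view shows but the Netlink-based view (what ss uses, and what the eBPF component filters) does not, and does the same for /proc PID directories versus `ps`. The /proc/net/tcp, ss, and ps text below is constructed sample input; port 8080 (the page's default hidden port) and PID 4242 are the planted discrepancies.

```python
# Added example, not the project's own code. Cross-references two system views
# so that a socket or process filtered out of one view but not the other stands out.

def parse_proc_net_tcp(text: str) -> set[tuple[str, int]]:
    """Return (ip, port) pairs for LISTEN sockets (st == 0A) in /proc/net/tcp text."""
    listening = set()
    for line in text.strip().splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":     # 0A is TCP_LISTEN
            continue
        ip_hex, port_hex = fields[1].split(":")
        # IPv4 is stored as 8 hex digits in little-endian byte order
        octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)][::-1]
        listening.add((".".join(map(str, octets)), int(port_hex, 16)))
    return listening


def parse_ss_listen(text: str) -> set[tuple[str, int]]:
    """Return (ip, port) pairs for LISTEN rows of `ss -ltn` output (IPv4 rows only)."""
    listening = set()
    for line in text.strip().splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        ip, _, port = fields[3].rpartition(":")
        if ip.startswith("["):                       # IPv6 rows such as [::]:22
            continue
        if ip == "*":
            ip = "0.0.0.0"
        listening.add((ip, int(port)))
    return listening


def sockets_hidden_from_ss(proc_text: str, ss_text: str) -> list[tuple[str, int]]:
    """Listening sockets present in /proc/net/tcp but missing from ss output.

    ss reads sockets over Netlink (SOCK_DIAG), /proc/net/tcp does not; a socket
    that appears in only one of the two views is a filtering indicator."""
    return sorted(parse_proc_net_tcp(proc_text) - parse_ss_listen(ss_text))


def pids_hidden_from_ps(proc_pids: set[int], ps_text: str) -> list[int]:
    """PIDs that exist as /proc/<pid> directories but are absent from `ps -eo pid`."""
    shown = {int(tok) for tok in ps_text.split() if tok.isdigit()}
    return sorted(proc_pids - shown)


# Constructed sample input: sshd on 22, a web server on 127.0.0.1:80, a listener on
# 8080 that ss no longer reports, and one established connection (st == 01).
PROC_NET_TCP_SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18222 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18302 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23110 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 23311 1 0000000000000000 20 4 30 10 -1
"""

SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128         0.0.0.0:22         0.0.0.0:*
LISTEN 0      511       127.0.0.1:80         0.0.0.0:*
LISTEN 0      128            [::]:22            [::]:*
"""

# Constructed: PID 4242 has a /proc entry but does not show up in ps.
PROC_PIDS_SAMPLE = {1, 842, 1337, 4242}
PS_SAMPLE = """  PID
    1
  842
 1337
"""

if __name__ == "__main__":
    # Live run on a Linux host: compare the real views instead of the samples.
    import os
    import subprocess
    with open("/proc/net/tcp") as fh:
        proc_text = fh.read()
    ss_text = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps_text = subprocess.run(["ps", "-eo", "pid"], capture_output=True, text=True).stdout
    print("listening in /proc/net/tcp but not in ss:", sockets_hidden_from_ss(proc_text, ss_text))
    print("in /proc but not in ps:", pids_hidden_from_ps(proc_pids, ps_text))
```

The signal is the divergence, not either view on its own: the keypoints above note that the LKM also filters /proc entries, so two views that agree do not prove a clean host, and a third source (packet capture on the wire, or a scan from another host) is the natural tiebreaker. Conversely, a listener or PID that appears only in procfs lines up with the page's description of the eBPF component rewriting the Netlink replies that ss consumes.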
MITRE Techniques
- [T1574] Hijack Execution Flow – The rootkit redirects kernel execution via syscall table patching and ftrace hooks to intercept functions and syscalls (e.g., `sys_call_table[__NR_getdents64] = (unsigned long)hooked_getdents64;`).
- [T1095] Non-Application Layer Protocol – The operator uses an ICMP covert channel (Netfilter hook intercepting Echo Requests) for C2 with XOR-encrypted payloads (‘the rootkit’s Netfilter hook intercepts them before the kernel’s normal ICMP processing can generate a response.’).
- [T1036] Masquerading – The module impersonates a legitimate AMD driver by copying module metadata to evade inspection (`MODULE_AUTHOR("Advanced Micro Devices, Inc."); MODULE_DESCRIPTION("AMD Memory Encryption Support");`).
- [T1027] Obfuscated Files or Information – Simple XOR obfuscation of ICMP payloads and XOR-encrypted/decoded module-name strings to hinder basic string scanning (‘The data field is XOR-encrypted with a single-byte key, 0x42 by default.’).
- [T1070] Indicator Removal on Host – The rootkit removes itself from the kernel module list, suppresses kernel log output, and filters sensitive pseudo-files to hide artifacts (‘removing the module from the kernel’s module list’).
- [T1547] Boot or Logon Autostart Execution – Boot-time persistence is implemented via load_lkm.sh with a hard-coded module path to ensure module loading at boot (‘hard-codes a path to /root/kernel5x_new/vl_stealth.ko’).
Indicators of Compromise
- [IPv4] operator infrastructure – 8.149.128[.]10, 116.62.172[.]147
- [File name] kernel module and artifacts – vl_stealth.ko, amd_mem_encrypt.ko (and files like hide_ss.bpf.o, icmp_ctl.py)
- [File path] boot/persistence and BPF map locations – /root/kernel5x_new/vl_stealth.ko, /sys/fs/bpf/vl_hide_tcp, /var/log/vl_boot.log
- [String / module metadata] masquerade markers – “AMD Memory Encryption Support”, “Advanced Micro Devices, Inc.”
- [BPF map / symbol names] eBPF artifacts – hidden_ports, recvmsg_ctx (and other maps referenced in hide_ss.bpf.c)
- [Network port] default hidden port – 8080
- [ICMP / crypto identifiers] C2 identifiers – 0xC0DE (default ICMP magic), 0x42 (default XOR key)
Read more: https://www.elastic.co/security-labs/illuminating-voidlink