This article discusses a critical zero-day exploit affecting CentOS Linux, where attackers gain full remote control of compromised systems through a rootkit and malicious scripts. The analysis details the techniques used by the attackers to hijack network traffic and execute commands.
Affected: CentOS Linux
Key points:
- Critical vulnerability allows full remote control of CentOS systems.
- Attackers deployed a rootkit (sysinitd.ko) and a user-space binary (sysinitd) via a malicious script (Install.sh).
- Rootkit persistence achieved by modifying system startup files.
- Kernel module hijacks inbound network traffic and communicates with user-space malware.
- Fortinet provides protections against these threats through its antivirus services.
MITRE Techniques:
- T1210 - Exploitation of Remote Services: Attackers exploit vulnerabilities to gain control over the system.
- T1059 - Command and Scripting Interpreter: The attackers utilize shell scripts to execute commands on the compromised system.
- T1071 - Application Layer Protocol: The rootkit communicates over standard protocols to maintain control.
- T1047 - Windows Management Instrumentation: The kernel module uses system calls to interact with user-space processes.
Indicators of Compromise:
- [file hash] 8D016D02F8FBE25DCE76481A90DD0B48630CE9E74E8C31BA007CF133E48B8526 (install.sh)
- [file hash] 6EDD7B3123DE985846A805931CA8EE5F6F7ED7B160144AA0E066967BC7C0423A (sysinitd.ko)
- [file hash] D57A2CAC394A778E19CE9B926F2E0A71936510798F30D20F207F2A49B49CE7B1 (sysinitd)
- See the full article for the complete list of IoCs.
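The following is an added defender-side example, not code from the Fortinet article or from this summary: a small host check that hashes files under chosen directories against the three SHA-256 IoCs listed above and reports whether a kernel module named sysinitd appears in /proc/modules. The IoC hashes and the module name come from the summary; the sample /proc/modules text, the scan roots and the helper names are constructed for illustration.

```python
import hashlib
import os
from typing import Iterable

# SHA-256 file hashes taken from the IoC list above (uppercase hex).
IOC_SHA256 = {
    "8D016D02F8FBE25DCE76481A90DD0B48630CE9E74E8C31BA007CF133E48B8526": "install.sh",
    "6EDD7B3123DE985846A805931CA8EE5F6F7ED7B160144AA0E066967BC7C0423A": "sysinitd.ko",
    "D57A2CAC394A778E19CE9B926F2E0A71936510798F30D20F207F2A49B49CE7B1": "sysinitd",
}

# Kernel module name from the summary (the .ko suffix is not shown in /proc/modules).
SUSPECT_MODULE = "sysinitd"

# Constructed sample of /proc/modules content for offline testing, not real output.
SAMPLE_PROC_MODULES_CLEAN = "ext4 737280 1 - Live 0x0000000000000000\n" \
                            "xfs 1441792 0 - Live 0x0000000000000000\n"
SAMPLE_PROC_MODULES_INFECTED = SAMPLE_PROC_MODULES_CLEAN + \
                               "sysinitd 16384 0 - Live 0x0000000000000000\n"


def sha256_bytes(data: bytes) -> str:
    """Uppercase hex SHA-256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest().upper()


def sha256_file(path: str) -> str:
    """Uppercase hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_paths(roots: Iterable[str]) -> list:
    """Walk each root directory and return (path, ioc_label) for every IoC hash match.
    Unreadable files are skipped; a missing root simply yields nothing."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    digest = sha256_file(full)
                except OSError:
                    continue
                if digest in IOC_SHA256:
                    hits.append((full, IOC_SHA256[digest]))
    return hits


def loaded_modules(proc_modules_text: str) -> list:
    """Parse /proc/modules text ('name size refcount deps state address') into module names."""
    return [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]


def suspect_module_loaded(proc_modules_text: str) -> bool:
    """True if the sysinitd module name appears in the given /proc/modules text."""
    return SUSPECT_MODULE in loaded_modules(proc_modules_text)


if __name__ == "__main__":
    # Hypothetical scan roots; adjust to the directories you want to check.
    roots = ["/tmp", "/usr/local/bin", "/lib/modules"]
    for path, label in scan_paths(roots):
        print(f"IoC match: {path} matches known {label}")
    try:
        with open("/proc/modules") as f:
            if suspect_module_loaded(f.read()):
                print(f"kernel module '{SUSPECT_MODULE}' is loaded")
    except OSError:
        print("/proc/modules not readable on this host")
```

A hash match or a loaded module named sysinitd is a strong indicator, but a rootkit that hides itself from /proc/modules would not be caught by the second check, so treat a clean result as inconclusive rather than as proof of absence.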
Full Research: https://feeds.fortinet.com/~/910912481/0/fortinet/blog/threat-research~Deep-Dive-Into-a-Linux-Rootkit-Malware