This first part of a two-part series outlines how Linux rootkits work, covering their taxonomy, evolution (userland SO hooks → LKMs → eBPF → emerging io_uring techniques), and the wide range of kernel- and user-space hooking methods attackers use to hide processes, files, and network activity. It surveys real-world examples, loader/payload models, persistence and privilege-escalation patterns (e.g., Dirty Pipe), and the detection challenges that lead into part two on detection engineering. #FlipSwitch #Reptile
Keypoints
- Rootkits prioritize stealth and persistence, operating in user space (LD_PRELOAD, shared objects) or kernel space (LKMs, inline patches, syscall hooks) to hide artifacts from users and security tools.
- Linux rootkits have evolved from simple SO/userland hooks to sophisticated kernel-resident implants and newer abuse of in-kernel mechanisms such as eBPF and io_uring to evade detection.
- Common kernel hooking techniques include syscall table patching, inline function prologue patching, VFS/file-operations hooks, ftrace-based callbacks, and kprobes; each has trade-offs in stealth, stability, and compatibility.
- Loaders range from simple malware droppers and LD_PRELOAD persistence to custom kernel loaders that bypass insmod/modprobe and module signing; loaders often perform privilege escalation, cleanup, and persistence (systemd, cron, udev).
- Modern mitigations (Secure Boot, module signing, CONFIG_STRICT_KERNEL_RWX, kernel lockdown, and syscall dispatch changes in kernel 6.9) have pushed attackers toward alternative vectors like eBPF and io_uring, but novel techniques (e.g., FlipSwitch) can still bypass hardening.
- Detection requires low-level visibility: memory forensics, kernel integrity checks, auditing for active ftrace ops/kprobes/eBPF programs, checking for unexpected modules or modified kernel text, and monitoring io_uring/syscall patterns.
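As an added illustration of the module and ftrace checks named in the last point (example code written for this digest, not from the Elastic article or any rootkit project): it cross-checks the module names in /proc/modules against /sys/module, and scans the ftrace enabled_functions listing for syscall entry points that carry an active callback. All sample inputs are constructed; the enabled_functions line layout is approximated, and the function names and regex are this example's own.

```python
"""Defender-side consistency checks for LKM rootkit artefacts.

Sample inputs below are constructed for this example. On a live host read
/proc/modules, list /sys/module (keep only entries that have an 'initstate'
file, since built-in modules appear there too), and read
/sys/kernel/debug/tracing/enabled_functions (needs root and mounted debugfs).
"""
import re

# Syscall entry symbols commonly hooked by rootkits (see the digest above).
WATCHED_SYSCALL_RE = re.compile(r"^(__x64_|__ia32_)?sys_(getdents64|getdents|execve|kill|bpf)$")

def parse_proc_modules(text: str) -> set:
    """/proc/modules lines look like: 'name size refcount deps state offset'."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def hidden_modules(proc_modules_text: str, sys_module_names) -> list:
    """Modules present in sysfs but missing from the kernel's module list.

    Classic LKM rootkits unlink themselves from the module list (hiding from
    lsmod and /proc/modules) but often leave /sys/module/<name> behind, so a
    sysfs-only name is a strong indicator. Absence proves nothing, though:
    a rootkit can remove its sysfs kobject as well.
    """
    return sorted(set(sys_module_names) - parse_proc_modules(proc_modules_text))

def hooked_syscalls(enabled_functions_text: str) -> list:
    """Syscall entry symbols that currently have an ftrace ops callback.

    Each enabled_functions line begins with the symbol name; the rest
    (count, flags, trampoline address, callback target) is ignored here.
    """
    hits = []
    for line in enabled_functions_text.splitlines():
        sym = line.split(maxsplit=1)[0] if line.strip() else ""
        if WATCHED_SYSCALL_RE.match(sym):
            hits.append(sym)
    return sorted(hits)

def report(proc_modules_text, sys_module_names, enabled_functions_text) -> dict:
    """Bundle both checks into one finding set for a host."""
    return {
        "hidden_modules": hidden_modules(proc_modules_text, sys_module_names),
        "ftrace_hooked_syscalls": hooked_syscalls(enabled_functions_text),
    }

# Constructed sample data: 'suspect_mod' exists only in sysfs, two syscalls hooked.
SAMPLE_PROC_MODULES = "xfs 1622016 2 - Live 0xffffffffc0c00000\nnf_tables 323584 0 - Live 0xffffffffc0b00000\n"
SAMPLE_SYS_MODULE = ["xfs", "nf_tables", "suspect_mod"]
SAMPLE_ENABLED_FUNCTIONS = (
    "__x64_sys_getdents64 (1) R I tramp: 0xffffffffc0aa0000 (0xffffffffc0a90120) ->ftrace_ops_assist_func+0x0/0xf0\n"
    "__x64_sys_execve (1) R I tramp: 0xffffffffc0aa1000 (0xffffffffc0a90120) ->ftrace_ops_assist_func+0x0/0xf0\n"
    "schedule (1) R I tramp: 0xffffffffc0aa2000 (0xffffffffc0a90240) ->ftrace_ops_assist_func+0x0/0xf0\n"
)

if __name__ == "__main__":
    print(report(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, SAMPLE_ENABLED_FUNCTIONS))
```

A benign tracer (e.g. a tracing tool attached to a syscall) also shows up in enabled_functions, so a hit is a lead for memory forensics, not a verdict on its own.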
MITRE Techniques
- [T1574] Hijack Execution Flow – Intercepting and redirecting function or syscall execution via techniques such as syscall table overwrites, inline prologue patches, or dispatcher patching; quote: ‘hooking is the practice of intercepting a function or system call invocation and redirecting it to malicious code.’
- [T1055] Process Injection – In-memory injection methods used by loaders to avoid disk artifacts and inject payloads into processes, e.g., ‘In-memory injection: Leveraging interfaces such as ptrace or memfd_create, often avoiding disk artifacts.’
- [T1068] Exploitation for Privilege Escalation – Using local kernel vulnerabilities to gain elevated privileges before installing a rootkit (example: Dirty Pipe); quote: ‘a common tactic exemplified by the “Dirty Pipe” vulnerability (CVE-2022-0847).’
- [T1105] Ingress Tool Transfer – Malware droppers downloading or unpacking rootkit payloads onto victim systems; quote: ‘Malware droppers are lightweight programs, often deployed after initial access, whose sole purpose is to download or unpack a rootkit payload and execute it.’
- [T1547] Boot or Logon Autostart Execution – Persistence via mechanisms installed by loaders, such as systemd units, cron jobs, udev rules, or init-script modifications; quote: ‘installing mechanisms such as systemd units, cron jobs, udev rules, or modifications to initialization scripts.’
Indicators of Compromise
- [CVE] Privilege-escalation vulnerability referenced – CVE-2022-0847 (Dirty Pipe)
- [File path] artifacts and kernel state checks – /proc/modules, /proc/, /sys/kernel/debug (debugfs), and /etc/profile
- [Module / filename] kernel or userland payload files – malicious .ko modules (e.g., a dropped rootkit.ko), and injected shared objects like /path/to/rootkit.so
- [Kernel symbols / functions] targets for hooking or resolution – sys_call_table, x64_sys_call, kallsyms_lookup_name (used to locate symbols)
- [Tool / technique names] named rootkits and POCs observed – Reptile, Diamorphine (and TripleCross, Boopkit, FlipSwitch, RingReaper)
- [Syscalls / APIs] interfaces abused for stealth or hooking – getdents64, execve, io_uring_enter, bpf() (and other syscall names used as hook targets)
Read more: https://www.elastic.co/security-labs/linux-rootkits-1-hooked-on-linux