Key points
- Elevator is a multi-stage attack targeting containerized Linux systems that abuses eBPF to perform local privilege escalation to kernel (ring 0) on specific kernel versions.
- An initial reconnaissance module (bpt.test) probes for eBPF vulnerability conditions (prog_load/verify and heap-readable constants) before deploying the exploit to avoid non-vulnerable hosts.
- The Elevator binary checks uname for three targeted kernels (4.15.0-42-generic, 4.14.63-coreos, 4.14.48-coreos-r2) and aborts if the host is not matched.
- The exploit creates BPF maps, loads two eBPF programs via socketpair/setsockopt, triggers execution by writing ‘X’, searches for a STACK_END_MAGIC (0x57AC6E9D), and leaks the kernel base to enable exploitation.
- Environment variables (TEST_ADDR, DUMP_ADDR, DUMP_BY_OFFSET, DUMP_CREDS) alter exploit behavior; if none set, the binary attempts to set UID 0 to escalate privileges.
- On success, a Python script enumerates extensive host data (DMI UUID, processes, open files, network interfaces, ARP neighbors, PCI/USB info), exfiltrates to 198.211.118[.]121:8081, and spawns a remote bash shell.
- The sample was first uploaded to VirusTotal in Dec 2018 shortly after a related eBPF patch for CVE-2018-18445, indicating likely reuse of publicly disclosed exploit logic.
MITRE Techniques
- [T1587.001] Obtain Capabilities: Malware – Creation and deployment of the “Elevator” tool to exploit eBPF in container-based Linux kernels (‘Named “Elevator” by the malware author, it was created to escape the security restrictions of containers and allow the attacker to escalate privileges.’)
- [T1190] Exploit Public-Facing Application – Deployed against web-facing container applications to gain initial access (‘Elevator appears to be a multi-stage attack, deployed against web-facing container applications.’)
- [T1059.006] Command and Scripting Interpreter: Python – Use of a Python script for host enumeration and to start a remote shell (‘it would run a small Python script that would enumerate the infected host machine and establish a remote shell.’)
- [T1068] Exploitation for Privilege Escalation – Abuse of eBPF vulnerability logic similar to CVE-2018-18445 to escalate to kernel privileges (‘This vulnerability follows a similar logic path described in CVE-2018-18445… escalate privileges to ring 0’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – Attempts to disguise process/file names during execution (‘Elevator attempts to disguise itself by changing the process filename to “pr_set_mm_exe_file” and the process name to “pr_set_name”.’)
- [T1016] System Network Configuration Discovery – Collects network interface details and ARP neighbors to map the local network (‘A list of machines connected to the machine on the layer 2 level, along with their MAC addresses… information about the various network interfaces.’)
- [T1082] System Information Discovery – Extensive host enumeration of kernel, running processes, open files, hardware, PCI/USB buses, and BIOS DMI UUID (‘The file collects a myriad of host-based enumeration details… the main board product UUID… a list of running processes… open files… PCI buses and devices.’)
- [T1219] Remote Access Software – Establishes a remote bash shell connecting back to a C2 for interactive command execution (‘Finally, the Python script would start a remote shell using bash, this allowed the threat actor to remotely interact with the infected systems to run arbitrary commands.’)
- [T1210] Exploitation of Remote Services – Enumeration of local network and ARP cache indicates intent to pivot and move laterally within the network (‘the malware’s capability to gather information about the network interfaces and the contents of the ARP cache, suggests the intention is to move laterally within a target network.’)
Indicators of Compromise
- [IP] C2 server – 198.211.118[.]121:8081 (VPS receiving exfiltrated enumeration data and remote shell connections)
- [File name] Recon/exploit binaries – bpt.test (recon module), Elevator (exploit binary)
- [Kernel versions / Target OS] Targeted kernel strings used for host gating – 4.15.0-42-generic (Ubuntu), 4.14.63-coreos, 4.14.48-coreos-r2 (CoreOS)
- [Repository submission] Public sample upload – VirusTotal submission (sample first uploaded December 2018), and additional hashes available on referenced GitHub
- [URL / Source] Report/source reference – https://blog.lumen.com/taking-the-elevator-down-to-ring-0/?utm_source=rss&utm_medium=rss&utm_campaign=taking-the-elevator-down-to-ring-0
The attack is a staged exploit chain: an initial binary (observed as bpt.test) performs two eBPF vulnerability checks, attempting prog_load and verifying the return values, then triggering the loaded program via socket writes, to determine whether heap constants are readable; only if these preconditions are met does the operator deploy the second-stage Elevator binary. Elevator first calls uname and gates execution to three specific kernel versions; it then creates two BPF maps, loads two eBPF programs, attaches them to a socketpair via setsockopt, and triggers execution by writing ‘X’ to obtain kernel stack pointers and locate a STACK_END_MAGIC (0x57AC6E9D).
After detecting the stack end and confirming a targeted kernel, Elevator uses the eBPF programs to leak kernel memory and compute the kernel base. Behavior is controlled by environment variables (TEST_ADDR to inject an eBPF program, DUMP_ADDR / DUMP_BY_OFFSET / DUMP_CREDS to select what kernel data to leak). If no dump variables are provided, the binary attempts to set UID 0 to escalate privileges to root.
Upon successful privilege escalation to ring 0, the payload runs a Python enumerator that collects BIOS DMI UUID, permitted key lists, hostname, running processes, open files, network interface details, layer-2 neighbors and MACs, PCI and USB device information, and the public IP. The script posts this data to 198.211.118[.]121:8081 and then spawns a bash remote shell for interactive C2, enabling further commands or lateral movement.
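The host-side indicators above (the three gated kernel strings, the masquerading process/exe names, and the C2 endpoint) can be turned into a triage check. The following is an added defender-side example, not code from the report or from the Elevator sample; it assumes the quoted masquerading names are literal strings, uses the kernel.unprivileged_bpf_disabled sysctl as the exposure knob, and reads /proc/net/tcp for live connections to the reported C2.

```python
import os
import platform
import socket
import struct

# Kernel strings the Elevator binary gates on (from the report).
TARGETED_KERNELS = {"4.15.0-42-generic", "4.14.63-coreos", "4.14.48-coreos-r2"}
MASQ_COMM, MASQ_EXE = "pr_set_name", "pr_set_mm_exe_file"  # names from the report
C2_ENDPOINT = ("198.211.118.121", 8081)

def kernel_is_targeted(release: str) -> bool:
    return release.strip() in TARGETED_KERNELS

def unprivileged_bpf_allowed(sysctl_value: str) -> bool:
    # kernel.unprivileged_bpf_disabled: 0 allows unprivileged bpf(2); 1 or 2 block it.
    return sysctl_value.strip() == "0"

def find_masquerading(procs):
    """procs: iterable of (pid, comm, exe_basename) tuples."""
    return [pid for pid, comm, exe in procs if comm == MASQ_COMM or exe == MASQ_EXE]

def hex_to_endpoint(field: str):
    """Decode a /proc/net/tcp 'ADDR:PORT' field (little-endian hex IPv4)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def c2_connections(proc_net_tcp_lines):
    """Local endpoints of sockets whose remote side is the reported C2."""
    rows = [ln.split() for ln in proc_net_tcp_lines[1:]]  # skip header row
    return [hex_to_endpoint(c[1]) for c in rows
            if len(c) > 2 and hex_to_endpoint(c[2]) == C2_ENDPOINT]

def read_procs():
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.path.basename(os.readlink(f"/proc/{pid}/exe"))
        except OSError:
            continue  # process exited or not ours to inspect
        yield int(pid), comm, exe

def triage_host() -> dict:
    try:
        sysctl = open("/proc/sys/kernel/unprivileged_bpf_disabled").read()
    except OSError:
        sysctl = "0"  # assumption: if the knob is absent, treat unprivileged bpf as allowed
    tcp_lines = open("/proc/net/tcp").readlines()
    return {"targeted_kernel": kernel_is_targeted(platform.release()),
            "unprivileged_bpf_allowed": unprivileged_bpf_allowed(sysctl),
            "masquerading_pids": find_masquerading(read_procs()),
            "c2_sockets": c2_connections(tcp_lines)}
```

A host where targeted_kernel and unprivileged_bpf_allowed are both true meets Elevator's preconditions; setting kernel.unprivileged_bpf_disabled=1 removes the unprivileged bpf(2) path the chain relies on.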