- sha1:071f7fa9dfb36b512d779668763d9d29462d1f543dde0056a100e6482a7325b3
Description
A rootkit written in C and designed as a kernel module for a number of Linux distributions (RHEL, Debian and EulerOS). Used as part of the SkidMap meta project for cryptocurrency mining, it replaces a number of kernel functions to mask the mining process.
MITRE matrix
| Stage | Tactic |
|---|---|
| Execution (TA0002) | Unix Shell (T1059.004) |
| Defense Evasion (TA0005) |
Rootkit (T1014) Disable or Modify Tools (T1562.001) Disable or Modify Linux Audit System (T1562.012) Match Legitimate Name or Location (T1036.005) File/Path Exclusions (T1564.012) |
Operating routine
A malicious Linux kernel module distributed on a compromised machine by the Linux.MulDrop.142/143 dropper. The rootkit's tasks are to:
- Hide its own module
- Hide a number of processes
- Display false information about CPU usage
- Hide network activity
- Hide file artifacts related to the miner's work
- Prohibit the loading of kernel modules that perform anti-rootkit functions
- Filter debugging information
| Kernel function | Module | Description |
|---|---|---|
| account_user_time | cpu | Substitutes the value of the miner process runtime by 1 |
| loadavg_proc_show | loadavg | Substitutes the average system load values output to the /proc/loadavg file |
|
tcp4_seq_show tcp6_seq_show |
port | Hides information output to the proc/net/tcp and proc/net/tcp6 files about network activity on the following ports: 500, 8990, 3333, 4444, 5555, 6666, 7777, 3334, 3335, 30182, 52126, 53126, and 60032 |
| filldir64 | file | Checks the filename in the read directory’s list of files for a match with one of the 45 names; if one matches, the file is hidden. |
| inet_sk_diag_fill | diag | Prohibits the use of this diagnostic function on the following ports: 500, 8990, 3333, 4444, 5555, 6666, 7777, 3334, 3335, 30182, 52126, 53126, and 60032 |
| module_frob_arch_sections | deny | Intercepts loaded kernel modules and checks the strings they contain for keywords |
| parse_args | symbol | Checks command arguments for the same keywords that the deny module uses |
|
vprintk panic bpf_trace_printk trace_printk |
vmcore | These hooks are stubs; functions are not performed |
| sched_debug_show | sched_debug | Stub; no function is performed |
| perf_event_open | perf | Makes the syscall available only to the initialization process (PID 1) and disallows all others |
List of files hidden by the file module:
mcpuinfo.ko
mzoneinfo.ko
kmeminfo.ko
systemd-firstload
postcated
devlinked
matchpathcond
mountinfo
telinited
systemd-udeved
systemd-udeved.service
logrotated
ldattached
hardlinked
biosdecoded
dhclientd
systemd-reboot
systemd-logined
collectd
ilog.h
olog.h
rctlconf
rctl_cert.pem
rctl_priv.pem
rctl_ca.crt
rctlcli.cfg
infocmp
selinuxdefconed
selinuxexecconed
postaliasd
blockdeved
lgroupdeleted
postmaped
getsebooled
systemd-runlevel
systemd-cgroup
systemd-deltaed
gettexted
dpkgsplit
lsloginsd
plymouthed
partprobed
discovered
mldconfig
review
The symbol and deny modules check for the following keywords:
sysdig_probe
scap
antirootkit
anti
rootkit
ANTIROOTKIT
ANTI
ROOTKIT
Anti
Rootkit
The rootkit also intercepts the execve system call: if the called executable can detect the presence of file and network attack artifacts, the rootkit replaces the path to that file with the path to a patched utility that was previously installed by the Linux.MulDrop.142/143 dropper. Calls to the following programs are intercepted:
conntrack
ifconfig
ip
iftop
netstat
unhide-tcp
unhide-linux
unhide-posix
tcpdump
busybox
telnet
ping
less
more
stat
mkdir
rmdir
head
tail
cat
mv
rm
ls
cp
Note that in different versions of the rootkit, such as 0.0.11 and 0.0.12, there are some differences in the paths used to store patched versions of executables. In version 0.0.11, patched network utilities are stored in /etc/infocmp, while in version 0.0.12, they are stored in /etc/reviews. Also, in the newer version of the rootkit, file system utilities are no longer used and have been replaced by intercepting FS system calls. This indicates that the project is under active development.
