
Deep Dive Into a Linux Rootkit Malware

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

This analysis examines a Linux rootkit deployed by remote attackers on a compromised CentOS system. The malware has two components: a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module registers a Netfilter hook to intercept inbound network traffic, creates procfs entries that serve as the channel between kernel and user space, and launches the user-space process. The user-space component disguises itself as 'bash' and executes the attackers' commands with root privileges. The attackers initiate communication with a special 'attack-init' packet, after which they send encrypted commands to control the system. The analysis covers the malware's initialization, network interception, data exchange mechanism, and command execution process.
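The summary above gives three host-side indicators a responder can check for: the sysinitd module being loaded, a process that calls itself 'bash' but is not backed by a real bash binary, and procfs entries that do not belong to a stock kernel. The following helpers are an added example, written here for this page and not taken from the original analysis, that turn those indicators into checks. They run against constructed sample data; the live collectors are used only when the file is executed directly. The bash paths are an assumption (stock CentOS locations), the procfs baseline is something you must capture from a known-good host of the same kernel, and the entry name "example_rootkit_entry" is hypothetical, since the page does not name the rootkit's actual procfs entries.

```python
# Added example (not the original analysis' code): triage helpers for the
# sysinitd rootkit indicators. Sample inputs below are constructed for the
# example; "example_rootkit_entry" is a hypothetical name, not a real IOC.
import os

ROOTKIT_MODULE = "sysinitd"            # sysinitd.ko as it appears in /proc/modules
MASQUERADE_COMM = "bash"               # the user-space component reports this name
LEGIT_BASH_PATHS = {"/bin/bash", "/usr/bin/bash"}   # assumption: stock CentOS paths


def find_loaded_module(proc_modules_text, name=ROOTKIT_MODULE):
    """Return True if `name` is the first column of any line in
    /proc/modules-format text (the same source `lsmod` reads)."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            return True
    return False


def suspicious_bash_processes(processes):
    """processes: iterable of (pid, comm, exe_path) triples.
    Flag processes whose comm is 'bash' but whose backing executable is not a
    legitimate bash binary, including binaries unlinked after exec, which the
    kernel reports with a ' (deleted)' suffix on the exe link."""
    hits = []
    for pid, comm, exe in processes:
        if comm != MASQUERADE_COMM:
            continue
        path = exe[:-len(" (deleted)")] if exe.endswith(" (deleted)") else exe
        if path not in LEGIT_BASH_PATHS:
            hits.append((pid, exe))
    return hits


def unexpected_procfs_entries(entries, baseline):
    """Top-level /proc names that are neither PID directories nor present in a
    baseline snapshot from a known-good host. The baseline is an assumption the
    caller supplies; its contents vary with kernel version and loaded drivers."""
    return sorted(e for e in entries if not e.isdigit() and e not in baseline)


def collect_live_processes(proc_root="/proc"):
    """Read (pid, comm, exe) from a live procfs. Reading exe links of other
    users' processes needs root; unreadable or vanished entries are skipped."""
    procs = []
    for d in os.listdir(proc_root):
        if not d.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, d, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(proc_root, d, "exe"))
        except OSError:
            continue
        procs.append((int(d), comm, exe))
    return procs


# Constructed sample data in /proc/modules format and in the triple format above.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0x0000000000000000
sysinitd 24576 0 - Live 0x0000000000000000 (OE)
nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000
"""
SAMPLE_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (1200, "bash", "/bin/bash"),
    (1337, "bash", "/tmp/sysinitd (deleted)"),   # masquerading user-space component
    (1400, "bash", "/usr/bin/bash"),
]
SAMPLE_PROC_LISTING = ["1", "1337", "cpuinfo", "meminfo", "modules", "example_rootkit_entry"]
SAMPLE_PROC_BASELINE = {"cpuinfo", "meminfo", "modules"}   # assumption: captured from a clean host


if __name__ == "__main__":
    with open("/proc/modules") as f:
        print("sysinitd module loaded:", find_loaded_module(f.read()))
    print("bash processes with non-bash executables:",
          suspicious_bash_processes(collect_live_processes()))
    print("unexpected /proc entries:",
          unexpected_procfs_entries(os.listdir("/proc"), SAMPLE_PROC_BASELINE))
```

Treat a clean result as inconclusive rather than as proof of absence: a kernel-resident component can filter what procfs and the module list show, so corroborate from outside the running kernel (an offline disk or memory image) before closing the case.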

OPENCTI LABELS :

linux,remote access,rootkit,persistence,netfilter,sysinitd.ko,sysinitd,procfs,kernel module,command execution



