Section | Details |
---|---|
Threat Actors | Remote attackers (unknown identity) |
Campaign Overview | Attackers exploited multiple vulnerabilities in an appliance to deploy a rootkit and user-space binary, establishing persistence and controlling the system. |
Target Regions (Victims) | Ivanti appliance customers |
Methodology | • Exploited vulnerabilities to gain system control. • Deployed rootkit (sysinitd.ko) and user-space binary (sysinitd). • Established persistence via rc.local and rc.d files. |
Product Targeted | Ivanti appliances, Linux-based systems |
Malware Reference | Rootkit (sysinitd.ko), Injector script (install.sh), User-space binary (sysinitd) |
Tools Used | Shell script (install.sh), Kernel module (sysinitd.ko), User-space binary (sysinitd), Netfilter hook, procfs entries |
Vulnerabilities Exploited | Remote vulnerabilities in the Ivanti appliance |
TTPs | • Exploited vulnerable appliance. • Deployed rootkit and user-space binaries. • Created persistent backdoor with system startup modifications. |
Attribution | Unknown |
Recommendations | • Monitor audit logs for unusual shell commands. • Check for unauthorized files and kernel modules. • Strengthen device security to prevent rootkit installation. |
Source | Fortinet |
Read full article: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware
The above summary has been generated by an AI language model
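As an added example that is not part of the summary above or of Fortinet's article: a small POSIX shell script that turns the "check for unauthorized files and kernel modules" and startup-persistence recommendations into repeatable checks against the indicators the table names. The indicator names (sysinitd, sysinitd.ko, install.sh, rc.local, rc.d) come from the table; the regexes, helper names, file locations and sample inputs are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from Fortinet's article or the summary above.
# Checks for the indicators the summary names: the sysinitd kernel module,
# the sysinitd user-space binary and the install.sh injector referenced from
# rc.local / rc.d startup files. Inputs are plain files so the checks can be
# run against saved artefacts as well as a live host.

# Indicator names taken from the summary table; regexes are assumptions.
MODULE_NAME="sysinitd"
NAME_PATTERN='sysinitd(\.ko)?|install\.sh'

# loaded_module_present FILE
#   FILE holds lsmod-style output or a copy of /proc/modules. Returns 0 if
#   the suspect module name is the first field of any line.
loaded_module_present() {
  grep -qE "^${MODULE_NAME}([[:space:]]|$)" "$1"
}

# startup_script_references FILE
#   FILE is an rc.local or rc.d script. Prints every non-comment line that
#   references one of the suspect names and returns 0 if there was any.
startup_script_references() {
  grep -vE '^[[:space:]]*#' "$1" \
    | grep -E "(^|[^[:alnum:]_])(${NAME_PATTERN})([^[:alnum:]_]|$)"
}

# count_findings MODULES_FILE STARTUP_FILE
#   Runs both checks and prints how many fired (0, 1 or 2).
count_findings() {
  n=0
  loaded_module_present "$1" && n=$((n + 1))
  startup_script_references "$2" >/dev/null && n=$((n + 1))
  echo "$n"
}

# Constructed sample inputs (not real captures): one infected pair and one
# clean pair, written to a scratch directory.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'Module                  Size  Used by\nsysinitd               16384  0\nxt_conntrack           16384  1\n' \
  > "$TMP/modules.txt"
printf '#!/bin/sh\n# boot hook\n/usr/bin/sysinitd &\nexit 0\n' \
  > "$TMP/rc.local"
printf 'Module                  Size  Used by\nxt_conntrack           16384  1\n' \
  > "$TMP/clean_modules.txt"
printf '#!/bin/sh\nexit 0\n' \
  > "$TMP/clean_rc.local"

echo "infected sample findings: $(count_findings "$TMP/modules.txt" "$TMP/rc.local")"
echo "clean sample findings:    $(count_findings "$TMP/clean_modules.txt" "$TMP/clean_rc.local")"
```

On a live Linux host the same functions apply to the real sources: `loaded_module_present /proc/modules` and `for f in /etc/rc.local /etc/rc.d/*; do [ -f "$f" ] && startup_script_references "$f"; done`. A loaded rootkit may hide its own module from `/proc/modules`, so a clean result here is evidence against the specific names the table lists, not proof the host is uncompromised; the file-based checks are most useful on disk images or artefacts collected offline.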