
Deep Dive Into a Linux Rootkit Malware

Section                     Details
Threat Actors               Remote attackers (unknown identity)
Campaign Overview           Attackers exploited multiple vulnerabilities in an Ivanti appliance to deploy a kernel rootkit and a user-space binary, establishing persistence and taking control of the system.
Target Regions (Victims)    Ivanti appliance customers
Methodology                 • Exploited vulnerabilities to gain system control.
                            • Deployed the rootkit (sysinitd.ko) and the user-space binary (sysinitd).
                            • Established persistence via rc.local and rc.d files.
Product Targeted            Ivanti appliances, Linux-based systems
Malware Reference           Rootkit (sysinitd.ko), injector script (install.sh), user-space binary (sysinitd)
Tools Used                  Shell script (install.sh), kernel module (sysinitd.ko), user-space binary (sysinitd), Netfilter hook, procfs entries
Vulnerabilities Exploited   Remote vulnerabilities in the Ivanti appliance
TTPs                        • Exploited the vulnerable appliance.
                            • Deployed the rootkit and user-space binaries.
                            • Created a persistent backdoor through system start-up modifications.
Attribution                 Unknown
Recommendations             • Monitor audit logs for unusual shell commands.
                            • Check for unauthorized files and kernel modules.
                            • Strengthen device security to prevent rootkit installation.
Source                      Fortinet
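As an added illustration of the "check for unauthorized files and kernel modules" recommendation (this is example code written for this page, not code from Fortinet's article or from the malware), the POSIX shell script below scans a filesystem tree for the indicators the summary names: the sysinitd.ko kernel module, the sysinitd user-space binary, references to them in rc.local / rc.d start-up files, and a loaded module called sysinitd in /proc/modules. The sample tree it builds is constructed for the demo; the directory layout and the S99sysinitd file name are assumptions, and the install.sh injector is deliberately not matched by name because that name is too generic to be a useful indicator on its own.

```shell
#!/bin/sh
# Example (not from the Fortinet article): look for the sysinitd rootkit
# indicators in a filesystem tree. Pass "/" to inspect the live system, or a
# mounted image root for offline triage. Every hit still needs analyst review.

# Print one line per finding under the tree rooted at $1 (default /).
scan_root() {
    root="${1:-/}"

    # 1. Files named after the kernel module or the user-space binary.
    find "$root" -xdev \( -name 'sysinitd.ko' -o -name 'sysinitd' \) -type f 2>/dev/null \
        | sed 's/^/suspicious file: /'

    # 2. Start-up scripts that reference sysinitd (persistence via rc.local / rc.d).
    #    Layouts vary between distributions; rc.d/* and rc.d/*/* cover both
    #    flat and per-runlevel directories (assumed layout for this example).
    for f in "$root/etc/rc.local" "$root/etc/rc.d"/* "$root/etc/rc.d"/*/*; do
        [ -f "$f" ] || continue
        grep -l 'sysinitd' "$f" 2>/dev/null | sed 's/^/start-up reference: /'
    done

    # 3. Module currently loaded into the kernel (meaningful on a live root only).
    if [ -r "$root/proc/modules" ] && grep -q '^sysinitd ' "$root/proc/modules" 2>/dev/null; then
        echo "loaded kernel module: sysinitd"
    fi
}

# Number of findings for the tree rooted at $1.
count_findings() {
    scan_root "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree that contains every indicator type and
# print its path. This stands in for a compromised appliance image.
build_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/lib/modules" "$sample/usr/bin" "$sample/etc/rc.d" "$sample/proc"
    : > "$sample/lib/modules/sysinitd.ko"                                   # rootkit module
    : > "$sample/usr/bin/sysinitd"                                          # user-space binary
    printf '#!/bin/sh\n/usr/bin/sysinitd &\n' > "$sample/etc/rc.local"     # rc.local persistence
    printf '#!/bin/sh\ninsmod /lib/modules/sysinitd.ko\n' > "$sample/etc/rc.d/S99sysinitd"  # rc.d persistence (assumed name)
    printf 'sysinitd 16384 0 - Live 0x0000000000000000 (OE)\n' > "$sample/proc/modules"  # constructed /proc/modules line
    echo "$sample"
}

# Stand-alone demo against the constructed tree; never touches the live system.
demo_root=$(build_sample_tree)
scan_root "$demo_root"
echo "findings: $(count_findings "$demo_root")"
rm -rf "$demo_root"
```

On a real host, run `scan_root /` as root and treat each line as a lead to confirm with `lsmod`, file hashes and the audit log rather than as a verdict; the file-name checks in particular will miss a renamed module, so they complement, rather than replace, integrity monitoring of /lib/modules and the rc scripts.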

Read full article: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware

The above summary has been generated by an AI language model


Source: Fortinet

Published on: January 15, 2025
