Full Report
Dynamic linker hijacking via LD_PRELOAD is a Linux rootkit technique utilized by different threat actors in the wild. In part one of this series on Linux rootkits, we discuss this threat and explain how to detect it.
Analysis Summary
# Tool/Technique: Rootkits (via LD_PRELOAD Hijacking)
## Overview
Rootkits are a type of malware used by threat actors to gain deep control over a compromised resource and conceal malicious activities. This specific context focuses on a userland rootkit technique unique to Linux systems: **Dynamic Linker Hijacking** using the `LD_PRELOAD` mechanism. This technique allows attackers to intercept and alter the execution flow of dynamically linked programs by injecting a user-specified shared object before any standard libraries are loaded.
## Technical Details
- Type: Technique (Rootkit)
- Platform: Linux
- Capabilities: Hiding files, intercepting function calls (e.g., `readdir`), evading detection, altering system behavior at runtime, credential harvesting.
- First Seen: Not explicitly stated, but discussed as a known technique used by threat actors in the wild.
## MITRE ATT&CK Mapping
- T1014 - Defense Evasion: Rootkit
- T1014.002 - Kernel/OS Function Hooking (Applicable concept, applied via userland linkage)
- T1574 - Hijack Execution Flow
- T1574.006 - DLL Search Order Hijacking (Userland equivalent on Linux)
## Functionality
### Core Capabilities
- Intercepting and modifying the execution flow of dynamically linked programs by loading a custom shared object (`*.so`) before legitimate libraries.
- Hiding files or processes from standard userland commands (e.g., hiding `malicious_file` from `ls` output by hijacking `readdir`).
- Leveraging the Linux dynamic linker (`ld.so`) functionality.
### Advanced Features
- Utilizing the `LD_PRELOAD` environment variable or overwriting the `/etc/ld.so.preload` file to persist or initiate the hijacking across multiple processes.
- Function interposition using `dlsym` and the `RTLD_NEXT` handle to find and invoke the original, underlying library function after performing malicious actions.
## Indicators of Compromise
- File Hashes: Not provided in the article.
- File Names: Shared objects (`.so` files) injected via preload lists (e.g., suspicious libraries in `/etc/ld.so.preload`).
- Registry Keys: N/A (Linux artifacts).
- Network Indicators: None provided. This section does not detail network activity, though C2 communication is implied to follow the rootkit's setup.
- Behavioral Indicators:
  - Presence of unusual paths specified in `/etc/ld.so.preload`.
  - Processes showing an unexpected `LD_PRELOAD` environment variable (inspectable via `/proc/{pid}/environ`).
  - System calls being hooked or returning modified results (e.g., `readdir` skipping expected entries).
## Associated Threat Actors
- Threat actors (general): the technique is described as used in the wild; no specific group names are given in this segment.
## Detection Methods
- Signature-based detection: Monitoring for creation or modification of the `/etc/ld.so.preload` file.
- Behavioral detection:
  - Inspecting `/proc/{pid}/environ` for processes executed with an unanticipated `LD_PRELOAD` variable pointing to an uncommon library path.
  - Using runtime detection tools (such as the Wiz runtime sensor) that can detect drift execution, i.e. libraries loaded into memory that were not part of the original image.
  - Using tools such as `unhide` to brute-force the detection of concealed processes.
- File Comparison: Comparing runtime filesystem state against a known good image snapshot to find newly or unexpectedly added/modified files.
## Mitigation Strategies
- Regularly inspect the `/etc/ld.so.preload` file for unauthorized entries.
- Monitor process environments (`/proc/{pid}/environ`) for suspicious or unexpected `LD_PRELOAD` variables during runtime.
- Use runtime security solutions capable of detecting dynamic library injection at runtime.
- If using containers, ensure the runtime detection in use can detect drift execution, i.e. libraries loaded into memory that were not part of the container image.
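The two host-level checks listed under Detection Methods and Mitigation Strategies (entries in `/etc/ld.so.preload`, and `LD_PRELOAD` values in `/proc/{pid}/environ`) can be scripted. The following is an added example, not code from the original article or from Wiz; the `TRUSTED_LIB_DIRS` allowlist and the sample file contents are assumptions, and the library names in the samples are constructed, not real indicators.

```python
"""Hunt for LD_PRELOAD / ld.so.preload hijacking artifacts on a Linux host.

Added example (not code from the original article). It implements the two
checks the report lists: entries in /etc/ld.so.preload and LD_PRELOAD values
in /proc/<pid>/environ. TRUSTED_LIB_DIRS and the sample data are assumptions.
"""
import glob

# Assumption: libraries legitimately preloaded on this host live under the
# system library directories. Tune this allowlist to the host's baseline.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text: str) -> list:
    """Return the library paths listed in an /etc/ld.so.preload body.

    ld.so treats whitespace (including newlines) as the separator and '#'
    as the start of a comment.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for record in raw.split(b"\0"):
        if not record:
            continue
        key, _, value = record.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def is_suspicious_library(path: str) -> bool:
    """Flag any preload entry that is not an absolute path under a trusted
    library directory. Bare names (resolved through the normal search path)
    and paths under /tmp, /dev/shm or home directories all land here."""
    return not path.startswith(TRUSTED_LIB_DIRS)


def check_preload_file(text: str) -> list:
    """Suspicious entries from the content of /etc/ld.so.preload."""
    return [p for p in parse_ld_so_preload(text) if is_suspicious_library(p)]


def check_process_environ(raw: bytes) -> list:
    """Suspicious libraries named by LD_PRELOAD in one process's environ."""
    value = parse_environ(raw).get("LD_PRELOAD", "")
    # ld.so accepts a colon- or space-separated list of libraries.
    return [p for p in value.replace(":", " ").split() if is_suspicious_library(p)]


def scan_host() -> list:
    """Run both checks against the live system (root is needed to read other
    users' environ files). Returns human-readable findings."""
    findings = []
    try:
        with open("/etc/ld.so.preload", "r", encoding="utf-8", errors="replace") as f:
            for p in check_preload_file(f.read()):
                findings.append(f"/etc/ld.so.preload references untrusted library: {p}")
    except FileNotFoundError:
        pass  # absent on a clean host; an empty file is also normal on some distros
    for environ_path in glob.glob("/proc/[0-9]*/environ"):
        pid = environ_path.split("/")[2]
        try:
            with open(environ_path, "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited, or not readable without root
        for p in check_process_environ(raw):
            findings.append(f"pid {pid}: LD_PRELOAD points at untrusted library: {p}")
    return findings


# Constructed samples standing in for file contents (not real IoCs).
SAMPLE_PRELOAD = "/usr/lib/libtrusted.so   # legitimate entry\n/tmp/.x/libhide.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/libhook.so\0HOME=/root\0"

if __name__ == "__main__":
    print("sample preload file ->", check_preload_file(SAMPLE_PRELOAD))
    print("sample environ      ->", check_process_environ(SAMPLE_ENVIRON))
    for finding in scan_host():
        print(finding)
```

Run it as root so every `/proc/{pid}/environ` is readable. One caveat the report's own detection list already accounts for: the scanner is itself a dynamically linked process, so a library listed in `/etc/ld.so.preload` is loaded into it too and can hook the calls it uses to read that file. A clean result from an in-host scan is therefore weaker evidence than `unhide`-style cross-checks or a comparison against a known-good image taken from outside the host.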
## Related Tools/Techniques
- Linux Kernel Module (LKM) rootkits (Next topic in the series).
- eBPF rootkits (Next topic in the series).
- DLL Search Order Hijacking (T1574.006) (Conceptual equivalent on Windows).