# Full Report
Part 2 dives into the world of LKMs (Loadable Kernel Modules) and kernel-space rootkits to explore what LKMs are, how attackers abuse them, and how to detect them.
# Analysis Summary
# Tool/Technique: Loadable Kernel Module (LKM) Rootkit
## Overview
A kernel-space rootkit technique in Linux and Unix-like operating systems that abuses Loadable Kernel Modules (LKMs) to dynamically extend the kernel's functionality, typically for the purpose of hiding malicious activity or gaining persistent, high-privilege control over the system.
## Technical Details
- Type: Technique (Specifically, a Rootkit implementation method)
- Platform: Linux, Unix-like operating systems
- Capabilities: Hiding processes (e.g., cryptomining), concealing malicious activity, hooking kernel functions for control.
- First Seen: Not explicitly stated in the context, but associated actors have been active for some time.
## MITRE ATT&CK Mapping
- T1547 - Boot or Logon Autostart Execution
- T1547.006 - Kernel Modules
## Functionality
### Core Capabilities
- Exploiting the dynamic nature of LKMs to insert malicious code directly into the running kernel.
- Bypassing user-space security controls as the malicious code executes with kernel privileges.
- Concealing malicious activities from standard user-space monitoring tools.
### Advanced Features
- Hooking kernel functions via the LKM to intercept system calls or modify system behavior (e.g., concealing processes).
## Indicators of Compromise
- File Hashes: N/A (Specific modules not provided, only names of known external tools)
- File Names: Kernel module files (typically ending in `.ko`). No specific filenames are given; the named LKM rootkit families are `Diamorphine`, `adore-ng`, and `suterusu`.
- Registry Keys: N/A (Linux specific)
- Network Indicators: N/A (Focus is on local kernel manipulation)
- Behavioral Indicators: Presence of unauthorized or suspicious `.ko` files loaded into the kernel; reading virtual files like `/proc/modules` or `/sys/module/` revealing unexpected modules.
## Associated Threat Actors
- TeamTNT
- Winnti group (APT 41)
## Detection Methods
- Signature-based detection: Scanning `/lib/modules/` for unauthorized or known malicious module files.
- Behavioral detection: Monitoring the loading/unloading of modules via `insmod`, `rmmod`, or `modprobe` originating from unexpected processes. Detection of kernel function hooking.
- YARA rules: Not explicitly provided, but might target known module contents.
- Specific Tool Monitoring: The Wiz runtime sensor is mentioned as detecting LKM insertion.
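The behavioral indicator above (reading `/proc/modules` and `/sys/module/` for unexpected modules) can be turned into a small triage check. The script below is an added example written for this summary, not code from the original report or from Wiz; the allowlist, the sample `/proc/modules` text and the sample `/sys/module` listing are constructed. It parses the `/proc/modules` format, flags loaded modules that are not on a baseline allowlist, and cross-checks against sysfs: a directory under `/sys/module/` that carries an `initstate` attribute belongs to a loaded module, so one with no matching `/proc/modules` entry is worth investigating, since some LKM rootkits unlink themselves from the kernel's module list to disappear from `lsmod`. Built-in modules that expose parameters also appear under `/sys/module/` but have no `initstate`, which is why the check keys on that attribute rather than on the directory alone.

```python
"""Triage loaded kernel modules against /proc/modules and /sys/module.

Added example; sample data and the BASELINE allowlist are constructed.
On a real host call read_live_proc_modules() / read_live_sys_module().
"""
import os
from dataclasses import dataclass

# Constructed sample of /proc/modules.
# Real line format: name size refcount deps state load_address
SAMPLE_PROC_MODULES = """\
xfs 1650688 1 - Live 0xffffffffc0a00000
libcrc32c 16384 1 xfs, Live 0xffffffffc09f0000
nf_conntrack 176128 2 nf_nat,xt_conntrack, Live 0xffffffffc0900000
"""

# Constructed sample of /sys/module/<name>/ directory contents.
# Loaded modules carry an `initstate` attribute; built-ins only show parameters.
SAMPLE_SYS_MODULE = {
    "xfs": {"initstate", "refcnt", "coresize", "sections"},
    "libcrc32c": {"initstate", "refcnt", "coresize", "sections"},
    "nf_conntrack": {"initstate", "refcnt", "coresize", "sections"},
    "printk": {"parameters"},  # built-in: present in sysfs, not a finding
    "diamorphine": {"initstate", "refcnt", "coresize", "sections"},  # loaded, unlisted
}

# Constructed allowlist of modules expected on this host.
BASELINE = frozenset({"xfs", "libcrc32c", "nf_conntrack"})


@dataclass(frozen=True)
class LoadedModule:
    name: str
    size: int
    refcount: int
    deps: tuple
    state: str


def parse_proc_modules(text):
    """Parse /proc/modules text into a dict of name -> LoadedModule."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        name, size, refcount, deps, state = fields[:5]
        # deps is "-" when empty, otherwise a comma-terminated list
        dep_list = tuple(d for d in deps.split(",") if d and d != "-")
        modules[name] = LoadedModule(name, int(size), int(refcount), dep_list, state)
    return modules


def loaded_in_sysfs(sys_module):
    """Names under /sys/module that have an initstate attribute (i.e. loaded)."""
    return {name for name, attrs in sys_module.items() if "initstate" in attrs}


def triage(proc_text, sys_module, allowlist):
    """Return (kind, name) findings: 'unexpected' = loaded but not allowlisted,
    'hidden' = loaded per sysfs but absent from /proc/modules."""
    listed = parse_proc_modules(proc_text)
    findings = [("unexpected", n) for n in sorted(listed) if n not in allowlist]
    findings += [("hidden", n) for n in sorted(loaded_in_sysfs(sys_module) - set(listed))]
    return findings


def read_live_proc_modules(path="/proc/modules"):
    with open(path, encoding="ascii") as fh:
        return fh.read()


def read_live_sys_module(path="/sys/module"):
    return {name: set(os.listdir(os.path.join(path, name))) for name in os.listdir(path)}


if __name__ == "__main__":
    for kind, name in triage(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, BASELINE):
        print(f"{kind}: {name}")
```

Treat a `hidden` finding as a lead, not proof: code running with kernel privileges can remove its sysfs directory as well, so an empty result does not clear the host. Corroborate with the module load/unload monitoring listed above and with a baseline of the module names and sizes that the build is expected to load.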
## Mitigation Strategies
- Restrict privileged containers or containers with the `SYS_MODULE` capability unless strictly necessary.
- Minimize internet-facing services.
- Avoid granting root user permissions to applications unnecessarily.
- Utilize access control mechanisms like AppArmor and SELinux to restrict which processes/users can load/interact with kernel modules.
- Implement Secure Boot to ensure only signed and trusted kernel components (including modules) can be loaded.
## Related Tools/Techniques
- `LD_PRELOAD` user-space rootkit (Mentioned as Part 1 of the series)
- Diamorphine (Specific LKM rootkit used by TeamTNT)
- adore-ng (Specific LKM rootkit used by Winnti)
- suterusu (Specific LKM rootkit used by Winnti)
- eBPF rootkits (Mentioned as the topic for Part 3)