Fortinet researchers uncovered an advanced rootkit malware exploiting multiple zero-day vulnerabilities in enterprise appliances by executing a shell script (Install.sh).
The analysis sheds new light on how attackers establish persistence, hijack network traffic, and remotely control compromised Linux-based systems using kernel modules and user-space processes.
The investigation follows a previous report on a zero-day exploit that allowed attackers to gain unauthorized control of an enterprise system.
FortiGuard confirmed that a malicious rootkit, deployed as a kernel module (sysinitd.ko), and a user-space binary file (sysinitd), were introduced into the compromised system through a crafted shell script named Install.sh.
To ensure persistence, the attackers embedded rootkit startup entries in critical Linux configuration files (/etc/rc.local and /etc/rc.d/rc.local). These entries ensured the malware was loaded during system boot.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Attack Breakdown
The kernel module sysinitd.ko was designed to integrate deeply into the Linux system. Upon loading with the insmod command, the module initiated several tasks:
- Decrypted strings for internal operations.
- Registered a Netfilter hook to intercept network traffic.
- Created special file entries (
/proc/abrtinfo,/proc/brtinfo,/proc/rtinfo) to facilitate communication with the user-space malware.
Netfilter, a core framework in Linux, was leveraged at the NF_INET_PRE_ROUTING stage—intercepting packets before routing decisions. The Netfilter hook function filtered incoming TCP packets from attackers, distinguishing legit packets using a crafted “attack-init” packet.
The attack-init packet, meticulously designed with specific byte sequences and verification data, allowed the malware to authenticate communication with the attacker.
Supported by encryption capabilities, it enabled secure data exchange. Once verified, the kernel module recorded attacker-relevant data (source/destination IP and port) for ongoing traffic handling.
The kernel module used Linux APIs to invoke the user-space binary sysinitd. This binary, disguised as a “bash” process to evade detection, facilitated attacker commands. Communication occurred via the /proc entries created earlier:
/proc/abrtinfoserved as the input to the user-space process./proc/brtinfocaptured the output./proc/rtinfomanaged control commands for task execution.
Capabilities of the Rootkit Malware
Attackers remotely executed Linux commands on the compromised system by sending them through the Netfilter hook function. A child process, spawned via the fork() system call and replaced by /bin/sh, executed these commands at root-level privileges.
The parent process of sysinitd acted as a daemon, monitoring and managing the child process. Specific control commands allowed attackers to:
- Restart or terminate the child process.
- Terminate both parent and child processes.
- Send signals such as
Ctrl+C.
Encryption Flexibility: The malware could toggle encryption for communication via a specific flag in the attack-init packet.
Deception Techniques: The sysinitd process renamed itself to “bash” to evade system administrators’ scrutiny.
Modular Code: The rootkit was built with capabilities to hijack TCP sessions, including HTTPS, SSH, FTP, and other protocols, using a three-way handshake.
FortiGuard demonstrated the malware’s functionality using a Python script to simulate attacker control. The attacker successfully executed Linux commands, including file downloads and directory browsing, and the results were captured in a network traffic analysis using Wireshark.
The sophisticated nature of the rootkit highlights the increasing complexity of cyberattacks that exploit critical system vulnerabilities. By combining kernel-level and user-space components, the attackers ensured stealth, persistence, and comprehensive system control.
FortiGuard’s Recommendations
- Patch Management: Regularly update firmware and software to address known vulnerabilities.
- Auditing and Monitoring: Employ tools to monitor unusual processes and network traffic.
- Procfs Security: Harden
/procdirectory permissions to prevent misuse by malicious actors. - Incident Response Preparation: Prepare response teams for rapid detection and mitigation of such exploits.
FortiGuard’s meticulous analysis reveals how attackers meticulously orchestrated a zero-day exploit to achieve complete control over targeted systems, underscoring the urgent need for proactive cybersecurity defenses.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!