Rootkit
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Procedure Examples

Name | Description
---|---
Ebury | Ebury has used user mode rootkit techniques to remain hidden on the system.(Citation: ESET Ebury Oct 2017)
Winnti Group | Winnti Group used a rootkit to modify typical server functionality.(Citation: Kaspersky Winnti April 2013)
APT41 | APT41 deployed rootkits on Linux systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)
Rocke | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019)
Carberp | Carberp has used user mode rootkit techniques to remain hidden on the system.(Citation: Prevx Carberp March 2011)
Ramsay | Ramsay has included a rootkit to evade defenses.(Citation: Eset Ramsay May 2020)
Drovorub | Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.(Citation: NSA/FBI Drovorub August 2020)
HTRAN | HTRAN can install a rootkit to hide network connections from the host OS.(Citation: NCSC Joint Report Public Tools)
HIDEDRV | HIDEDRV is a rootkit that hides certain operating system artifacts.(Citation: ESET Sednit Part 3)
TeamTNT | TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.(Citation: Trend Micro TeamTNT) (Citation: Cisco Talos Intelligence Group)
Skidmap | Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.(Citation: Trend Micro Skidmap)
Umbreon | Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access, and undermining strace, a tool often used to identify malware.(Citation: Umbreon Trend Micro)
Stuxnet | Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.(Citation: Symantec W.32 Stuxnet Dossier)
Hacking Team UEFI Rootkit | Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.(Citation: TrendMicro Hacking Team UEFI)
HiddenWasp | HiddenWasp uses a rootkit to hook and implement functions on the system.(Citation: Intezer HiddenWasp Map 2019)
Hildegard | Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64().(Citation: Unit 42 Hildegard Malware)
APT28 | APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.(Citation: Symantec APT28 Oct 2018)(Citation: ESET LoJax Sept 2018)
Hikit | Hikit is a rootkit that has been used by Axiom.(Citation: FireEye Hikit Rootkit) (Citation: FireEye HIKIT Rootkit Part 2)
Winnti for Linux | Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.(Citation: Chronicle Winnti for Linux May 2019)
Zeroaccess | Zeroaccess is a kernel-mode rootkit.(Citation: Sophos ZeroAccess)
LoJax | LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.(Citation: ESET LoJax Sept 2018)
Uroburos | Uroburos is a rootkit used by Turla.(Citation: Kaspersky Turla)
WarzoneRAT | WarzoneRAT can include a rootkit to hide processes, files, and startup.(Citation: Check Point Warzone Feb 2020)
Caterpillar WebShell | Caterpillar WebShell has a module to use a rootkit on a system.(Citation: ClearSky Lebanese Cedar Jan 2021)
PoisonIvy | PoisonIvy starts a rootkit from a malicious file dropped to disk.(Citation: Symantec Darkmoon Aug 2005)
Mitigations

Mitigation | Description
---|---
Rootkit Mitigation | Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Detection
Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)
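As an added example (not ATT&CK's or any vendor's code) of the detection guidance above applied to the libc-hooking technique attributed to Rocke, Hildegard and Umbreon: the script below reviews /etc/ld.so.preload, the file those families abused, and looks for processes that a hooked readdir() hides from a /proc listing but that are still reachable by probing /proc/<pid> directly. The file paths are the real Linux ones; the function names and the injected-callable design (so the logic can be exercised without a rootkit) are this example's own.

```python
# Defender-side checks for the user-mode rootkit tricks named on this page:
# (1) /etc/ld.so.preload entries (Rocke, Hildegard and Umbreon hook libc here),
# (2) processes a hooked readdir() hides from /proc listings but that remain
#     reachable by probing /proc/<pid> directly.
# Added example, not code from ATT&CK or any vendor report.
import os
import re

PRELOAD_PATH = "/etc/ld.so.preload"

def parse_preload(text):
    """ld.so.preload syntax: whitespace-separated paths, '#' starts a comment."""
    return re.sub(r"#.*", "", text).split()

def preload_entries(path=PRELOAD_PATH):
    """Objects the loader injects into every process; [] when the file is absent."""
    try:
        with open(path) as fh:
            return parse_preload(fh.read())
    except FileNotFoundError:
        return []

def hidden_pids(listed_pids, probe_pid, max_pid):
    """PIDs that probe_pid() confirms but listed_pids() never shows.
    listed_pids: callable -> set of PIDs that readdir() on /proc returns.
    probe_pid:   callable(pid) -> bool, e.g. os.path.exists('/proc/<pid>').
    The listing is taken before and after the sweep so processes that start or
    exit mid-sweep are not reported. A rootkit that also hooks stat()/open()
    on /proc paths would evade this check; use a kernel-level view then."""
    before = set(listed_pids())
    probed = {pid for pid in range(1, max_pid + 1) if probe_pid(pid)}
    after = set(listed_pids())
    return sorted(probed - before - after)

def proc_listed_pids(proc_root="/proc"):
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def proc_probe(pid, proc_root="/proc"):
    return os.path.exists(os.path.join(proc_root, str(pid)))

def read_pid_max(proc_root="/proc"):
    try:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
            return int(fh.read())
    except OSError:
        return 32768  # fallback when pid_max is unreadable

if __name__ == "__main__":
    for so in preload_entries():
        print("ld.so.preload injects (review):", so)
    for pid in hidden_pids(proc_listed_pids, proc_probe, read_pid_max()):
        print("PID present in /proc but hidden from readdir():", pid)
```

On a clean host the preload file normally does not exist at all, so any entry deserves review; the PID sweep covers up to pid_max (up to 4194304 on 64-bit kernels) and can take a few seconds.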
References
- Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.
- Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.
- Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.
- Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.
- NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
- Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
- Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
- Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.
- Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
- Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
Related Risks

Risk | Links |
---|---|---
Defense evasion due to the possibility of using a rootkit on Linux | Privilege escalation, Integrity | 1
Defense evasion due to the possibility of using a rootkit on Windows | Privilege escalation, Integrity |