{
  "name": "Deep Dive Into a Linux Rootkit Malware",
  "slug": "deep-dive-into-a-linux-rootkit-malware",
  "description": "This analysis examines Linux rootkit malware deployed by remote attackers on a compromised CentOS system. The malware consists of a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module hijacks inbound network traffic using a Netfilter hook, creates procfs entries for communication, and starts the user-space process. The user-space component disguises itself as 'bash' and enables remote command execution with root privileges. The attackers use a special 'attack-init' packet to initiate communication and can then send encrypted commands to control the system. The analysis details the malware's initialization, network interception, data-exchange mechanisms, and command-execution process.",
  "published": "2025-01-14T06:16:30+00:00",
  "created_at": "2025-01-14T06:16:30+00:00",
  "modified_at": "2025-01-14T07:46:13+00:00",
  "created_at_opencti": "2025-01-14T06:16:30+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-14",
    "command execution",
    "kernel module",
    "linux",
    "netfilter",
    "persistence",
    "procfs",
    "remote access",
    "rootkit",
    "sysinitd",
    "sysinitd.ko"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "d57a2cac394a778e19ce9b926f2e0a71936510798f30d20f207f2a49b49ce7b1"
      },
      {
        "id": "",
        "name": "8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526"
      },
      {
        "id": "",
        "name": "6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:27d176e791b18def",
        "name": "sysinitd",
        "slug": "sysinitd"
      },
      {
        "id": "legacy:malware:6d1400ae0e2e7ca5",
        "name": "sysinitd.ko",
        "slug": "sysinitdko"
      }
    ],
    "attack_patterns": [
      {
        "id": "7e5fbc10-b908-4ce8-8ba8-9fd70790c6ae",
        "name": "T1562.004"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "41af8283-2fa5-469e-9c29-e8ad77b4f224",
        "name": "T1014"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ]
  },
  "external_refs": [
    "https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware",
    "https://otx.alienvault.com/pulse/67860f4e42a768eabc13903e"
  ]
}