1. Home
  2. Techniques
  3. Enterprise
  4. Rootkit

Rootkit

Rootkit是一类通过篡改操作系统底层机制实现恶意组件隐匿的深度持久化技术,其通过劫持系统API调用、操控硬件抽象层等手段,对进程、文件、网络连接等系统对象进行动态过滤与信息伪造。攻击者可以利用Rootkit技术在受害操作系统中植入恶意代码,而不被常规的安全工具或监控系统察觉。由于Rootkit通过操控系统级别的调用来隐蔽自身,其自身的存在通常不容易被检测到,可以长期潜伏在目标系统内。因为Rootkit是在系统内核层或更低层(如固件、MBR)运行,因此它能够对系统监控工具的查询进行干扰,避免了常见的防御措施的检测,防御者难以通过常规手段(如文件系统扫描、进程监控)发现恶意活动,因此攻击者在使用该技术的过程中天然具有较高的隐蔽性。

Rootkit匿迹技术的发展迫使防御体系必须构建跨权限层级的协同检测能力,需融合硬件可信根验证、内存实时取证、行为熵值分析等技术,建立从固件层到应用层的全栈监控体系,同时加强供应链数字证书的全生命周期管理以遏制信任链滥用风险。

ID: T1014
Sub-techniques:  No sub-techniques
Tactic: 防御规避
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Application Control, File Monitoring, Host Intrusion Prevention Systems, Signature-based Detection, System Access Controls
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2023

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

行为透明

Rootkit能够深度渗透到操作系统的底层架构中,通过巧妙地劫持和篡改API调用,实现对进程、文件、服务等关键系统元素的隐匿化。即使系统内部正在进行着各种恶意活动,如数据窃取、远程控制指令的执行或系统资源的非法占用,但操作系统所呈现给防御者的信息依旧保持着正常的表象,这使得防御者难以发现攻击者的真实行径。

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.[1][2]
G0096 APT41

APT41 deployed rootkits on Linux systems.[3][4]
S0484 Carberp

Carberp has used user mode rootkit techniques to remain hidden on the system.[5]
S0572 Caterpillar WebShell

Caterpillar WebShell has a module to use a rootkit on a system.[6]

S1105 COATHANGER

COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices.[7]
S0502 Drovorub

Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.[8]
S0377 Ebury

Ebury acts as a user land rootkit using the SSH service.[9][10]
S0047 Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.[11]
S0394 HiddenWasp

HiddenWasp uses a rootkit to hook and implement functions on the system.[12]
S0135 HIDEDRV

HIDEDRV is a rootkit that hides certain operating system artifacts.[13]
S0009 Hikit

Hikit is a Rootkit that has been used by Axiom.[14] [15]

S0601 Hildegard

Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64().[16]
S0040 HTRAN

HTRAN can install a rootkit to hide network connections from the host OS.[17]
S0397 LoJax

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[2]
S0012 PoisonIvy

PoisonIvy starts a rootkit from a malicious file dropped to disk.[18]
S0458 Ramsay

Ramsay has included a rootkit to evade defenses.[19]

G0106 Rocke

Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[20]
S0468 Skidmap

Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.[21]
S0603 Stuxnet

Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.[22]
G0139 TeamTNT

TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.[23] [24]
S0221 Umbreon

Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.[25]
S0022 Uroburos

Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components.[26][27]
S0670 WarzoneRAT

WarzoneRAT can include a rootkit to hide processes, files, and startup.[28]
S0430 Winnti for Linux

Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.[29]
G0044 Winnti Group

Winnti Group used a rootkit to modify typical server functionality.[30]
S0027 Zeroaccess

Zeroaccess is a kernel-mode rootkit.[31]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0016 Drive Drive Modification

Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
DS0022 File File Modification

Monitor for changes and the existence of unrecognized DLLs, drivers, devices, services, and to the MBR. [32]
DS0001 Firmware Firmware Modification

Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior.

References

  1. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  2. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  3. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  4. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  5. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  6. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  7. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  8. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  9. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  10. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
  11. Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
  12. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  13. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  14. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
  15. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
  16. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  1. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  2. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  3. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  4. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  5. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  6. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  7. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  8. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  9. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  10. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  11. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  12. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  13. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  14. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  15. Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.
  16. Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.