Analyzing IranuKit: A modular linux kernel rootkit | Humzak711

submited by
Style Pass
2024-11-26 09:00:03

While hanging out on the Rootkit Researchers Discord Server, Matheuz discovered an open directory containing some intriguing malware samples. Among these were a bootkit, two kernel modules (dropper.ko and rootkit_loader.ko), and a shared library named systemdInjector.so.

This write-up focuses on the two kernel modules and the shared library to uncover how they operate together, emphasizing stealth, persistence, and modularity.

First things first we will get to analyzing systemdInjector.so. Upon opening it in binary ninja we can see that its job is to load dropper.ko which it assumes is located at /opt/dropper.ko, it does this by calling a function named load_module_from_path which loads a kernel module at a given filepath. load_module_from_path does this by first opening the file to get a file descriptor to it and then making a system call to finit_module with the file descriptor as an argument.

Whats interesting about systemdInjector.so is that it contains placeholders for hooks on SElinux, and also contains a function called init_module which makes a system call to init_module to load a kernel module from memory, however it doesn’t seem to utilize this function anywhere.

Leave a Comment