BlackPill : A Comprehensive Overview Of A Stealthy Linux Rootkit

Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in cyber threats.

This article unravels its multi-faceted modules, from evasion tactics to persistent attacks, outlining how it manipulates system operations to remain undetected.

Features

The rootkit is composed of multiple modules (talking about Rust modules, not kernel modules):

• defense evasion: hide files, processes, network connections, etc.
• hooking: hook syscalls and IDT
• hypervisor: create a virtual machine to execute malicious code
• persistence: make the rootkit persistent after reboot and resilient to supression
• utils: various utilities

C2 sends crafted assembled x86_64 mnemonics to the rootkit, which then sends it to the VM guest to execute it. The VM guest is isolated from the host and can be used to execute malicious code.

Kernel do not see incoming malicous packets as they are filtered by the eBPF XDP program and sent to the LKM module, and outgoing packets are modified by the eBPF TC program.

Hooking

Hooking is a fundamental capability of the rootkit, implemented using kprobes in the Linux kernel. This technique intercepts and redirects the execution of system functions to monitor or modify their behavior.

In the context of this rootkit, kprobes provides a powerful mechanism to interact with kernel functions without altering the source code directly.

Defense Evasion

To ensure stealth, the rootkit employs two primary anti-detection mechanisms:

1. Removing the Module from the Kernel Module List
   When a kernel module is loaded, it is added to the kernel’s module list, visible via tools like lsmod or /proc/modules. To prevent detection:
   • The rootkit manually removes itself from this list.
   • Despite being removed from the list, the module remains operational, enabling continued execution of its functionality.
2. Hooking the filldir64 Function to Hide a Specific Directory
   To conceal files used by the rootkit, a hook is implemented on the filldir64 function. This function is invoked when a process reads directory contents (e.g., via getdents or readdir system calls).
   • Hooking Process:
     • The rootkit intercepts the filldir64 function using kprobes.
     • During execution, the handler inspects directory entries returned to the user.
     • If an entry matches the /BLACKPILL-BLACKPILL directory (used to store critical rootkit files), it is filtered out and not returned to the user.
     • All other directory entries are returned normally, ensuring transparency for user-space tools.
3. Using eBPF XDP and TC Programs to Modify Ingress and Egress network traffic To normalize our malicious network communications, we use eBPF XDP (eXpress Data Path) and TC (Traffic Control) programs. As such, we can:
   • Intercept specific incoming (ingress) packets with the XDP program at the lowest network level by matching the crafted TCP payload signature from our C2, which we then redirect to a custom BPF map for VM/LKM processing.
   • Intercept specific outgoing (egress) packets with the TC program by matching TCP packets generated by VM/LKM, which we then modify by overwriting their payload with our C2 response data.
     • The original packets are automatically retransmitted by TCP, maintaining the appearance of legitimate traffic.

For more information click here.