Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in cyber threats.
This article unravels its multi-faceted modules, from evasion tactics to persistent attacks, outlining how it manipulates system operations to remain undetected.
The rootkit is composed of multiple modules (talking about Rust modules, not kernel modules):
- Command and control: the C2 sends crafted, assembled x86_64 instructions to the rootkit, which forwards them to the VM guest for execution. The VM guest is isolated from the host and can be used to execute malicious code.
- Network filtering: the kernel does not see incoming malicious packets, because they are filtered by the eBPF XDP program and handed to the LKM module instead; outgoing packets are modified by the eBPF TC program.
Hooking is a fundamental capability of the rootkit, implemented using kprobes in the Linux kernel. This technique intercepts and redirects the execution of system functions to monitor or modify their behavior. In the context of this rootkit, kprobes provide a powerful mechanism to interact with kernel functions without altering the source code directly.
To ensure stealth, the rootkit employs two primary anti-detection mechanisms:
1. Hiding the kernel module, so that it does not appear in lsmod or /proc/modules.
2. Hooking filldir64 to hide a specific directory. To prevent detection, the rootkit hooks the filldir64 function, which is invoked whenever a process reads directory contents (e.g., via the getdents or readdir system calls). Because the hook is placed on filldir64 using kprobes, every directory entry passes through it before being returned: when the entry is the ./BLACKPILL-BLACKPILL directory (used to store critical rootkit files), it is filtered out and not returned to the user.
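Two checks a defender can run against the stealth mechanisms described above (the filldir64 kprobe hook, and the module being hidden from lsmod and /proc/modules), as an added example that is not part of this article or of the BlackPill code. It assumes the kernel's text format for /sys/kernel/debug/kprobes/list and /proc/modules; the probe lines, the module list and the module name example_hidden_lkm are constructed sample data, and read_sys_module_loaded is a helper written for this example.

```python
"""Defender-side checks for the stealth techniques described above.

Added example, not code from the BlackPill project. It parses the text format
of /sys/kernel/debug/kprobes/list (one probe per line:
"<addr>  <k|r>  <symbol>+0x<offset>  [<module>] [FLAGS]...") to spot kprobes
planted on directory-listing functions, and cross-checks /proc/modules (what
lsmod shows) against the loaded-module directories under /sys/module, since a
module unlinked from the kernel's module list vanishes from the former but not
from the latter. All sample inputs below are constructed for the example.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Symbols on the directory-listing path that a rootkit hooks to hide files.
# filldir64 is the one described above; filldir is its 32-bit/compat sibling.
SENSITIVE_SYMBOLS = {"filldir64", "filldir"}


@dataclass
class Probe:
    addr: str
    kind: str                    # "k" = kprobe, "r" = kretprobe
    symbol: str
    offset: int
    module: Optional[str]        # module owning the probed address, None for core kernel
    flags: list[str] = field(default_factory=list)


def parse_kprobe_line(line: str) -> Optional[Probe]:
    """Parse one line of /sys/kernel/debug/kprobes/list; None for non-probe lines."""
    parts = line.split()
    if len(parts) < 3 or parts[1] not in ("k", "r"):
        return None
    symbol, _, rest = parts[2].partition("+0x")
    offset = int(rest.split("/")[0] or "0", 16)      # tolerate "sym+0x10/0x200"
    module, flags = None, []
    for tok in parts[3:]:
        if tok.startswith("["):                      # "[FTRACE][OPTIMIZED]" run together
            flags.extend(re.findall(r"\[([A-Z]+)\]", tok))
        else:
            module = tok
    return Probe(parts[0], parts[1], symbol, offset, module, flags)


def suspicious_probes(kprobes_text: str, sensitive=SENSITIVE_SYMBOLS) -> list[Probe]:
    """Live (neither GONE nor DISABLED) probes sitting on sensitive symbols."""
    hits = []
    for line in kprobes_text.splitlines():
        probe = parse_kprobe_line(line)
        if probe and probe.symbol in sensitive and not ({"GONE", "DISABLED"} & set(probe.flags)):
            hits.append(probe)
    return hits


def hidden_modules(proc_modules_text: str, sys_module_loaded: set[str]) -> set[str]:
    """Names under /sys/module that look loaded but are absent from /proc/modules.

    sys_module_loaded should contain only /sys/module entries that carry an
    'initstate' file; built-in code with parameters also gets a directory there
    but no initstate, so including it would produce false positives.
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sys_module_loaded - listed


def read_sys_module_loaded(root: str = "/sys/module") -> set[str]:
    """Collect loaded-module names from sysfs on a live host (no root needed)."""
    try:
        names = os.listdir(root)
    except OSError:
        return set()
    return {n for n in names if os.path.exists(os.path.join(root, n, "initstate"))}


# Constructed samples: one kprobe at the entry of filldir64 (the FTRACE flag
# marks an entry probe placed through ftrace), two benign tracing probes, and a
# module still present in sysfs that /proc/modules no longer lists.
KPROBES_SAMPLE = """\
0000000000000000  k  filldir64+0x0    [FTRACE][OPTIMIZED]
0000000000000000  r  do_sys_openat2+0x0    [DISABLED]
0000000000000000  k  vfs_read+0x0    [FTRACE]
"""
PROC_MODULES_SAMPLE = """\
ext4 905216 2 - Live 0x0000000000000000
xt_conntrack 16384 1 - Live 0x0000000000000000
"""
SYS_MODULE_LOADED_SAMPLE = {"ext4", "xt_conntrack", "example_hidden_lkm"}  # hypothetical name


if __name__ == "__main__":
    for p in suspicious_probes(KPROBES_SAMPLE):
        print(f"kprobe on {p.symbol}+0x{p.offset:x} ({p.kind}) flags={p.flags}")
    print("modules hidden from lsmod:", hidden_modules(PROC_MODULES_SAMPLE, SYS_MODULE_LOADED_SAMPLE))
```

On a real host, /sys/kernel/debug/kprobes/list needs root and a mounted debugfs, and addresses are zeroed unless kptr_restrict allows them. Because the rootkit's own hook sits on the directory-listing path, it can in principle filter these listings too, so a mismatch found here is a strong signal while a clean result is not proof; corroborate from a trusted boot medium or a memory image.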