Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in cyber threats.
This article unravels its multi-faceted modules, from evasion tactics to persistent attacks, outlining how it manipulates system operations to remain undetected.
The rootkit is composed of multiple modules (talking about Rust modules, not kernel modules):
C2 sends crafted assembled x86_64 mnemonics to the rootkit, which then sends it to the VM guest to execute it. The VM guest is isolated from the host and can be used to execute malicious code.
Kernel do not see incoming malicous packets as they are filtered by the eBPF XDP program and sent to the LKM module, and outgoing packets are modified by the eBPF TC program.
Hooking is a fundamental capability of the rootkit, implemented using kprobes
in the Linux kernel. This technique intercepts and redirects the execution of system functions to monitor or modify their behavior.
In the context of this rootkit, kprobes
provides a powerful mechanism to interact with kernel functions without altering the source code directly.
To ensure stealth, the rootkit employs two primary anti-detection mechanisms:
lsmod
or /proc/modules
. To prevent detection: filldir64
Function to Hide a Specific Directoryfilldir64
function. This function is invoked when a process reads directory contents (e.g., via getdents
or readdir
system calls). filldir64
function using kprobes
./BLACKPILL-BLACKPILL
directory (used to store critical rootkit files), it is filtered out and not returned to the user.For more information click here.
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…