Dive into the dark intricacies of BlackPill, a sophisticated Linux rootkit engineered in Rust that epitomizes stealth and versatility in cyber threats.
This article unravels its multi-faceted modules, from evasion tactics to persistent attacks, outlining how it manipulates system operations to remain undetected.
The rootkit is composed of multiple modules (talking about Rust modules, not kernel modules):
C2 sends crafted assembled x86_64 mnemonics to the rootkit, which then sends it to the VM guest to execute it. The VM guest is isolated from the host and can be used to execute malicious code.
Kernel do not see incoming malicous packets as they are filtered by the eBPF XDP program and sent to the LKM module, and outgoing packets are modified by the eBPF TC program.
Hooking is a fundamental capability of the rootkit, implemented using kprobes
in the Linux kernel. This technique intercepts and redirects the execution of system functions to monitor or modify their behavior.
In the context of this rootkit, kprobes
provides a powerful mechanism to interact with kernel functions without altering the source code directly.
To ensure stealth, the rootkit employs two primary anti-detection mechanisms:
lsmod
or /proc/modules
. To prevent detection: filldir64
Function to Hide a Specific Directoryfilldir64
function. This function is invoked when a process reads directory contents (e.g., via getdents
or readdir
system calls). filldir64
function using kprobes
./BLACKPILL-BLACKPILL
directory (used to store critical rootkit files), it is filtered out and not returned to the user.For more information click here.
Nmap (Network Mapper) is a free tool that helps you find devices on a network,…
Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…
While file extensions in Linux are optional and often misleading, the file command helps decode what a…
The touch command is one of the quickest ways to create new empty files or update timestamps…
Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…
Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…