Deep dive into a linux rootkit malware

Intel Name: Deep dive into a linux rootkit malware

Date of Scan: January 14, 2025

Impact: High

Summary:
In this analysis, we examine the rootkit in detail. We first describe how its kernel module registers a Netfilter hook on NF_INET_PRE_ROUTING, the hook point that sees every incoming IPv4 packet before the kernel's routing decision and before the INPUT chain, so the module can intercept TCP traffic directed at the compromised host regardless of whether a local service listens on the destination port or a host firewall rule would later drop it. We then detail the work the hook function performs: parsing attacker-initiated packets and the format of the response packets it emits, launching the rootkit's user-space component, and relaying data between that user-space process and the kernel module.
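The classification step such a PRE_ROUTING hook performs, as an added example that is neither the rootkit's code nor taken from the analysis: in the kernel the module fills a struct nf_hook_ops with hooknum = NF_INET_PRE_ROUTING and pf = NFPROTO_IPV4, hands it to nf_register_net_hook(), and then receives every packet as a struct sk_buff. The part of the hook that decides whether a packet is IPv4/TCP and locates its payload is written here over a raw byte buffer so it runs in user space without a kernel; the packet bytes, addresses, ports and payload are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict of the classification step. In the kernel the hook returns
 * NF_ACCEPT for packets it does not care about; PASS stands in for that. */
enum verdict { PASS = 0, INSPECT = 1 };

/* Fields the hook extracts once it has decided the packet is TCP. */
struct tcp_view {
    uint32_t saddr, daddr;   /* host byte order */
    uint16_t sport, dport;   /* host byte order */
    const uint8_t *payload;  /* points into the packet buffer */
    size_t payload_len;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Classify one packet as it is seen at NF_INET_PRE_ROUTING: IPv4 header first,
 * routing decision not yet made, no local socket involved.
 * Returns INSPECT only for a well-formed IPv4/TCP packet carrying payload.
 * Every header length is validated against the buffer before it is used; the
 * kernel equivalent is pskb_may_pull() before dereferencing ip_hdr()/tcp_hdr(). */
enum verdict classify_prerouting(const uint8_t *pkt, size_t len, struct tcp_view *v)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PASS;                          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = be16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len)
        return PASS;                          /* bogus or truncated IP header */
    if (pkt[9] != 6)
        return PASS;                          /* IPPROTO_TCP only */
    if (tot - ihl < 20)
        return PASS;                          /* no room for a TCP header */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot)
        return PASS;                          /* bad TCP data offset */

    v->saddr = be32(pkt + 12);
    v->daddr = be32(pkt + 16);
    v->sport = be16(tcp);
    v->dport = be16(tcp + 2);
    v->payload = tcp + doff;
    v->payload_len = tot - ihl - doff;
    return v->payload_len ? INSPECT : PASS;
}

/* Build a minimal IPv4/TCP packet (constructed test input; checksums are left
 * zero because the classification above never checks them). Returns bytes written. */
size_t build_tcp_packet(uint8_t *buf, size_t cap,
                        uint32_t saddr, uint32_t daddr,
                        uint16_t sport, uint16_t dport,
                        const uint8_t *payload, size_t plen)
{
    size_t tot = 20 + 20 + plen;
    if (tot > cap || tot > 0xffff)
        return 0;
    memset(buf, 0, tot);
    buf[0] = 0x45;                            /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(tot >> 8);
    buf[3] = (uint8_t)(tot & 0xff);
    buf[8] = 64;                              /* TTL */
    buf[9] = 6;                               /* IPPROTO_TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    uint8_t *tcp = buf + 20;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 5 << 4;                         /* data offset = 5 words */
    tcp[13] = 0x18;                           /* PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return tot;
}

int main(void)
{
    uint8_t buf[128];
    struct tcp_view v;
    static const uint8_t msg[] = "ping";      /* constructed payload */
    size_t n = build_tcp_packet(buf, sizeof buf, 0x0a000001, 0x0a000002,
                                40000, 8080, msg, sizeof msg - 1);
    if (classify_prerouting(buf, n, &v) == INSPECT)
        printf("TCP %u -> %u, %zu payload bytes\n", v.sport, v.dport, v.payload_len);
    return 0;
}
```

Two points of this example matter when reading the rootkit's own hook. First, a PRE_ROUTING hook receives packets for ports with no listener and ahead of the INPUT chain, so a module that answers a TCP segment from inside the hook never shows up as a listening socket and is not subject to iptables INPUT rules; a hook registered with priority NF_IP_PRI_FIRST runs before the raw table as well. Second, every length check above corresponds to a decision the hook has to make on attacker-supplied bytes; a malicious module that skips them is itself a remotely triggerable kernel memory-safety bug on the compromised host.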

More Details