Intel Name: Deep dive into a Linux rootkit malware
Date of Scan: January 14, 2025
Impact: High
Summary: In this analysis, we examined the rootkit malware in detail. We first described how the kernel module registers a Netfilter hook function on NF_INET_PRE_ROUTING to intercept incoming TCP traffic directed at the compromised system. We then detailed the tasks performed by the Netfilter hook function, including parsing attacker-initiated packets and the format of the response packets, invoking the user-space file, and facilitating data exchange between the user-space process and the kernel module.