EXECUTIVE SUMMARY
IranuKit is a modular Linux kernel rootkit designed to achieve stealth and persistence on x86_64 systems through several interdependent components. It was discovered in an open directory containing malware samples, which included a bootkit, two kernel modules (dropper.ko and rootkit_loader.ko), and a shared library called systemdInjector.so. Each component serves a specific purpose in the rootkit's operation. The shared library starts the chain by loading dropper.ko, which executes binaries and hides itself using kernel hooks. These hooks modify system calls and kernel APIs to conceal files, processes, and network activity. The modular design indicates that IranuKit is likely still under development, with placeholders suggesting potential future features. Although the bootkit plays a role in its persistence, this analysis focuses on the rootkit's kernel modules and shared library.
The rootkit operates in layers. The shared library systemdInjector.so calls the finit_module system call to load dropper.ko, which unpacks and executes a binary at optobserver and hides itself by altering the kernel's module list. The unpacked binary then checks its environment, possibly to determine whether it is running under a graphical interface, and loads rootkit_loader.ko, a second kernel module that uses the same methods to avoid detection. rootkit_loader.ko registers a character device and unpacks a binary that executes and manages shellcode in memory. Both kernel modules hook the getdents and getdents64 system calls to hide files and directories, and hook the kernel's tcp4_seq_show function (the seq_file handler behind /proc/net/tcp) to conceal TCP connections. The extracted binaries share much of their functionality, showing that the rootkit is designed as a cohesive system that prioritizes stealth.
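Each hiding technique described above tampers with one kernel path while leaving an independent path untouched, and that gap is what a defender can check. The script below is an added example written for this report, not code from IranuKit or its analysts: it compares /proc/modules against /sys/module (a module unlinked from the kernel's module list still has its sysfs kobject unless the rootkit also removes it), compares the getdents64-based listing of /proc against direct path lookups of /proc/<pid>, and compares the seq_file view in /proc/net/tcp against the netlink sock_diag view that `ss` uses, which a tcp4_seq_show hook does not filter. The sample /proc/modules, /proc/net/tcp and `ss -H4tan` texts are constructed for illustration; the rootkit_loader module name and the 203.0.113.9 peer in them are assumed, not observed indicators. The little-endian address encoding in /proc/net/tcp assumes x86_64, the platform the report names.

```python
"""Cross-view consistency checks for rootkit hiding (added example)."""
import os
import socket

# --- 1. Kernel module list vs sysfs ------------------------------------------
def parse_proc_modules(text):
    """Module names from /proc/modules ('name size refcnt deps state addr')."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def hidden_modules(proc_modules_text, sysfs_loaded):
    """Loaded modules seen in /sys/module but missing from /proc/modules.
    Unlinking from the kernel's module list removes the lsmod row; the sysfs
    kobject survives unless the rootkit deletes it too (a caveat, not a fix)."""
    return sorted(set(sysfs_loaded) - parse_proc_modules(proc_modules_text))

def collect_sysfs_loaded(root="/sys/module"):
    # Built-in modules also get a /sys/module entry (when they have parameters)
    # but never an 'initstate' file, so that file marks a loaded .ko.
    return [n for n in os.listdir(root)
            if os.path.exists(os.path.join(root, n, "initstate"))]

# --- 2. /proc directory listing (getdents64) vs direct lookup ----------------
def hidden_pids(listed_pids, probe, pid_max):
    """PIDs that a direct lookup confirms but the listing omitted.
    probe(pid) -> True if /proc/<pid> resolves.  Path lookup never goes through
    getdents, so a getdents/getdents64 hook that drops entries does not see it."""
    listed = set(listed_pids)
    return [pid for pid in range(1, pid_max + 1)
            if pid not in listed and probe(pid)]

def collect_listed_pids(root="/proc"):
    return {int(n) for n in os.listdir(root) if n.isdigit()}

def probe_proc_pid(pid):
    return os.path.isdir("/proc/%d" % pid)

def read_pid_max():
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())

# --- 3. /proc/net/tcp (seq_file, hookable) vs ss (netlink sock_diag) ---------
def _hex_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22); x86_64 stores the IPv4 little-endian."""
    addr, port = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr)[::-1]), int(port, 16)

def parse_proc_net_tcp(text):
    """Set of (local_ip, local_port, remote_ip, remote_port) from /proc/net/tcp."""
    conns = set()
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) >= 3:
            conns.add(_hex_endpoint(f[1]) + _hex_endpoint(f[2]))
    return conns

def _ss_endpoint(field):
    host, port = field.rsplit(":", 1)
    return host, (0 if port == "*" else int(port))

def parse_ss_tcp4(text):
    """Same tuples from `ss -H4tan` (State Recv-Q Send-Q Local Peer)."""
    conns = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5:
            conns.add(_ss_endpoint(f[3]) + _ss_endpoint(f[4]))
    return conns

def hidden_tcp4(proc_net_tcp_text, ss_text):
    """Sockets the netlink view reports but the seq_file view omits: the
    signature of a filtering hook on tcp4_seq_show (inet_diag is a separate path)."""
    return sorted(parse_ss_tcp4(ss_text) - parse_proc_net_tcp(proc_net_tcp_text))

# --- Constructed sample views (not captured from a real infection) -----------
SAMPLE_PROC_MODULES = (
    "xt_conntrack 16384 1 - Live 0xffffffffc0a1b000\n"
    "ext4 843776 2 - Live 0xffffffffc0900000\n")
SAMPLE_SYSFS_LOADED = ["xt_conntrack", "ext4", "rootkit_loader"]  # assumed name
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n")
SAMPLE_SS = (
    "LISTEN 0      128    127.0.0.1:22      0.0.0.0:*\n"
    "ESTAB  0      0      10.0.0.5:44321    203.0.113.9:4444\n")

if __name__ == "__main__":
    # Offline demonstration on the constructed views, then the live host.
    print("hidden modules (sample):", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADED))
    print("hidden tcp4 (sample):   ", hidden_tcp4(SAMPLE_PROC_NET_TCP, SAMPLE_SS))
    with open("/proc/modules") as f:
        print("hidden modules (live):  ", hidden_modules(f.read(), collect_sysfs_loaded()))
    print("hidden pids (live):     ", hidden_pids(collect_listed_pids(), probe_proc_pid, read_pid_max()))
```

On a live host, feed `hidden_tcp4` the contents of /proc/net/tcp and the output of `ss -H4tan`; the PID probe should be run as root so that every /proc/<pid> is reachable, and any hit from these checks is a lead to confirm with memory forensics rather than a verdict, since a rootkit that also deletes its sysfs kobject or hooks the netlink path will pass them.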
IranuKit is a modular rootkit framework that combines several techniques to remain hidden and persistent on infected systems. Its manipulation of kernel structures, hiding of system artifacts, and use of dynamically loaded components show a clear focus on evasion. Although functional, unfinished features such as the SELinux hooks in systemdInjector.so indicate that it is still under development. Components such as the character device and the hooking of system calls and kernel functions let it stay hidden while carrying out malicious activity, and the bundled bootkit lets the rootkit survive reboots, adding another layer of persistence. Understanding and analyzing threats like IranuKit is critical for improving defenses against evolving malware that targets Linux systems.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Execution | T1106 | Native API |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Defense Evasion | T1542 | Pre-OS Boot |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1014 | Rootkit |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1556 | Modify Authentication Process |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Collection | T1123 | Audio Capture |
| Command and Control | T1090 | Proxy |
REFERENCES:
The following reports contain further technical details: