Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. [1]
Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system or lower, including a hypervisor, the Master Boot Record, or system firmware. [2] Rootkits have been seen for Windows, Linux, and Mac OS X systems. [3] [4]
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.[5][6] |
G0096 | APT41 | |
S0484 | Carberp | Carberp has used user mode rootkit techniques to remain hidden on the system.[9] |
S0572 | Caterpillar WebShell | Caterpillar WebShell has a module to use a rootkit on a system.[10] |
S1105 | COATHANGER | COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices.[11] |
S0502 | Drovorub | Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.[12] |
S0377 | Ebury | Ebury has used user mode rootkit techniques to remain hidden on the system.[13] |
S0047 | Hacking Team UEFI Rootkit | Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.[14] |
S0394 | HiddenWasp | HiddenWasp uses a rootkit to hook and implement functions on the system.[15] |
S0135 | HIDEDRV | HIDEDRV is a rootkit that hides certain operating system artifacts.[16] |
S0009 | Hikit | |
S0601 | Hildegard | Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64().[19] |
S0040 | HTRAN | HTRAN can install a rootkit to hide network connections from the host OS.[20] |
S0397 | LoJax | LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[6] |
S0012 | PoisonIvy | PoisonIvy starts a rootkit from a malicious file dropped to disk.[21] |
S0458 | Ramsay | |
G0106 | Rocke | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[23] |
S0468 | Skidmap | Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and to fake network and CPU-related statistics so that the CPU load of the infected machine always appears low.[24] |
S0603 | Stuxnet | Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.[25] |
G0139 | TeamTNT | TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.[26] [27] |
S0221 | Umbreon | Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access, and undermining strace, a tool often used to identify malware.[28] |
S0022 | Uroburos | Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components.[29][30] |
S0670 | WarzoneRAT | WarzoneRAT can include a rootkit to hide processes, files, and startup.[31] |
S0430 | Winnti for Linux | Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.[32] |
G0044 | Winnti Group | Winnti Group used a rootkit to modify typical server functionality.[33] |
S0027 | Zeroaccess | Zeroaccess is a kernel-mode rootkit.[34] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0016 | Drive | Drive Modification | Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. |
DS0022 | File | File Modification | Monitor for changes to, and the existence of, unrecognized DLLs, drivers, devices, services, and the MBR. [2] |
DS0001 | Firmware | Firmware Modification | Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. |
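The /etc/ld.so.preload hooks on readdir()/readdir64() used by Hildegard, Rocke, Umbreon and the Azazel-based Winnti library all work by filtering what libc hands back to a process, so one practical check is to compare libc's view of a directory with what the kernel returns through the raw getdents64 syscall. The program below is an added example written for this page, not MITRE's or any vendor's code; it assumes a Linux host with glibc (x86_64 or aarch64) and a mounted /proc, and it only exposes user-mode hooks, since a kernel-mode rootkit such as Diamorphine or Skidmap filters the syscall itself.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

struct raw_dirent64 {            /* record layout the getdents64 syscall returns */
    unsigned long long d_ino; long long d_off; unsigned short d_reclen;
    unsigned char d_type; char d_name[];
};

/* 1 if libc's readdir() reports `name` inside `dir`. This is the path a
   user-mode rootkit hooks via /etc/ld.so.preload, so it may be filtered. */
static int readdir_sees(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    if (!d) return 0;
    int found = 0;
    for (struct dirent *e; !found && (e = readdir(d)) != NULL;)
        found = strcmp(e->d_name, name) == 0;
    closedir(d);
    return found;
}

/* Lists `dir` with getdents64 directly, which a preloaded library cannot
   intercept, and counts entries readdir() omitted; each omitted name goes to
   `report` (may be NULL). Returns -1 if `dir` cannot be opened. */
int hidden_entries(const char *dir, void (*report)(const char *)) {
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768]; int hidden = 0;
    for (long n; (n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;) {
        for (long off = 0; off < n;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            if (!readdir_sees(dir, d->d_name)) {   /* kernel sees it, libc does not */
                hidden++;
                if (report) report(d->d_name);
            }
            off += d->d_reclen;
        }
    }
    close(fd);
    return hidden;
}

static void print_hidden(const char *name) { printf("hidden from readdir(): %s\n", name); }

int main(void) {
    int n = hidden_entries("/proc", print_hidden);  /* hidden PIDs show up here */
    printf("%d entries visible to the kernel but not to libc\n", n);
    return n != 0;
}
```

Because /proc changes while the two listings are taken, a single short-lived PID can show up as a one-off difference; a name that is hidden on repeated runs is the signal worth investigating, together with the contents of /etc/ld.so.preload itself.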