Warning: Undefined variable $comments_html in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 527

Wormable Linux Rootkit Attack Multiple Systems to Steal SSH Keys and Privilege Escalation

Cybersecurity researchers at ANY.RUN have uncovered a sophisticated attack leveraging the Diamorphine rootkit to deploy a cryptocurrency miner on Linux systems, highlighting the growing misuse of open-source tools in malicious campaigns. By replacing the ps utility, installing the Diamorphine rootkit, and loading a library that intercepts system calls, the malware effectively hides its processes and activities from standard monitoring tools. ANY.RUN recommends leveraging tools like their platform for in-depth analysis, alongside proactive measures such as regular system updates, network monitoring for unusual SSH activity, and robust secrets management using solutions like GitHub Actions’ Secrets or HashiCorp Vault. The attack begins with a forked script, masquerading as a Python file, which deploys the Diamorphine rootkit—a Loadable Kernel Module (LKM) designed for Linux kernels across versions 2.6.x to 6.x on x86, x86_64, and ARM64 architectures. This layered approach makes detection and removal particularly challenging, as the rootkit becomes nearly invisible to traditional system utilities like lsmod—a problem exacerbated by the rootkit’s use of the list_del function, which removes it from the kernel module list, rendering rmmod ineffective. The Diamorphine rootkit is then loaded into the kernel, enabling it to manipulate system calls and further obscure the miner’s presence. The Diamorphine rootkit and the miner are both built from open-source code hosted on GitHub, a platform increasingly exploited by malicious actors. To ensure persistence, the script replaces the /bin/ps utility to hide its processes and establishes a systemd service, allowing the miner to restart after system reboots. The detailed analysis with ANY.RUN Sandbox exposes a multi-stage attack that employs advanced persistence and evasion techniques, posing a significant threat to Linux-based environments. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The rootkit intercepts system calls to conceal its activities while executing a carefully orchestrated sequence of steps. As Linux-targeted malware grows in sophistication, this Diamorphine rootkit campaign serves as a stark reminder of the need for vigilance.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 07 May 2025 15:34:58 +0000

Cyber News related to Wormable Linux Rootkit Attack Multiple Systems to Steal SSH Keys and Privilege Escalation

Wormable Linux Rootkit Attack Multiple Systems to Steal SSH Keys and Privilege Escalation - Cybersecurity researchers at ANY.RUN have uncovered a sophisticated attack leveraging the Diamorphine rootkit to deploy a cryptocurrency miner on Linux systems, highlighting the growing misuse of open-source tools in malicious campaigns. By replacing ...
3 months ago Cybersecuritynews.com

New SSH-Snake Malware Abuses SSH Credentials - Threat actors abuse SSH credentials to gain unauthorized access to systems and networks. SSH credential abuse provides a stealthy entry point for threat actors to compromise and control the targeted systems. On January 4th, 2024, the Sysdig Threat ...
1 year ago Cybersecuritynews.com

Rootkit Turns Kubernetes from Orchestration to Subversion - As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - ...
1 year ago Darkreading.com

Warning: Undefined array key "host" in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 364

Warning: Undefined variable $domain_html in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 466

CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago

Krasue RAT Uses Cross-Kernel Linux Rootkit to Attack Telecoms - Attackers likely tied the creators of the XorDdos Linux remote access Trojan have been wielding a separate Linux RAT for nearly two years without detection, using it to target organizations in Thailand and maintain malicious access to infected ...
1 year ago Darkreading.com

In a first, cryptographic keys protecting SSH connections stolen in new attack - For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the ...
1 year ago Arstechnica.com

CVE-2023-38291 - An issue was discovered in a third-party component related to ro.boot.wifimacaddr, shipped on devices from multiple device manufacturers. Various software builds for the following TCL devices (30Z and 10L) and Motorola devices (Moto G Pure and Moto G ...
1 year ago

Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
1 year ago Cisa.gov

Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
1 year ago Cisa.gov

What Is a Privilege Escalation Attack? Types & Prevention - Privilege escalation is a method that threat actors use to increase their access to systems and data that they aren't authorized to see. This guide to privilege escalation attacks covers the two main types, the avenues attackers use, and detection ...
1 year ago Esecurityplanet.com LAPSUS$ Turla Whitefly

CVE-2023-38298 - Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party ...
1 year ago

CVE-2023-38301 - An issue was discovered in a third-party component related to vendor.gsm.serial, shipped on devices from multiple device manufacturers. Various software builds for the BLU View 2, Boost Mobile Celero 5G, Sharp Rouvo V, Motorola Moto G Pure, Motorola ...
1 year ago

RSA Keys Security: Insights from SSH Server Signing Errors - In the realm of secure communication protocols, RSA keys play a pivotal role in safeguarding sensitive information. Recently, a group of researchers from prominent universities in California and Massachusetts uncovered a vulnerability in the SSH ...
1 year ago Securityboulevard.com

CVE-2024-52308 - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to ...
9 months ago Tenable.com

CVE-2023-38297 - An issue was discovered in a third-party com.factory.mmigroup component, shipped on devices from multiple device manufacturers. Certain software builds for various Android devices contain a vulnerable pre-installed app with a package name of ...
1 year ago

Hackers Attacking Linux SSH Servers to Deploy Scanner Malware - Hackers often target Linux SSH servers due to their widespread use in hosting critical services, and the following loopholes make them vulnerable, providing opportunities to hackers for unauthorized access and potential exploitation:-. Cybersecurity ...
1 year ago Gbhackers.com

New Outlaw Linux Malware Leveraging SSH Brute-Forcing & Corn Jobs to Maintain Persistence - This malware has demonstrated remarkable longevity in the threat landscape by leveraging simple yet effective tactics such as SSH brute-forcing, strategic persistence mechanisms, and cryptocurrency mining operations to maintain a growing botnet of ...
5 months ago Cybersecuritynews.com

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

Linux 'io_uring' security blindspot allows stealthy rootkit attacks - The flaw was discovered by ARMO security researchers who developed a proof-of-concept rootkit called "Curing" to demonstrate the practicality and feasibility of attacks leveraging io_uring for evasion. The researchers explain that io_uring supports a ...
4 months ago Bleepingcomputer.com

Debian and Ubuntu Fixed OpenSSH Vulnerabilities - Debian and Ubuntu have released security updates for their respective OS versions, addressing five flaws discovered in the openssh package. In this article, we will delve into the intricacies of these vulnerabilities, shedding light on their nature ...
1 year ago Securityboulevard.com CVE-2021-41617

CVE-2023-38296 - Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from ...
1 year ago

SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware - It is unclear how the hackers obtained initial access, but researchers investigating UNC6148 attacks noticed that the threat actor already had local administrator credentials on the targeted appliance. With shell access on the appliance, the threat ...
1 month ago Bleepingcomputer.com Abyss Hunters

CVE-2023-48795 - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client ...
9 months ago

Attackers Targeting Poorly Managed Linux SSH Servers - In recent times, Linux SSH servers have become a prime target for attackers aiming to compromise security and exploit vulnerabilities for malicious activities. This article delves into the growing concern surrounding poorly secured Linux SSH servers, ...
1 year ago Securityboulevard.com

IT and OT cybersecurity: A holistic approach - In comparison, OT refers to the specialized systems that control physical processes and industrial operations. OT Technologies include industrial control systems, SCADA systems and programmable logic controllers that directly control physical ...
1 year ago Securityintelligence.com