Cybersecurity researchers at ANY.RUN have uncovered a multi-stage attack that uses the Diamorphine rootkit to hide a cryptocurrency miner on Linux systems, highlighting the growing misuse of open-source tools in malicious campaigns. Both the rootkit and the miner are built from open-source code hosted on GitHub, a platform increasingly exploited by malicious actors.

The attack begins with a forked script masquerading as a Python file. Working through a carefully orchestrated sequence of steps, it replaces the /bin/ps utility so that the miner's processes are dropped from process listings, loads a shared library that intercepts system calls, and installs Diamorphine, a Loadable Kernel Module (LKM) rootkit that supports Linux kernels from 2.6.x through 6.x on x86, x86_64 and ARM64. Once loaded into the kernel, Diamorphine hooks system calls to further obscure the miner's presence. To survive reboots, the script also registers a systemd service that restarts the miner.

This layered approach makes detection and removal particularly challenging. The rootkit is nearly invisible to standard utilities such as lsmod: it calls the kernel's list_del function on its own entry in the module list, so it no longer appears in /proc/modules and rmmod cannot find it to unload it. Combined with the trojaned ps binary and the intercepted system calls, the miner's processes and activity are concealed from ordinary monitoring tools.

ANY.RUN's analysis in its sandbox shows an attack that pairs advanced persistence with evasion, posing a significant threat to Linux-based environments. ANY.RUN recommends in-depth analysis with tools such as its platform, alongside proactive measures: regular system updates, network monitoring for unusual SSH activity, and robust secrets management with solutions such as GitHub Actions' Secrets or HashiCorp Vault. As Linux-targeted malware grows in sophistication, this Diamorphine rootkit campaign serves as a stark reminder of the need for vigilance.
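Each of the hiding techniques described above leaves a gap that can be checked from the host: a module unlinked from the kernel module list still has its /sys/module entry, a process filtered out of a directory listing can still be opened by path, and a trojaned ps disagrees with /proc. The script below is an added example written for this page, not ANY.RUN's tooling or code from the campaign. It assumes a Linux host with /proc and /sys mounted, root privileges for full coverage, and a Debian- or RHEL-style package manager for verifying ps; the list of scratch directories used to flag systemd units is this example's own heuristic. The pure functions take already-collected data so the comparison logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Host triage for a Diamorphine-style LKM rootkit.

Added example for this page, not ANY.RUN's tooling or code from the campaign.
Assumes a Linux host with /proc and /sys mounted; run as root for full coverage.
The pure functions take already-collected data so they can be exercised offline.
"""
import os
import re
import subprocess

# Heuristic for persistence units; the directory list is this example's assumption.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.")


def parse_proc_modules(text):
    """Module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loadable_modules_in_sysfs(sysfs="/sys/module"):
    """Loadable modules each own /sys/module/<name>/initstate; built-ins do not.

    Diamorphine's module_hide() runs list_del() on its entry in the kernel
    module list, which drops it from /proc/modules and lsmod, but the sysfs
    kobject created at load time stays behind.
    """
    return {n for n in os.listdir(sysfs)
            if os.path.exists(os.path.join(sysfs, n, "initstate"))}


def hidden_modules(proc_modules_text, sysfs_loadable):
    """Loadable modules present in sysfs but unlinked from /proc/modules."""
    return sorted(set(sysfs_loadable) - parse_proc_modules(proc_modules_text))


def pids_from_readdir(proc="/proc"):
    """PIDs as a directory listing reports them; a getdents() hook filters here."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def pids_by_probe(proc="/proc", pid_max=None):
    """PIDs found by opening /proc/<pid>/status directly, which a getdents()
    filter does not see (the classic 'brute' check from tools like unhide)."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(f"{proc}/{pid}/status")}


def hidden_pids(listed, probed):
    """PIDs reachable by direct probe but absent from the directory listing."""
    return sorted(set(probed) - set(listed))


def parse_ps_pids(ps_output):
    """PIDs from `ps -eo pid=`; a trojaned /bin/ps simply omits the miner's line."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def suspicious_exec_lines(unit_text):
    """ExecStart lines of a systemd unit whose binary lives in a scratch or hidden dir."""
    hits = []
    for line in unit_text.splitlines():
        m = re.match(r"\s*ExecStart\s*=\s*[-@+!:]*\s*(\S+)", line)
        if m and any(d in m.group(1) for d in SUSPICIOUS_EXEC_DIRS):
            hits.append(line.strip())
    return hits


def main():
    with open("/proc/modules") as f:
        print("loaded in sysfs but missing from /proc/modules:",
              hidden_modules(f.read(), loadable_modules_in_sysfs()) or "none")

    listed = pids_from_readdir()
    probed = pids_by_probe()
    print("PIDs hidden from readdir:", hidden_pids(listed, probed) or "none")

    # Compare the kernel's view with whatever /bin/ps chooses to print.
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    missing_from_ps = sorted(listed - parse_ps_pids(ps_out))  # exited processes are noise here
    print("PIDs in /proc but not in ps output:", missing_from_ps or "none")

    for unit_dir in ("/etc/systemd/system", "/usr/lib/systemd/system"):
        if not os.path.isdir(unit_dir):
            continue
        for name in os.listdir(unit_dir):
            path = os.path.join(unit_dir, name)
            if name.endswith(".service") and os.path.isfile(path):
                with open(path, errors="replace") as f:
                    for hit in suspicious_exec_lines(f.read()):
                        print(f"{path}: {hit}")


if __name__ == "__main__":
    main()
```

Run it with python3 as root; the PID probe touches every PID up to pid_max, so it takes a few seconds. Processes that exit between the /proc listing and the ps call show up as noise in the ps comparison, so rerun before acting on a single PID. A loadable module present in /sys/module but absent from /proc/modules is the list_del signature the article describes; in the publicly available Diamorphine source the module relinks itself when it receives its configured signal (kill -63 0 by default), after which rmmod works, but a rebuilt sample may use different signal numbers and could also remove its sysfs entry, so treat an empty result as absence of evidence rather than a clean bill. Verify the ps binary through the package manager (dpkg -V procps on Debian-based systems, rpm -V procps-ng on RHEL-based ones) instead of trusting its output, and have the package manager reinstall it if verification fails.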
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 07 May 2025 15:34:58 +0000