HCRootkit / Sutersu Linux Rootkit Analysis
Tags
maec-delivery-vectors: Watering Hole
attack-pattern: Data Credentials - T1589.001 Domains - T1583.001 Domains - T1584.001 Junk Data - T1001.001 Malware - T1587.001 Malware - T1588.001 Match Legitimate Name Or Location - T1036.005 Python - T1059.006 Server - T1583.004 Server - T1584.004 Ssh - T1021.004 Indicator Removal On Host - T1070 Rootkit - T1014 Sudo - T1169 Rootkit
Show in Graph
Common Information
Type Value
UUID 8fc55a21-fde5-42eb-bce4-ecf453e0006c
Fingerprint 60158bdb44f7a2ce
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 23, 2021, midnight
Added to db Aug. 31, 2024, 10 a.m.
Last updated Nov. 17, 2024, 6:49 p.m.
Headline HCRootkit / Sutersu Linux Rootkit Analysis
Title HCRootkit / Sutersu Linux Rootkit Analysis
Detected Hints/Tags/Attributes 59/2/30
Source URLs
Redirection Url
Details Source https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis
Details Source https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/
URL Provider
Details Provider Source level domain
Details lacework.com www.lacework.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 326 Lacework Blog https://www.lacework.com/lacework_blog.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 2 
ywbgrcrupasdiqxknwgceatlnbvmezti.com
Details Domain 2 
pdjwebrfgdyzljmwtxcoyomapxtzchvn.com
Details Domain 2 
yhgrffndvzbtoilmundkmvbaxrjtqsew.com
Details Domain 2 
wcmbqxzeuopnvyfmhkstaretfciywdrl.name
Details Domain 2 
ruciplbrxwjscyhtapvlfskoqqgnxevw.name
Details Domain 2 
esnoptdkkiirzewlpgmccbwuynvxjumf.name
Details Domain 2 
nfcomizsdseqiomzqrxwvtprxbljkpgd.name
Details Domain 2 
hkxpqdtgsucylodaejmzmtnkpfvojabe.com
Details Domain 2 
etzndtcvqvyxajpcgwkzsoweaubilflh.com
Details Domain 2 
posts.lacework.com
Details File 1 
upload_passwd.pas
Details sha256 1 
602c435834d796943b1e547316c18a9a64c68f032985e7a5a763339d82598915
Details sha256 1 
10c7e04d12647107e7abf29ae612c1d0e76a79447e03393fa8a44f8a164b723d
Details sha256 1 
54b1a9338aa7df8a97fea8da863c615352368f3fc67e3caceb6ee65eb71bdbff
Details sha256 1 
efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa
Details sha256 1 
6187541be6d2a9d23edaa3b02c50aea644c1ac1a80ff3e4ddd441b0339e0dd1b
Details sha256 1 
19b4ccbd5dedcd355eb6c10eabcf7884a92350717815c4fc02d886bc76ecd917
Details sha256 1 
7e5b97135e9a68000fd3efee51dc5822f623b3183aecc69b42bde6d4b666cfe1
Details sha256 1 
d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30
Details sha256 1 
7b48feabd0ffc72833043b14f9e0976511cfde39fd0174a40d1edb5310768db3
Details sha256 1 
2daa5503b7f068ac471330869ccfb1ae617538fecaea69fd6c488d57929f8279
Details IPv4 1441 
127.0.0.1
Details IPv4 2 
172.96.231.69
Details IPv4 2 
47.112.197.119
Details MITRE ATT&CK Techniques 247 
T1070
Details MITRE ATT&CK Techniques 183 
T1036.005
Details Url 1 
https://posts.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis
Details Yara rule 1 
rule linux_mal_hcrootkit_1 {
	meta:
		description = "Detects Linux HCRootkit, as reported by Avast"
		hash1 = "2daa5503b7f068ac471330869ccfb1ae617538fecaea69fd6c488d57929f8279"
		hash2 = "10c7e04d12647107e7abf29ae612c1d0e76a79447e03393fa8a44f8a164b723d"
		hash3 = "602c435834d796943b1e547316c18a9a64c68f032985e7a5a763339d82598915"
		author = "Lacework Labs"
		ref = "https://posts.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/"
	strings:
		$a1 = "172.96.231."
		$a2 = "/tmp/.tmp_XXXXXX"
		$s1 = "/proc/net/tcp"
		$s2 = "/proc/.inl"
		$s3 = "rootkit"
	condition:
		uint32(0) == 0x464c457f and ((any of ($a*)) and (any of ($s*)))
}
Details Yara rule 1 
rule linux_mal_hcrootkit_2 {
	meta:
		description = "Detects Linux HCRootkit Wide, unpacked"
		hash1 = "2daa5503b7f068ac471330869ccfb1ae617538fecaea69fd6c488d57929f8279"
		hash2 = "10c7e04d12647107e7abf29ae612c1d0e76a79447e03393fa8a44f8a164b723d"
		author = "Lacework Labs"
		ref = "https://posts.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/"
	strings:
		$s1 = "s_hide_pids"
		$s2 = "handler_kallsyms_lookup_name"
		$s3 = "s_proc_ino"
		$s4 = "n_filldir"
		$s5 = "s_is_proc_ino"
		$s6 = "n_tcp4_seq_show"
		$s7 = "r_tcp4_seq_show"
		$s8 = "s_hide_tcp4_ports"
		$s9 = "s_proc_open"
		$s10 = "s_proc_show"
		$s11 = "s_passwd_buf"
		$s12 = "s_passwd_buf_len"
		$s13 = "r_sys_write"
		$s14 = "r_sys_mmap"
		$s15 = "r_sys_munmap"
		$s16 = "s_hide_strs"
		$s17 = "s_proc_write"
		$s18 = "s_proc_inl_operations"
		$s19 = "s_inl_entry"
		$s20 = "kp_kallsyms_lookup_name"
		$s21 = "s_sys_call_table"
		$s22 = "kp_do_exit"
		$s23 = "r_sys_getdents"
		$s24 = "s_hook_remote_ip"
		$s25 = "s_hook_remote_port"
		$s26 = "s_hook_local_port"
		$s27 = "s_hook_local_ip"
		$s28 = "nf_hook_pre_routing"
	condition:
		uint32(0) == 0x464c457f and 10 of them
}
Details Yara rule 1 
rule linux_mal_suterusu_rootkit {
	meta:
		description = "Detects open source rootkit named suterusu"
		hash1 = "7e5b97135e9a68000fd3efee51dc5822f623b3183aecc69b42bde6d4b666cfe1"
		hash2 = "7b48feabd0ffc72833043b14f9e0976511cfde39fd0174a40d1edb5310768db3"
		author = "Lacework Labs"
		ref = "https://posts.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/"
	strings:
		$a1 = "suterusu"
		$a3 = "srcversion="
		$a4 = "Hiding PID"
		$a5 = "/proc/net/tcp"
	condition:
		uint32(0) == 0x464c457f and all of them
}