From Sandbox to Kernel: Snapekit Bypasses All Layers of Linux Security

The publication of the rootkit's source code on GitHub is expected to open a new round in the contest between defenders and attackers.

Researchers at Gen Threat Labs have identified Snapekit, a new and sophisticated rootkit that targets Arch Linux systems running kernel 6.10.2-arch1-1 on the x86_64 architecture. Snapekit lets attackers gain unauthorized access to a system and control it while remaining undetected.

The rootkit embeds itself in the operating system by intercepting and modifying 21 system calls, the mechanism through which applications communicate with the kernel. Snapekit is deployed by a dedicated dropper. The rootkit can recognize and evade popular analysis and debugging tools such as Cuckoo Sandbox, JoeSandbox, Hybrid-Analysis, Frida, Ghidra and IDA Pro; when one of them is detected, Snapekit changes its behavior to avoid detection.

Snapekit's main job is to hide malicious code, and it does so while staying in user space rather than in the more tightly controlled kernel space. This approach makes detection and analysis considerably harder. In addition, the rootkit uses ptrace-based checks to detect debugging attempts, which further complicates the work of analysts and information security specialists.
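As an added illustration from the defender's side (not code from the article or from the rootkit's author), the check below shows why a user-space hook is exposed by comparing the libc view of the system with the kernel's: it lists a directory through glibc's readdir() and again through a raw getdents64 syscall instruction, and reports any entries the user-space view is missing. It assumes x86_64 Linux and gcc-style inline assembly; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel record layout returned by getdents64 (glibc exposes no struct for it). */
struct raw_dirent64 { unsigned long long d_ino; long long d_off;
                      unsigned short d_reclen; unsigned char d_type; char d_name[]; };
/* x86_64 only: enter the kernel with the raw syscall instruction, so a user-space
   hook on the libc readdir()/getdents64() wrappers never gets a chance to filter. */
static long raw_getdents64(int fd, void *buf, unsigned long len) {
    long ret;
    __asm__ volatile ("syscall" : "=a"(ret)
                      : "a"((long)SYS_getdents64), "D"((long)fd), "S"(buf), "d"(len)
                      : "rcx", "r11", "memory");
    return ret;
}
/* Entries the kernel reports for path, including "." and "..". */
int count_entries_kernel(const char *path) {
    char buf[8192];
    int fd = open(path, O_RDONLY | O_DIRECTORY), n = 0;
    if (fd < 0) return -1;
    for (long got; (got = raw_getdents64(fd, buf, sizeof buf)) > 0;)
        for (long off = 0; off < got; n++)
            off += ((struct raw_dirent64 *)(buf + off))->d_reclen;
    close(fd);
    return n;
}
/* Same directory through glibc's readdir(), the view a user-space hook would alter. */
int count_entries_libc(const char *path) {
    DIR *d = opendir(path);
    int n = 0;
    if (!d) return -1;
    while (readdir(d)) n++;
    closedir(d);
    return n;
}
/* > 0: the user-space view is missing entries the kernel knows about; -1: unreadable. */
int hidden_entries(const char *path) {
    int k = count_entries_kernel(path), u = count_entries_libc(path);
    return (k < 0 || u < 0) ? -1 : k - u;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/";
    printf("%s: %d entries hidden from user space\n", dir, hidden_entries(dir));
    return 0;
}
```

A clean host reports 0 for every directory; a positive count on a directory such as /proc or a suspect path points at a user-space filter between the program and the kernel, though a hook placed on open() or on the raw-syscall path itself would still need kernel-side tooling to catch.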

Snapekit has multi-layered evasion capabilities that not only defeat automated analysis tools (sandboxes and virtual machines) but also hinder manual analysis. The creator of the rootkit, known by the nickname Humzak711, plans to publish Snapekit as an open-source project on GitHub soon.

Snapekit's self-protection includes code obfuscation, anti-debugging techniques, and runtime detection of analysis tools. These features set the rootkit apart from other malware. Security professionals are encouraged to prepare more capable analysis environments, using advanced sandboxes, techniques for getting past anti-debugging checks, and collaborative analysis platforms, to counter emerging threats of this kind.
