New Sophisticated Rootkit Targeting Arch Linux

A rootkit is a type of malicious software that is primarily designed to provide unauthorized access and control over a computer system while hiding its presence.

Rootkits can be difficult to detect and remove because they operate at a low level within the operating system.

Their hiding capabilities enable the threat actors to perform several illicit activities like manipulating system functions, stealing data, and deploying additional malware without detection.

Gen Threat Labs researchers recently discovered a new sophisticated rootkit targeting Arch Linux, which they have dubbed “Snapekit.”


New Snapekit Rootkit Malware

Snapekit is a sophisticated and stealthy rootkit that was specifically engineered to target “Arch Linux” systems running version “6.10.2-arch1-1” on “x86_64 architecture.”

This advanced malware manipulates the system by “hooking” (intercepting and modifying) “21 different system calls,” which are the basic interface between programs and the operating system “kernel.”

To maintain stealth, Snapekit employs a “user-space dropper” (‘a deployment tool’) that actively scans for and evades common security analysis tools and debuggers like “Cuckoo Sandbox,” “JoeSandbox,” “Hybrid-Analysis,” “Frida” (a dynamic instrumentation toolkit), “Ghidra” (NSA’s reverse engineering tool), and “IDA Pro” (Interactive Disassembler). 

When any of these analysis tools are detected, Snapekit intelligently alters its behavior to avoid detection.

This helps the rootkit to hide its malicious payload while operating entirely within the user space rather than the more closely monitored kernel space, which makes it challenging to “detect” and “analyze.”
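Hooking system calls is how a rootkit hides files and processes from the tools that enumerate them, and a standard defender-side check is to compare two views of the same data, here the pids that a directory listing of /proc reports against the pids that exist when addressed directly by path. This is an added example, not code from the article or from Snapekit's author; it assumes a Linux host, and the sample pid sets at the bottom are constructed.

```python
import os
# Added example (not from the article): cross-view process enumeration, a
# standard check for rootkits that hook getdents64 to hide processes in /proc.

def pid_max(default: int = 32768) -> int:
    """Read the kernel's PID ceiling so the brute-force probe covers every pid."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return default

def listed_pids() -> set[int]:
    """High-level view: pids that a readdir()/getdents64 walk of /proc reports."""
    try:
        return {int(n) for n in os.listdir("/proc") if n.isdigit()}
    except OSError:
        return set()

def probed_pids(limit: int) -> set[int]:
    """Low-level view: pids that exist when addressed directly by path.
    A hook that filters getdents64 results does not affect stat() on a known path."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except OSError:
            pass
    return found

def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """Processes reachable by direct path but absent from the listing are suspect."""
    return probed - listed

def find_hidden_pids_live() -> list[int]:
    """Run both views on the live system; list /proc again after probing so
    processes started during the probe are not reported as hidden."""
    if not os.path.isdir("/proc"):
        return []
    before = listed_pids()
    probed = probed_pids(pid_max())
    after = listed_pids()
    return sorted(hidden_pids(before | after, probed))

# Constructed sample: the listing view lacks pid 4242, which the probe found.
SAMPLE_LISTED = {1, 2, 731, 900}
SAMPLE_PROBED = {1, 2, 731, 900, 4242}

if __name__ == "__main__":
    print("sample hidden pids:", sorted(hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED)))
    print("live hidden pids:", find_hidden_pids_live())
```

Probing the full pid_max range (several million pids on current 64-bit kernels) takes a few seconds, and a short-lived process can still appear in a single run, so repeat the check before treating a hit as a hidden process.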

The advanced malware dropper demonstrates sophisticated anti-analysis capabilities by implementing “PTrace” (‘Process Trace’) detection mechanisms, which actively identify and flag any debugging attempts made against it. 

This security measure is combined with “multiple layers” of evasion techniques which makes it resistant to both “automated analysis tools” (like “sandboxes” and “virtual machines”) and “manual reverse engineering” efforts by security researchers. 

The creator of the malware, known as “Humzak711,” has indicated plans to release the complete “Snapekit” project as open-source code on GitHub.

It’s a development that could have significant implications for both cybersecurity researchers and threat actors. 

The robust defense mechanisms of the malware, including “code obfuscation,” “anti-debugging routines,” and “runtime environment detection,” make it a unique model in the current threat landscape.

Security researchers are advised to prepare comprehensive analysis environments with “advanced sandboxing tools,” “debugger bypass techniques,” and “collaborative analysis frameworks” to effectively analyze this threat when it becomes available.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.