What is a Rootkit? Exploring the Hidden Threats and Their Impact on System Security

Introduction

• Sygnia recently published a blog post describing the return of Ghost Emperor, a China-Nexus threat group that was disclosed by Kaspersky in 2021 and not been observed since.
• Ghost Emperor is known for using a rootkit dubbed “Demodex” to operate in stealth mode in order to evade security platforms and personnel.
• During an investigation in late 2023, the Sygnia team identified a new infection chain of Ghost Emperor leading to the deployment of Demodex.
• Rootkits are among the most sophisticated and complex tools used by threat actors, mainly state-sponsored groups, that wish to stay under the radar of security tools and people for a prolonged period of time
• In this article we will explain what rootkits are, the motivation to use them, the different types of rootkits, ways to mitigate them and more.

What is a rootkit?

• A rootkit is a type of malicious software used to obtain and maintain privileged access to a computer or system, while hiding its presence and activities from system’s legitimate users, system administrators and other security mechanisms.
• The term “rootkit” is derived from “root” – a Unix term for privileged user, and “kit” – the software allowing access.
• Rootkits usually lie deep in the core system within its kernel space or within the bootloader, but can also be in the user space.

Motivation for using rootkits

Rootkits are highly appealing for threat actors as they can operate deep in the system, allowing them to execute high-privileged commands and operations. With these privileges, rootkits conceal the presence of malware, such as files, processes, registry keys, services, and network activities from both security teams and security platforms, making their detection extremely difficult.

Rootkits can maintain persistence on infected systems, ensuring threat actors retain control over an extended period. By operating deep in the system, they are capable of disabling security products, thereby neutralizing any protective measures the target might have in place. In addition to these capabilities, rootkits can spy on the target’s activities, capture sensitive information and monitor communications, further amplifying the potential damage they can inflict.

How do rootkits get installed onto devices?

A machine can become infected with a rootkit through various methods:

• Bundled with other malware – Often, rootkits come packaged with other malicious software like trojans or worms. When a user downloads and executes what appears to be a legitimate program, the malware installs it covertly.
• Exploited software vulnerabilities – Attackers leverage code vulnerabilities to gain unauthorized privileged access to install rootkits that remain covert and persistent.
• Social engineering attacks (e.g., phishing emails, malicious downloads) – Attackers trick users into clicking on malicious links or downloading infected attachments, leading to the installation of malicious code that can result in a rootkit installation.
• Supply chain attacks – A rootkit can be installed on a target’s device through a supply chain attack, where the rootkit is introduced during the manufacturing, distribution, or updating process of a product.
• Physical access to targeted device – With physical access to a device, an attacker can install a rootkit directly by logging into the system and executing the installation program. This might involve exploiting existing vulnerabilities or using known credentials to gain administrative access.

What are the different types of rootkits?

• User-mode rootkit:
  • A user-mode rootkit operates within the user space of the operating system.
  • This rootkit modifies the running processes and user-mode applications by injecting malicious code or hooking internal system functions.
  • User-mode rootkits are typically less persistent than lower-level types, as they can be removed by terminating the infected processes or by rebooting the system.
  • User-mode rootkits often target specific applications or processes, such as web browsers, security software, or system utilities, to modify their behavior or extract sensitive information.
• Kernel-Mode rootkit:
  • A kernel-mode rootkit operates within the kernel space of an operating system.
  • These rootkits modify the kernel itself by injecting malicious code or hooking kernel functions and data structures.
  • Kernel-mode rootkits manipulate the operating system’s kernel to gain complete control over the infected machine, allowing them to perform various malicious activities and conceal their presence from user-mode applications and utilities.
  • Creating kernel-mode rootkits is considered challenging due to security mitigations implemented in modern operating system kernels, such as PatchGuard, Driver Signature Enforcement, and KASLR.
• Hypervisor:
  • This rootkit lies within the hypervisor layer of a virtualized environment.
  • It typically exploits vulnerabilities in virtualization software to gain control over the virtual machines running on top of the hypervisor.
  • Hypervisor rootkits operate at an even higher privilege level than kernel-mode rootkits, as they reside in the hypervisor, which is responsible for managing and controlling the virtual machines.
  • These rootkits do not have to modify the guest operating system kernel of the targeted virtual machine to control it – as they can intercept and manipulate the entire virtualized environment from the hypervisor layer.
• Bootkit:
  • This type of rootkit lies within the bootloader, which is the code responsible for booting the operating system at startup.
  • The bootloader is located depending on whether the system uses UEFI or legacy BIOS.
    • For UEFI, the bootloader is located on the disk in a special partition called ESP (EFI System Partition).
    • For legacy BIOS, the bootloader is located at the first sector of the disk, called Master Boot Record (MBR).
  • Bootkits usually modify the bootloader code with their own malicious code, allowing them to take control over the machine. They are considered very stealthy and evasive, as they remain persistent even after a reinstallation of the operating system.

Examples of High-Profile Rootkits

• Demodex:
  • Demodex is a kernel-mode rootkit known to be used by the China-Nexus threat group GhostEmperor, as published by Kaspersky in 2021.
  • According to that blog, after gaining access to corporate networks in South Asia, Demodex was used by the group to operate while hiding their presence.
  • Demodex employs a technique that involves installing CheatEngine, a freeware driver mostly used to cheat in computer games, in order to manipulate infected machines’ memory.
  • The threat actors use CheatEngine to manipulate its own functionality by hooking its functions and allowing it to inject the malicious Demodex code into the system kernel, thus installing the rootkit.
• FudModule:
  • FudModule is a kernel-mode rootkit known to be used by the North-Korean Lazarus group.
  • FudModule can disable security monitoring of infected systems by using a zero-day exploit in a built-in Windows driver.
  • By exploiting this vulnerability, FudModule can successfully install itself as a kernel-mode rootkit, granting it unrestricted access to the compromised system.
• Glupteba:
  • Glupteba is a botnet that employs a sophisticated bootkit to gain persistent access to infected systems.
  • The bootkit component of Glupteba allows it to intervene and control the operating system boot process.
  • Glupteba incorporates a modified version of an open-source project called EfiGuard, which has the capability to disable Windows security features such as PatchGuard and Driver Signature Enforcement (DSE) during the boot process.
  • By disabling these protections, the rootkit can successfully load and execute its malicious payload before the operating system fully initializes.

How can we detect and remove a rootkit?

• Use specialized rootkit detection tools and scanners.
• Boot from a trusted live environment (e.g., a bootable Linux USB) and scanning the system.
• Deeply monitor system behavior and scanning for signs of a compromise.
• Restore system from a known clean backup or re-installing the operating system.

How can we prevent rootkits?

• Keep software up-to-date and routine patching of known vulnerabilities
• Use robust antivirus and anti-malware solutions
• Implement application whitelisting and restricting software installations
• Harden systems and disabling unnecessary services
• Monitor and audit system logs for suspicious activities
• Practice good cybersecurity hygiene (e.g., avoid suspicious links, downloads, and phishing attempts)