
Snapekit detection with Argus


Overview #

The Snapekit rootkit was reported by Gen Threat Labs on October 2, 2024. Snapekit specifically targets Arch Linux (6.10.2-arch1-1 x86_64) but can potentially impact other Linux distributions. This document demonstrates how Argus detects Snapekit and similar Linux kernel-mode rootkits.

Static Analysis of Snapekit #

Sample Details #

Hash Type | Value
MD5       | 18c23bc9e6dbba7f3cadd59687685718
SHA1      | 00a38e5fd7e3303c23596f0ebdbd1f0e3b481ab3
SHA256    | 2600eb7673dddacda0e780bf3b163b0b89b41f9925eebbd2a2b3dfa234bc1a22

Static analysis revealed Snapekit embedded in a dropper program with sandbox evasion capabilities. The dropper unpacks and loads Snapekit (snapekit.ko) only if it confirms it is not running within a sandbox environment.

Key Findings #

Spoofed Process Name: The dropper spoofs the kworker process name.

Linux Capabilities Check: The dropper escalates privileges by manipulating Linux capability flags.

Rootkit Unpacking: Snapekit is unpacked as snapekit.ko in /lib/modules/ and loaded into the kernel.

Simulating Snapekit Infection #

Requirements #

Argus Central Components: Version 4.9.1 (server, indexer, dashboard).

Arch Linux Endpoint: Version 6.10.2-arch1-1 x86_64 with Argus agent installed and enrolled.

Ensure the Linux CONFIG_MODULE_SIG feature is enabled on the Arch Linux endpoint.

Checking Kernel Version #

Run the following command:

uname -r

Output:

6.10.2-arch1-1

Simulating Infection #

1. Unpacking Snapekit:

Use the provided Python script to manually extract the Snapekit rootkit from the dropper (save it as unpack.py):

   #!/usr/bin/env python3
   # Extract the embedded snapekit.ko from the dropper's .data section.
   # The module is stored at a known virtual address inside .data; the script
   # maps that address to a file offset and copies `length` bytes to disk.
   from elftools.elf.elffile import ELFFile

   def unpack_data_from_elf(file_path, start_address, length):
       with open(file_path, 'rb') as f:
           elffile = ELFFile(f)
           section = elffile.get_section_by_name('.data')
           if section is None:
               print('No .data section found in ELF file.')
               return
           # file offset = virtual address - section load address + section file offset
           section_offset = section['sh_offset']
           file_offset = start_address - section['sh_addr'] + section_offset
           f.seek(file_offset)
           data = f.read(length)
           with open('snapekit.ko', 'wb') as output_file:
               output_file.write(data)
           print(f'Data extracted to snapekit.ko, length: {length} bytes.')

   # Define the parameters: path to the dropper sample and the location of the embedded module
   file_path = '/home/user1/snapekit/2600eb7673dddacda0e780bf3b163b0b89b41f9925eebbd2a2b3dfa234bc1a22.elf'
   start_address = 0x5100
   length = 0xc4df8

   # Run the function
   unpack_data_from_elf(file_path, start_address, length)

   Install pyelftools and execute the script:

   pacman -S python-pyelftools
   python3 unpack.py

   Output:

   Data extracted to snapekit.ko, length: 806392 bytes.

2. Verify Infection:

   - Check the /lib/modules/ directory:

     ls -l /lib/modules/

     Output:

     total 792
     drwxr-xr-x 4 root root   4096 Oct  8 20:43 6.10.2-arch1-1
     -rwxr-xr-x 1 root root 806392 Oct 10 10:25 snapekit.ko

   - Verify the kernel module is loaded:

     lsmod | grep snapekit

     Output:

     snapekit               28672  0

   - Confirm Snapekit in the kernel symbol table:

     grep snapekit /proc/kallsyms

Detection with Argus #

Argus Rule for Unsigned Kernel Modules #

Argus detects Snapekit by identifying unsigned kernel modules loaded into the kernel. This detection relies on the Linux CONFIG_MODULE_SIG feature. When Snapekit is loaded, Argus triggers an alert.
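To make the signature check concrete, the following script (an added example, not code from the article or from Argus) inspects a kernel module file the way the kernel does when CONFIG_MODULE_SIG is enabled: it looks for the "~Module signature appended~\n" magic at the end of the file and parses the 12-byte struct module_signature that precedes it. A recovered module such as /lib/modules/snapekit.ko can be passed on the command line; the two byte blobs built inside the script are constructed samples, not real modules. The script only reports whether a well-formed PKCS#7 signature block is present; it does not validate the signature against a key, which is the kernel's job.

```python
#!/usr/bin/env python3
"""Inspect the signature trailer of a Linux kernel module image.

Added example (not from the article or from Argus). Mirrors the layout checks
the kernel performs before it even tries to verify a module signature.
"""
import struct
import sys

# Magic string the kernel appends after the signature (include/linux/module_signature.h)
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, __be32 sig_len
SIG_INFO_FMT = ">BBBBB3xI"
SIG_INFO_LEN = struct.calcsize(SIG_INFO_FMT)  # 12 bytes
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for module signatures


def inspect_module_signature(data: bytes) -> dict:
    """Return a summary dict for a module image: signed flag, reason, sig_len, id_type."""
    result = {"signed": False, "reason": "", "sig_len": 0, "id_type": None}
    if not data.startswith(b"\x7fELF"):
        result["reason"] = "not an ELF image"
        return result
    if not data.endswith(MODULE_SIG_STRING):
        # This is the state of an unsigned module: no trailer at all.
        result["reason"] = "no module signature magic at end of file"
        return result
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO_LEN:
        result["reason"] = "file too short for struct module_signature"
        return result
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        SIG_INFO_FMT, body[-SIG_INFO_LEN:])
    result.update({"sig_len": sig_len, "id_type": id_type})
    if id_type != PKEY_ID_PKCS7:
        result["reason"] = f"unexpected id_type {id_type} (kernel expects PKCS#7)"
        return result
    if algo or hash_ or signer_len or key_id_len:
        # For PKCS#7 the legacy fields must be zero; the kernel rejects the trailer otherwise.
        result["reason"] = "non-zero legacy fields in PKCS#7 trailer"
        return result
    if sig_len == 0 or sig_len > len(body) - SIG_INFO_LEN:
        result["reason"] = "sig_len does not fit inside the file"
        return result
    result["signed"] = True
    result["reason"] = "PKCS#7 signature block present (cryptographic validity not checked here)"
    return result


def inspect_module_file(path: str) -> dict:
    """Read a .ko from disk and inspect its trailer."""
    with open(path, "rb") as f:
        return inspect_module_signature(f.read())


# Constructed samples (not real modules): a bare ELF-like blob, and the same blob
# with an 8-byte dummy "signature" wrapped in a correctly laid out trailer.
UNSIGNED_SAMPLE = b"\x7fELF" + b"\x00" * 60
FAKE_SIG = b"\xaa" * 8
SIGNED_SAMPLE = (UNSIGNED_SAMPLE + FAKE_SIG
                 + struct.pack(SIG_INFO_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_SIG))
                 + MODULE_SIG_STRING)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, inspect_module_file(path))
    else:
        print("unsigned sample:", inspect_module_signature(UNSIGNED_SAMPLE))
        print("signed sample:  ", inspect_module_signature(SIGNED_SAMPLE))
```

Run it as `python3 modsig_check.py /lib/modules/snapekit.ko` (file name assumed) to see the "no module signature magic" result that corresponds to the kernel's verification failure. Note that with CONFIG_MODULE_SIG_FORCE unset, as in the configuration shown in the next step, the kernel still loads an unsigned module and only taints itself, so the alert is raised after the module is already resident.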

1. Verify CONFIG_MODULE_SIG:

Run the following command on the endpoint:

   zgrep CONFIG_MODULE_SIG /proc/config.gz

   Output:

   CONFIG_MODULE_SIG_FORMAT=y
   CONFIG_MODULE_SIG=y
   # CONFIG_MODULE_SIG_FORCE is not set
   CONFIG_MODULE_SIG_ALL=y
   CONFIG_MODULE_SIG_SHA512=y
   CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

2. View Alerts:

Navigate to the Argus dashboard and view alerts generated by rule ID 5132. Use the following query:

data.os.alert.id:5132

The alert indicates that the Snapekit module failed the signature verification, marking the kernel as potentially compromised.
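The alert above is driven by the kernel's own report of the failed signature check. The script below is an added example (not Argus code and not rule 5132 itself) showing two host-side sources a defender can use to reproduce or corroborate that detection: the kernel log line "module verification failed: signature and/or required key missing" that the kernel emits when CONFIG_MODULE_SIG is on but CONFIG_MODULE_SIG_FORCE is off, and the per-module taint flags in /sys/module/<name>/taint, where "E" marks an unsigned module. The log lines and taint table in the script are constructed samples; the host name archbox and module name example_oot are assumptions.

```python
#!/usr/bin/env python3
"""Flag unsigned kernel modules from kernel log lines and sysfs taint flags.

Added example, not part of the article or of Argus. The sample data is constructed.
"""
import re
from pathlib import Path

# Message printed by the kernel when a module fails signature verification and
# CONFIG_MODULE_SIG_FORCE is not set: the module is loaded anyway and the kernel is tainted.
VERIFICATION_FAILED = re.compile(
    r"(?P<module>[\w.-]+): module verification failed: signature and/or required key missing")

# Taint flag the kernel assigns to modules loaded without a valid signature.
TAINT_UNSIGNED_MODULE = "E"


def unsigned_modules_from_log(lines):
    """Return module names from 'module verification failed' lines, in first-seen order."""
    found = []
    for line in lines:
        m = VERIFICATION_FAILED.search(line)
        if m and m.group("module") not in found:
            found.append(m.group("module"))
    return found


def unsigned_modules_from_taint(taint_by_module):
    """Given {module: taint flag string}, return the modules carrying the 'E' flag, sorted."""
    return sorted(name for name, flags in taint_by_module.items()
                  if TAINT_UNSIGNED_MODULE in flags)


def read_sysfs_taints(sys_module=Path("/sys/module")):
    """Collect taint flags for currently loaded modules from sysfs (live host only)."""
    taints = {}
    for entry in sys_module.iterdir():
        taint_file = entry / "taint"
        if taint_file.is_file():
            taints[entry.name] = taint_file.read_text().strip()
    return taints


# Constructed sample log lines in journal/syslog style (not captured from a real host).
SAMPLE_LOG = [
    "Oct 10 10:26:01 archbox kernel: snapekit: loading out-of-tree module taints kernel.",
    "Oct 10 10:26:01 archbox kernel: snapekit: module verification failed: "
    "signature and/or required key missing - tainting kernel",
    "Oct 10 10:26:02 archbox kernel: usbcore: registered new interface driver usbhid",
]

# Constructed taint table: an unsigned out-of-tree module ("OE"), an in-tree module (""),
# and a signed out-of-tree module ("O" only, hypothetical name).
SAMPLE_TAINTS = {"snapekit": "OE", "ext4": "", "example_oot": "O"}

if __name__ == "__main__":
    print("from log:  ", unsigned_modules_from_log(SAMPLE_LOG))
    print("from taint:", unsigned_modules_from_taint(SAMPLE_TAINTS))
    if Path("/sys/module").is_dir():
        print("live host: ", unsigned_modules_from_taint(read_sysfs_taints()))
```

On a live endpoint, `journalctl -k | python3 -c '...'` or simply running the script reads real kernel messages and sysfs entries; the taint check is useful because it reflects the current state of the kernel even if the log line that produced the alert has rotated away.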

By following this guide, you can effectively detect Snapekit and similar rootkits using Argus. This approach enhances your ability to secure Linux endpoints against advanced threats.
