Overview #
The Snapekit rootkit was reported by Gen Threat Labs on October 2, 2024. Snapekit specifically targets Arch Linux (6.10.2-arch1-1 x86_64) but can potentially impact other Linux distributions. This document demonstrates how Argus detects Snapekit and similar Linux kernel-mode rootkits.
Static Analysis of Snapekit #
Sample Details #
Hash Type | Value
MD5 | 18c23bc9e6dbba7f3cadd59687685718
SHA1 | 00a38e5fd7e3303c23596f0ebdbd1f0e3b481ab3
SHA256 | 2600eb7673dddacda0e780bf3b163b0b89b41f9925eebbd2a2b3dfa234bc1a22
Static analysis revealed Snapekit embedded in a dropper program with sandbox evasion capabilities. The dropper unpacks and loads Snapekit (snapekit.ko) only if it confirms it is not running within a sandbox environment.
Key Findings #
– Spoofed Process Name: The dropper spoofs the kworker process name.
– Linux Capabilities Check: The dropper escalates privileges by manipulating Linux capability flags.
– Rootkit Unpacking: Snapekit is unpacked as snapekit.ko in /lib/modules/ and loaded into the kernel.
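The spoofed kworker name in the first finding can be checked for from the defender's side: a genuine kernel worker thread has no executable image behind /proc/<pid>/exe (the readlink fails with ENOENT), an empty cmdline, and kthreadd (PID 2) as its parent, so a process that carries a kworker-style name but has any of those attributes is a user-space process hiding behind the name. The script below is an added example, not code from the original write-up, from the dropper, or from Argus; the ProcRecord layout, the list of kernel-thread name prefixes and the sample process table are constructed assumptions.

```python
#!/usr/bin/env python3
"""Heuristic check for user-space processes masquerading as kernel threads.
Added example; not part of the original write-up or of Argus."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Name prefixes used by genuine kernel threads spawned by kthreadd.
# Assumption: this short list is illustrative; extend it for your hosts.
KTHREAD_NAME_RE = re.compile(r"^(kworker|ksoftirqd|migration|rcu_)")


@dataclass
class ProcRecord:
    pid: int
    comm: str            # contents of /proc/<pid>/comm (what `ps` shows as the name)
    cmdline: str         # /proc/<pid>/cmdline, empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when the link does not resolve
    ppid: int            # PPid field of /proc/<pid>/status


def is_suspicious(rec: ProcRecord) -> bool:
    """A real kernel thread has no exe, an empty cmdline and kthreadd (PID 2)
    as parent. prctl(PR_SET_NAME) lets a user process change comm, but it
    cannot remove its executable image or reparent itself to kthreadd."""
    if not KTHREAD_NAME_RE.match(rec.comm):
        return False
    return rec.exe is not None or rec.cmdline != "" or rec.ppid != 2


def find_spoofed(records: Iterable[ProcRecord]) -> List[int]:
    return [r.pid for r in records if is_suspicious(r)]


def read_proc_record(pid: int) -> Optional[ProcRecord]:
    """Collect the fields for one live /proc entry (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        with open(f"{base}/status") as fh:
            ppid = next((int(line.split()[1]) for line in fh if line.startswith("PPid:")), 0)
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None  # process exited mid-scan or is not readable by this user
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # kernel threads have no exe link
    return ProcRecord(pid, comm, cmdline, exe, ppid)


def scan_live() -> List[int]:
    """Run the heuristic over every PID on this host."""
    recs = (read_proc_record(int(p)) for p in os.listdir("/proc") if p.isdigit())
    return find_spoofed(r for r in recs if r is not None)


# Constructed sample table (not captured from a real infection): a genuine
# kworker thread, an ordinary daemon, and a user process renamed to look
# like a kworker, as the dropper described above does.
SAMPLE_RECORDS = [
    ProcRecord(123, "kworker/0:1", "", None, 2),
    ProcRecord(456, "sshd", "/usr/bin/sshd -D", "/usr/bin/sshd", 1),
    ProcRecord(789, "kworker/u8:1", "./dropper", "/home/user1/snapekit/dropper", 1000),
]

if __name__ == "__main__":
    print("suspicious PIDs in sample table:", find_spoofed(SAMPLE_RECORDS))
    if os.path.isdir("/proc"):
        print("suspicious PIDs on this host:", scan_live())
```

Run it on the endpoint as root so that /proc/<pid>/exe of other users' processes is readable; an unprivileged run turns a permission error on exe into a false "no exe" for those processes, which is why the check also looks at cmdline and parent PID.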
Simulating Snapekit Infection #
Requirements #
– Argus Central Components: Version 4.9.1 (server, indexer, dashboard).
– Arch Linux Endpoint: Version 6.10.2-arch1-1 x86_64 with Argus agent installed and enrolled.
Ensure the Linux CONFIG_MODULE_SIG feature is enabled on the Arch Linux endpoint.
Checking Kernel Version #
Run the following command:
uname -r
Output:
6.10.2-arch1-1
Simulating Infection #
1. Unpacking Snapekit:
Use the provided Python script to manually extract the Snapekit rootkit:
#!/usr/bin/env python3
from elftools.elf.elffile import ELFFile

def unpack_data_from_elf(file_path, start_address, length):
    """Copy `length` bytes that start at virtual address `start_address`
    inside the dropper's .data section into snapekit.ko."""
    with open(file_path, 'rb') as f:
        elffile = ELFFile(f)
        section = elffile.get_section_by_name('.data')
        if section is None:
            print('No .data section found in ELF file.')
            return
        # Translate the virtual address into a file offset using the
        # section's load address and its offset in the file
        section_offset = section['sh_offset']
        file_offset = start_address - section['sh_addr'] + section_offset
        f.seek(file_offset)
        data = f.read(length)
        with open('snapekit.ko', 'wb') as output_file:
            output_file.write(data)
        print(f'Data extracted to snapekit.ko, length: {length} bytes.')

# Define the parameters
file_path = '/home/user1/snapekit/2600eb7673dddacda0e780bf3b163b0b89b41f9925eebbd2a2b3dfa234bc1a22.elf'
start_address = 0x5100
length = 0xc4df8

# Run the function
unpack_data_from_elf(file_path, start_address, length)
Install pyelftools, save the script as unpack.py, and execute it:
pacman -S python-pyelftools
python3 unpack.py
Output:
Data extracted to snapekit.ko, length: 806392 bytes.
2. Verify Infection:
– Check the /lib/modules/ directory:
ls -l /lib/modules/
Output:
total 792
drwxr-xr-x 4 root root 4096 Oct 8 20:43 6.10.2-arch1-1
-rwxr-xr-x 1 root root 806392 Oct 10 10:25 snapekit.ko
– Verify the kernel module:
lsmod | grep snapekit
Output:
snapekit 28672 0
– Confirm Snapekit in the kernel symbol table:
cat /proc/kallsyms | grep snapekit
Detection with Argus #
Argus Rule for Unsigned Kernel Modules #
Argus detects Snapekit by identifying unsigned kernel modules loaded into the kernel. This detection relies on the Linux CONFIG_MODULE_SIG feature: with it enabled, the kernel checks each module's signature at load time and records a verification failure for an unsigned module such as snapekit.ko. When Snapekit is loaded, Argus triggers an alert on that failure.
1. Verify CONFIG_MODULE_SIG:
Run the following command on the endpoint:
zgrep CONFIG_MODULE_SIG /proc/config.gz
Output:
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
2. View Alerts:
Navigate to the Argus dashboard and view alerts generated by rule ID 5132. Use the following query:
data.os.alert.id:5132
The alert indicates that the Snapekit module failed the signature verification, marking the kernel as potentially compromised.
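Because CONFIG_MODULE_SIG_FORCE is not set in the configuration shown above, the kernel still loads the unsigned module; it only logs a verification failure and sets the "unsigned module" taint bit. Those two signals are what a detection has to key on, and the script below shows the logic in plain form: it scans kernel log lines for the verification-failure message and decodes the taint mask from /proc/sys/kernel/tainted. This is an added example written for this page; it is not rule 5132, not Argus code, and not code from the original write-up. The wording of the kernel message follows the kernel sources; the sample journal lines (timestamps, hostname) are constructed.

```python
#!/usr/bin/env python3
"""Detection logic for unsigned kernel module loads.
Added example; not Argus rule 5132 and not code from the original write-up."""
import re
from typing import Dict, List, NamedTuple, Optional

# Message the kernel prints when CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE is
# unset and a module carries no valid signature (kernel/module/main.c).
SIG_FAIL_RE = re.compile(
    r"(?:kernel:\s*)?(?P<module>[\w\-]+): module verification failed: "
    r"signature and/or required key missing - tainting kernel"
)


class Alert(NamedTuple):
    module: str
    reason: str
    line: str


def scan_kernel_log(lines) -> List[Alert]:
    """Return one Alert per unsigned-module verification failure in the log."""
    alerts = []
    for line in lines:
        m = SIG_FAIL_RE.search(line)
        if m:
            alerts.append(Alert(m.group("module"),
                                "unsigned kernel module loaded (signature verification failed)",
                                line.strip()))
    return alerts


# Taint bits from the kernel's documented taint table:
# bit 12 'O' = out-of-tree module loaded, bit 13 'E' = unsigned module loaded.
TAINT_OOT_MODULE = 1 << 12
TAINT_UNSIGNED_MODULE = 1 << 13


def decode_taint(value: int) -> Dict[str, bool]:
    """Pick the two module-related flags out of the kernel taint mask."""
    return {
        "out_of_tree_module": bool(value & TAINT_OOT_MODULE),
        "unsigned_module": bool(value & TAINT_UNSIGNED_MODULE),
    }


def read_taint() -> Optional[int]:
    """Read the live taint mask (Linux only; None when unavailable)."""
    try:
        with open("/proc/sys/kernel/tainted") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


# Constructed sample journal lines (not a real capture).
SAMPLE_LOG = [
    "Oct 10 10:25:01 arch kernel: snapekit: loading out-of-tree module taints kernel.",
    "Oct 10 10:25:01 arch kernel: snapekit: module verification failed: "
    "signature and/or required key missing - tainting kernel",
    "Oct 10 10:25:02 arch kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd",
]

if __name__ == "__main__":
    for alert in scan_kernel_log(SAMPLE_LOG):
        print(f"ALERT module={alert.module}: {alert.reason}")
    print("sample taint mask 0x3000 ->", decode_taint(0x3000))
    live = read_taint()
    if live is not None:
        print("this host's taint mask ->", decode_taint(live))
```

Two caveats matter when relying on the log line alone: the kernel prints the verification-failure message only once per boot (the first unsigned module), so a second unsigned module loaded later produces no new line, and the message is absent if module signing is disabled. The taint mask in /proc/sys/kernel/tainted stays set until reboot regardless of how many modules were loaded, so checking it alongside the log gives a durable indicator.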
By following this guide, you can effectively detect Snapekit and similar rootkits using Argus. This approach enhances your ability to secure Linux endpoints against advanced threats.