Mob CC is a post-exploitation framework containing a Linux kernel rootkit, C2 server, and Reverse shell with network scanning capabilities.
This post-exploitation framework is for learning purposes, and everything is ready to use. Install the libraries, Deploy the server, and install rootkits inside the system using the listed commands. After installing the kernel rootkit and deploying the C2 server, you can observe how the rootkit causes internal system settings to change automatically.
Linux Kernel Rootkits are malicious programs that target the Linux Kernel to take over a compromised machine and access confidential information. The purpose of rootkits is to prevent operating system utilities and security systems from detecting their presence or detecting their activity. To conceal processes, files, network connections, and other signs of compromise, they can alter the behavior of the kernel or other components of the operating system.
Developing a kernel rootkit is easy when we know how the kernel works, what system calls are, and how user-level programs communicate with the kernel to perform some specific functionalities. You need to know what the kernel is doing to ensure your rootkit or driver can achieve its task successfully.
I won’t provide the process to develop the rootkits and C2 server in this article, but there are many Books and tutorials on how to create Linux kernel modules or rootkits and how to protect against them. Still, to find some good resources, you need to research more. You can refer to this website to develop your own Linux kernel rootkit.
To understand rootkits, we first need to understand system calls.
A system call is a method for a computer program to request a service from the kernel of the operating system on which it is running. The Applications run in an area of memory known as user space. A system call connects to the operating system’s kernel, which executes in kernel space. When an application creates a system call, it must first obtain permission from the kernel. It achieves this using an interrupt request, which pauses the current process and transfers control to the kernel. If the request is permitted, the kernel performs the requested action, like creating or deleting a file. As input, the application receives the kernel’s output. The application resumes the procedure after the input is received. When the operation is finished, the kernel returns the results to the application and then moves data from kernel space to user space in memory.
The core elements of an attacker’s command and control architecture are Command and Control (C2) servers, sometimes referred to as C&C servers or C2 nodes, which are used to manage compromised systems, accept orders, and exfiltrate data. These servers are the central communication hub between attackers and compromised systems or malware-infected devices. Through the C2 server, attackers can send commands, update malware, and gather information from infected PCs.
A Backdoor is a secret access point that enables unauthorized users to enter a system despite standard authentication safeguards. A backdoor that performs network scanning and connects to a command and control server from the target system allows attackers to covertly acquire information and increase their level of control in a post-exploitation situation. The backdoor connects with the C2 server, allowing the attacker to send and receive commands from a distance. The backdoor can execute network scans, probe other systems, and discover possible targets for future exploitation by taking advantage of the infected system’s network connectivity. The attacker can map out the network and find more entry points for penetration thanks to the backdoor and C2 server’s facilitation of reconnaissance.
Linux Kernel Rootkit Tested on: Ubuntu 18.04 (Try to test on other versions of Linux)
Install and use this post-exploitation framework for learning and testing purposes. Steps to setup the framework are listed on the GitHub page.
- Open the Command and Control server on your browser.
- If you have already installed the rootkit on the target side then there will be your target device name in device list.
- Select device and connect.
- Send commands and receive responses. You can check the help page for listed additional features.
Linux Kernel Rootkit:
- Use the Makefile to build the module.
- ftracer_helper.h is a helping module trying to override the system calls. (Author: xcellerator)
- Hide and Unhide themselves from modules lists.
- Granting root permissions by updating root credentials.
- Creating and executing the reverse shell/backdoor, which can be used to connect to a C2 server.
Command & Control server:
- Add new devices to the database by auto-collecting IP from the HTTPS requests.
- Connect to the target system via reverse shell/backdoor.
- Send commands and receive responses from the target system via reverse shell.
- Provide a list of every compromised system’s commands and responses.
- Handle requests from multiple compromised systems simultaneously.
Reverse shell / Backdoor:
- When executed, request the C2 server to add this device to the database.
- Establish the connection between the C2 server and the target system.
- Spawn a new reverse shell on demand for different IP addresses provided by the C2 server.
- Scan the network and open ports for potential vulnerabilities in other connected systems.
The Linux kernel rootkit and Command and Control (C2) server project aimed to build covert communication channels for unauthorized access to compromised systems while investigating the potential dangers
and difficulties connected with kernel-level attacks. This project is an educational post-exploitation framework designed for learning purposes, aiming to provide a simulated environment for understanding security vulnerabilities and ethical hacking techniques. The framework offers a range of controlled scenarios where users can simulate exploitation, vulnerability assessment, and various security tasks, fostering a safer and more informed understanding of cybersecurity principles without engaging in malicious activities. Instructions to install and use the framework are mentioned in the GitHub repository. Playing with the kernel without knowing may cause harm to your system. So, If you’re unsure what to do, you should do it on a virtual machine.
Thank you and Happy Hacking…