Diamorphine

Diamorphine is a threat actor, a human entity or group with malicious intent, that has been identified as using sophisticated techniques to compromise system security. This actor utilizes open-source rootkits available on GitHub, namely Diamorphine and Reptile, to infiltrate supported systems. These rootkits are downloaded, compiled, and installed onto the target systems, where they perform various malicious activities. The Diamorphine rootkit, in particular, is used to hide processes, making detection and mitigation more challenging for cybersecurity personnel. This threat actor exhibits a high level of sophistication, capable of identifying when they're inside a container or virtual machine and attempting to escape to the host. Diamorphine has been occasionally used to compromise Kubernetes clusters, although Kubernetes-focused rootkits have not yet gained popularity. Another rootkit, Krasue, appears to be based on Diamorphine, Suterusu, and Rooty. It showcases traits of these three open-source loadable kernel module (LKM) rootkits, indicating a potential link between these threat actors. Diamorphine's attacks have involved command execution on compromised Jupyter Notebooks to fetch a shell script that facilitates cryptocurrency mining malware deployment and persistence. This also enables the execution of the Diamorphine rootkit with Google Cloud and Amazon Web Services credential exfiltration capabilities, further obfuscating the malicious activity. In addition to Diamorphine, other open-source rootkits such as Reptile are deployed as additional payloads to exfiltrate data and delete records and system logs. A trojanized OpenSSH binary distributed alongside a backdoor shell script aids in deploying patches that obtain device passwords and SSH connection keys, leading to the installation of the Reptile and Diamorphine LKM rootkits.