Diamorphine

Threat Actor updated 15 days ago (2024-11-29T13:56:05.491Z)
Diamorphine is tracked here as a threat actor, meaning an entity carrying out actions with malicious intent. In practice it is a Linux kernel rootkit, used to compromise systems by hiding processes and opening backdoors that provide stealth and root privileges. One observed campaign downloads, compiles, and installs two open-source rootkits available on GitHub, Diamorphine and Reptile, on systems that support them. Depending on their sophistication, attackers may then try to escape to the host, or recognise that they are inside a Kubernetes environment and attempt to exploit it. Although Diamorphine has occasionally been used to compromise Kubernetes clusters, Kubernetes-specific rootkits have not yet become common.

The Krasue malware appears to be based on three open-source loadable kernel module (LKM) rootkits: Diamorphine, Suterusu, and Rooty. It embeds seven compiled versions of its rootkit, which shows traits of all three. Group-IB reported that the installation script deploys the Diamorphine rootkit for stealth and root privileges and relies on custom tools to maintain persistence and control; it modifies file attributes, creates a backdoor user with root access, and erases command history to conceal its activity.

Diamorphine has also been implicated in attacks that executed commands on compromised Jupyter Notebooks. According to Cado Security Labs, this enabled the deployment and persistence of cryptocurrency mining malware alongside the Diamorphine rootkit, which was used to exfiltrate Google Cloud and Amazon Web Services credentials and to obscure malicious activity. In these intrusions, additional payloads of open-source rootkits such as Diamorphine and Reptile, taken from GitHub, are deployed to exfiltrate data and to hide the attacker's activity in the victim environment by deleting records and system logs.
Description last updated: 2024-09-19T12:16:57.139Z
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Rootkit
Linux
Github
Malware
Backdoor
Associated Malware
Krasue (association type: Unspecified; votes: 2). The Krasue malware is associated with Diamorphine. Krasue is a newly discovered malware that specifically targets Linux systems. Identified by cybersecurity researchers at Group-IB, it has been found to focus primarily on telecom companies in Thailand. As with most malware, Krasue enters systems without the user's knowledge.
Source Document References
Information about the Diamorphine threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created):
InfoSecurity-magazine (3 months ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
DARKReading (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)