Diamorphine is catalogued as a threat actor, an entity that executes actions with malicious intent. In practice it is a Linux kernel rootkit that has been used to compromise systems by hiding processes and opening backdoors for stealth and root privileges. The attack tooling downloads, compiles, and installs two open-source rootkits available on GitHub, Diamorphine and Reptile, on supported systems. Depending on their level of sophistication, the attackers may then try to escape to the host, or realize they are in a Kubernetes environment and attempt to exploit it. While Diamorphine has occasionally been used to compromise Kubernetes clusters, Kubernetes-focused rootkits have not yet become popular.
The code for Krasue appears to be based on the rootkits Diamorphine, Suterusu, and Rooty. Group-IB reported that the script installs the Diamorphine rootkit for stealth and root privileges while using custom tools to maintain persistence and control: it modifies file attributes, creates a backdoor user with root access, and erases command history to hide its activities. The malware embeds seven compiled versions of its rootkit, which exhibits traits of three open-source loadable kernel module (LKM) rootkits: Diamorphine, Suterusu, and Rooty.
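As an added defender-side example (not code from this page or from any of the reports it cites), the following Python checks for two of the behaviours described above: a backdoor account carrying root privileges in /etc/passwd, and processes hidden from the /proc directory listing while still reachable by direct path. The sample passwd content and the maximum PID probed are constructed assumptions.

```python
import os

# Constructed sample /etc/passwd (not from a real host): 'sysadm' is a second UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0::/home/sysadm:/bin/bash
"""

def extra_root_accounts(passwd_text):
    """Names other than 'root' whose UID or primary GID is 0 (backdoor root users)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and (uid == "0" or gid == "0"):
            found.append(name)
    return found

def hidden_pids(listed, reachable):
    """PIDs reachable by direct path but absent from the readdir() listing of /proc."""
    return sorted(set(reachable) - set(listed))

def _is_process(pid):
    """True if /proc/<pid> belongs to a thread-group leader, i.e. a real process.
    Thread IDs are also reachable as /proc/<tid> without being listed, so they are
    excluded; an OSError means the entry vanished between probes (a race, not hiding)."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False

def scan_proc(max_pid=32768):
    """Live check: compare the /proc listing with direct probes of /proc/<pid> (assumed PID range)."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    reachable = {p for p in range(1, max_pid + 1) if _is_process(p)}
    return hidden_pids(listed, reachable)

if __name__ == "__main__":
    print("extra UID-0/GID-0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
    if os.path.isdir("/proc"):
        print("PIDs hidden from /proc listing:", scan_proc())
```

Run it as root on a Linux host to probe the full PID range; compare `max_pid` with `/proc/sys/kernel/pid_max` on systems configured with a larger range.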
The Diamorphine rootkit has also been implicated in attacks involving command execution on compromised Jupyter Notebooks. According to Cado Security Labs, this facilitated the deployment and persistence of cryptocurrency mining malware, along with execution of the Diamorphine rootkit to exfiltrate Google Cloud and Amazon Web Services credentials and to obfuscate malicious activity. Additional payloads of open-source rootkits such as Diamorphine and Reptile, found on GitHub, are also deployed to exfiltrate data and obfuscate the malicious activity in the victim's environment by deleting records and system logs.
Description last updated: 2024-09-19T12:16:57.139Z