FortiGuard experts have identified a rootkit targeting CentOS Linux users. The threat exploits vulnerabilities within systems, granting attackers full remote access to compromised devices. The malicious code consists of a kernel module (sysinitd.ko), an executable file (sysinitd), and an installation script (Install.sh), designed to ensure the rootkit’s stealth and persistence.
The infection begins with the execution of the script, which implants the malicious files into the system and registers them for autostart. The kernel module then creates three entries in /proc, enabling attackers to interact with the system. Particularly alarming is the rootkit’s ability to disguise itself as a standard bash shell process, making detection by administrators significantly more challenging.
Analysis revealed that the rootkit leverages Netfilter to intercept incoming network traffic at the kernel level. Attackers establish a connection by sending a specifically crafted packet, triggering the interaction process. Once connected, they gain superuser privileges, allowing them to execute commands, download data, modify configurations, and manage processes.
Fortinet has already safeguarded its clients by updating antivirus signatures to detect Install.sh, sysinitd.ko, and sysinitd. These updates are available across FortiGate, FortiMail, FortiClient, and FortiEDR products. The malicious files are classified as BASH/Injector.CSA!tr and ELF64/Injector.CSA!tr.
Experts recommend that CentOS users bolster their security systems and routinely review logs for suspicious activity. Additionally, maintaining up-to-date antivirus databases and conducting regular security audits is strongly advised to mitigate such threats.
