TripleCross First Release

Changelog

eBPF rootkit code base

• User space rootkit program
• eBPF programs configurator
• Libbpf-powered eBPF programs in the kernel

Library injection module

• Injection of libraries via GOT hijacking
• Code caver module added using proc filesystem
• Malicious library added

Execution hijacking module

• Tampering with sys_execve syscalls
• Malicious program to inject added

Backdoor and C2

• New backdoor triggers:
  • Keyword-based
  • Pattern-based
  • Multi-packet
• TC and XDP programs
• 3 shells included:
  • Plaintext pseudo-shell
  • Encrypted pseudo-shell
  • Phantom pseudo-shell

Rootkit client

• Multiple commands and pseudo-shells added for a remote client to connect with the backdoor

Persistence module

• Added rootkit persistence across reboots via Cron and sudoers

Stealth module

• Added rootkit files and directories hiding via getdents hijacking