It’s been almost a year, but this Elastic Security write-up on the r77 rootkit popped up on my radar recently, so I thought it would be useful to do a walk-through of how someone with my background would mine open reporting such as this for actionable intel.
In this case, the r77 rootkit is described as an “open source userland rootkit used to deploy the XMRig crypto miner”. I’ve seen XMRig before (several times), but not deployed alongside a rootkit.
The purpose of a rootkit is to hide stuff. Anyone who was around in the late ’90s and early 2000s is familiar with the term “rootkit” and what it means. From the article, “r77’s primary purpose is to hide the presence of other software on a system by hooking important Windows APIs, making it an ideal tool for cybercriminals looking to carry out stealthy attacks. By leveraging the r77 rootkit, the authors of the malicious crypto miner were able to evade detection and continue their campaign undetected.”
My point in sharing this definition/explanation is that many of us will see this, or generally accept that a rootkit is involved, and then not think critically about what we’re seeing, but more importantly, what we’re not seeing. For example, in this case, the Elastic Security write-up
The installer module is described as being written to the Registry, which is a commonly observed technique, especially when it comes to “fileless malware”. The ar
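A defender reading that an installer module lives in the Registry will want a quick way to sweep for that pattern on a host. The following PowerShell is an added example, not code from this post or from the Elastic write-up: it enumerates common autostart keys and flags values that look like embedded payloads (large REG_BINARY blobs, long base64-looking strings, or command lines that decode something inline). The key list, the size thresholds and the regexes are assumptions, not locations the write-up names for r77.

```powershell
# Added example: sweep common autostart registry locations for values that
# look like stored payloads rather than plain command lines.
# Key list and thresholds are assumptions, not r77-specific indicators.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MinBinaryBytes = 4096   # assumption: a legitimate Run entry is a short command line
$MinStringChars = 512    # assumption: strings this long with base64 charset are suspicious

function Find-RegistryPayloads {
    param([string[]]$KeyPaths)
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $kind   = $item.GetValueKind($name).ToString()
            $value  = $item.GetValue($name)
            $reason = $null
            switch ($kind) {
                'Binary' {
                    # a byte[] this large under an autostart key is rarely legitimate
                    if ($value.Length -ge $MinBinaryBytes) {
                        $reason = "REG_BINARY of $($value.Length) bytes"
                    }
                }
                { $_ -eq 'String' -or $_ -eq 'ExpandString' } {
                    if ($value.Length -ge $MinStringChars -and $value -match '^[A-Za-z0-9+/=\s]+$') {
                        $reason = "base64-looking string of $($value.Length) chars"
                    }
                    elseif ($value -match '(?i)FromBase64String|-enc(odedcommand)?\s') {
                        $reason = 'command line decodes an embedded payload'
                    }
                }
            }
            if ($reason) {
                [pscustomobject]@{ Key = $key; Name = $name; Kind = $kind; Reason = $reason }
            }
        }
    }
}

Find-RegistryPayloads -KeyPaths $Paths | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable; on a clean host it prints nothing. Hits are triage leads, not verdicts: export the value with `reg export` (or pull the hive offline) before touching it, so the artifact survives for analysis.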
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
This article has been indexed from Windows Incident Response