Researchers at ANY.RUN have discovered a complex attack using the Diamorphine rootkit to install a crypto miner on Linux systems, showing how open-source tools are being misused in cyberattacks.
Their analysis reveals a multi-stage attack with advanced methods to stay hidden and maintain access, making it a serious threat to Linux environments.

The attack is delivered by a malicious script posing as a Python file. It installs the Diamorphine rootkit, a loadable kernel module that builds against a wide range of Linux kernels and hides its activity by hooking system calls. The script first installs the tools it needs and kills any competing crypto miners so the new one has the CPU to itself.
It then downloads three malicious files: the crypto miner, disguised as a Python shared library under the name python-3.7.3.so; a mining tool called cloud; and the rootkit package python37.tar.
For persistence and concealment, the script replaces /bin/ps with a modified copy that keeps the miner out of process listings, installs a systemd service that restarts the miner after a reboot, and loads the Diamorphine module into the running kernel.
It also harvests SSH keys from the host and uses them to spread to other machines on the network, and it deletes system logs to cover its tracks.
Evasion is layered three deep: the modified ps hides the miner from user-space process listings; the Diamorphine module hides processes at the kernel level by filtering the results of system calls such as getdents, so even a genuine ps or a look at /proc does not show them; and the module unlinks itself from the kernel's module list, so lsmod does not report it and rmmod cannot unload it. Standard tools therefore report a clean system, which makes the infection hard to find and harder to remove.
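Two of those layers leave gaps a responder can use. The rootkit filters what a directory listing of /proc returns, but not direct path lookups, so a hidden process can still be found by probing /proc/<pid> for every possible PID and comparing the result with the listing. And loading an out-of-tree, unsigned module sets kernel taint flags that are not cleared when the module later unlinks itself from the list that lsmod reads. The script below is an added illustration of both checks; it is not code from the ANY.RUN report or from the Diamorphine source. The thread-ID handling, the re-check against races, and the taint-bit decoding are this example's own design, and the signal behaviour mentioned afterwards refers to the stock Diamorphine build.

```python
# Added example (not from the ANY.RUN report or the Diamorphine source):
# host checks that survive the process-listing and lsmod-level concealment.
import os
import time

PROC = "/proc"


def visible_pids(proc=PROC):
    """PIDs as a directory listing of /proc reports them. Diamorphine hides a
    process by filtering this listing (it hooks getdents/getdents64), so this
    is the view the attacker controls."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def is_process(pid, proc=PROC):
    """True if /proc/<pid> is a thread-group leader, i.e. a real process.
    Threads are reachable as /proc/<tid> but are never listed by readdir(),
    so without this check every multithreaded program would look 'hidden'."""
    try:
        with open(f"{proc}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:  # ENOENT, ESRCH (exited mid-read) or EACCES
        return False
    return False


def probed_pids(pid_max, proc=PROC):
    """Enumerate processes by looking up /proc/<pid> directly for every PID up
    to pid_max. Path lookup is not filtered by the listing hook, so this is
    the view the rootkit does not control."""
    return {pid for pid in range(1, pid_max + 1)
            if os.path.isdir(f"{proc}/{pid}") and is_process(pid, proc)}


def hidden_pids(visible, probed):
    """Processes found by direct lookup but missing from the listing."""
    return probed - visible


def confirm_hidden(candidates, proc=PROC, settle=0.5):
    """Re-check after a pause: a process that merely started or exited between
    the two enumerations is a race, not a rootkit."""
    time.sleep(settle)
    listed = visible_pids(proc)
    return {pid for pid in candidates if is_process(pid, proc) and pid not in listed}


# Kernel taint bits set when an out-of-tree (bit 12, 'O') or unsigned (bit 13, 'E')
# module is loaded. They stay set after the module unlinks itself from the
# module list, so they outlive the lsmod-level concealment.
TAINT_BITS = {12: "O: out-of-tree module loaded", 13: "E: unsigned module loaded"}


def module_taint(value):
    """Decode the taint flags relevant to a rootkit LKM from /proc/sys/kernel/tainted."""
    return [desc for bit, desc in TAINT_BITS.items() if value & (1 << bit)]


def read_pid_max(proc=PROC):
    with open(f"{proc}/sys/kernel/pid_max") as f:
        return int(f.read())


def read_taint(proc=PROC):
    with open(f"{proc}/sys/kernel/tainted") as f:
        return int(f.read())


def main():
    visible = visible_pids()
    probed = probed_pids(read_pid_max())
    suspects = confirm_hidden(hidden_pids(visible, probed))
    print("hidden processes:", sorted(suspects) or "none")
    for flag in module_taint(read_taint()):
        print("kernel taint:", flag)


if __name__ == "__main__":
    main()
```

Run it as root on the suspect host, and treat a hit as a lead rather than a verdict: a difference between the output of the host's own ps and visible_pids() points at the trojanized /bin/ps (verify the binary with dpkg -V procps or rpm -V procps-ng), whereas a difference between visible_pids() and probed_pids() points at the kernel module. The O and E taint bits are also set legitimately by DKMS or vendor drivers, so check them against the modules the host is supposed to carry. The stock Diamorphine build makes the module visible to lsmod again when it receives a particular signal (kill -63 in the published source), but a repurposed build can change that number, so do not rely on it.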
Open-Source Tools Turned Threats: Diamorphine Rootkit Campaign
The Diamorphine rootkit and the crypto miner used in this attack were both built from open-source code published on GitHub, a reminder that freely available tooling is readily turned into working malware. Diamorphine, originally written by GitHub user “m0nad” as a loadable kernel module, has been repurposed by the attackers to evade detection and keep kernel-level access to compromised Linux systems.
The malware spreads by stealing SSH keys from infected machines, allowing it to move through networks and infect more systems. It also kills off other crypto miners, showing how attackers compete for control of compromised devices.
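The report's later advice to monitor SSH activity follows directly from this spreading mechanism. A stolen private key is accepted by every host where the matching public key is already authorized, so the login itself looks legitimate and only the source address and the account used give it away; a key the attacker appends to authorized_keys, by contrast, shows up as a fingerprint that the host's approved baseline does not know. The script below is an added illustration of both checks, not code from the ANY.RUN report. It fingerprints keys the way ssh-keygen -lf and sshd's log lines do; the hosts, users, addresses, key blobs and log lines in it are constructed for the demo, and the allowed address range and the baseline authorized_keys file are assumptions.

```python
# Added example (not from the ANY.RUN report): auditing key-based SSH logins
# against a baseline of approved keys and an allowed source range. Every host,
# user, address, key blob and log line below is constructed for the demo.
import base64
import hashlib
import ipaddress
import re

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public key line, in the form that
    ssh-keygen -lf and sshd's log messages use (base64 digest, padding stripped)."""
    tokens = pubkey_line.split()
    # Skip any leading authorized_keys options such as from="..." or command="...".
    idx = next(i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(tokens[idx + 1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def known_fingerprints(authorized_keys_text):
    """Fingerprints of every key in an authorized_keys file."""
    return {fingerprint(line) for line in authorized_keys_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_accepted(log_lines):
    """Extract successful logins from sshd log lines; everything else is ignored."""
    return [m.groupdict() for m in map(ACCEPTED_RE.search, log_lines) if m]


def audit(events, known_fps, allowed_nets):
    """Flag logins that do not fit the expected pattern. A stolen key passes the
    fingerprint check (it is a legitimate key), so the source range is what
    catches it; a key missing from the baseline means authorized_keys was edited."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for ev in events:
        reasons = []
        if ev["method"] != "publickey":
            reasons.append("non-key authentication")
        elif ev["fp"] not in known_fps:
            reasons.append("key not in authorized_keys")
        try:
            if not any(ipaddress.ip_address(ev["src"]) in n for n in nets):
                reasons.append("source outside allowed ranges")
        except ValueError:  # sshd logged a hostname (UseDNS) or garbage
            reasons.append("unparseable source address")
        if ev["user"] == "root":
            reasons.append("direct root login")
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings


def fake_key(seed):
    """Construct a syntactically valid ssh-ed25519 public key from a seed byte.
    Not a real key pair; only the wire format that the fingerprint hashes matters."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed baseline (what config management says should be on the host) and
# the live file, to which the attacker has appended a key of their own.
BASELINE_KEYS = fake_key(1) + " deploy@ci\n" + 'from="10.10.0.0/16" ' + fake_key(2) + " ops@bastion\n"
LIVE_KEYS = BASELINE_KEYS + fake_key(3) + " root@web-03\n"


def sample_log():
    """Constructed sshd log lines: one normal login, one with a legitimate key
    used from outside the network, one with the planted key, one irrelevant line."""
    ok, stolen, planted = (fingerprint(fake_key(n)) for n in (1, 2, 3))
    return [
        f"Mar  3 10:15:01 web1 sshd[2211]: Accepted publickey for deploy from 10.10.1.5 port 51022 ssh2: ED25519 {ok}",
        f"Mar  3 10:17:44 web1 sshd[2290]: Accepted publickey for ops from 192.0.2.44 port 40112 ssh2: ED25519 {stolen}",
        f"Mar  3 10:18:02 web1 sshd[2302]: Accepted publickey for root from 192.0.2.44 port 40120 ssh2: ED25519 {planted}",
        "Mar  3 10:18:30 web1 sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 3311 ssh2",
    ]


def run_demo():
    """Return (suspicious logins, fingerprints present on the host but not in the baseline)."""
    known = known_fingerprints(BASELINE_KEYS)
    findings = audit(parse_accepted(sample_log()), known, ["10.10.0.0/16"])
    planted = known_fingerprints(LIVE_KEYS) - known
    return findings, planted


if __name__ == "__main__":
    for user, src, reasons in run_demo()[0]:
        print(f"{user}@{src}: {', '.join(reasons)}")
    print("keys not in baseline:", sorted(run_demo()[1]))
```

In practice the baseline comes from wherever approved keys are managed (configuration management, a bastion's key inventory), the log lines come from the journal or auth.log, and the allowed ranges are the subnets from which administrative SSH is expected. The same fingerprint function applied to the live authorized_keys files of every user is the cheapest way to spot the planted entries the campaign leaves behind.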
ANY.RUN’s Linux sandbox provided detailed insight into the malware’s behavior, including how it hides, persists, and spreads. Their report includes Indicators of Compromise (IOCs) and a TI Lookup query to help defenders detect the threat.
This campaign shows how Linux systems—used widely in servers, cloud setups, and IoT devices—are becoming prime targets. The use of open-source rootkits and advanced hiding techniques makes these attacks harder to detect and stop.
ANY.RUN recommends analysing suspicious samples in a sandbox such as its own, keeping systems patched, monitoring SSH activity for logins that do not fit the expected pattern, and keeping secrets such as SSH keys out of code and configuration by storing them in GitHub Actions secrets or HashiCorp Vault. Secret-scanning tools such as TruffleHog can also find credentials that have already leaked into repositories.
As Linux malware becomes more advanced, this attack is a clear reminder of the growing need for strong defenses and constant vigilance.