WatchGuard Blog

How to prevent a rootkit attack before it is too late?

A rootkit is a malicious software program that helps cybercriminals infiltrate a system and take control of it. Hackers use rootkits to carry out espionage and data theft and to deploy other malware such as ransomware, all without leaving a trace. Once a rootkit is installed on a device, it can intercept system calls, replace software and processes, and form part of a larger exploit kit containing other modules such as keyloggers, data-theft malware, or even cryptocurrency-mining malware.

However, these programs are difficult to develop and require considerable time and money to create. Hence most rootkit-based attacks are associated with advanced persistent threat (APT) groups, which have the skills and resources to build this form of malware. As a result, such groups tend to select high-value targets for both financially motivated and espionage-based attacks.

A study analyzing the evolution and use of rootkits to carry out cyberattacks revealed that in 56% of cases cybercriminals use this software to attack high-profile individuals such as top-ranking officials, diplomats, or employees of organizations that are attractive to hackers. In terms of the sectors most targeted by these threats, government institutions rank first (44%), followed by research institutes (38%), telecommunications operators (25%), industrial companies (19%), and financial organizations (19%).  

The study also showed that rootkits are often spread through social engineering, particularly phishing (69%), and through the exploitation of vulnerabilities (62%).

Rootkit Types 

Rootkits fall into three types according to the level of privileges they obtain:

  • Kernel-mode rootkits: these operate at the kernel level and therefore run with the same privileges as the operating system itself. They are built as device drivers or loadable kernel modules. Developing them is demanding, because a single bug in the code can destabilize the system and so reveal the malware.

  • User-mode rootkits: these are simpler to develop than kernel-mode rootkits, as they demand less precision and expertise, so they are typically used in mass attacks. They run with fewer privileges, but can still intercept system calls and substitute the values returned by APIs and applications in order to gain control of the machine.

  • Combined rootkits: these combine both modes of operation and act at both levels.
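The substitution of API return values described for user-mode rootkits above is exactly what cross-view detection looks for: an independent enumeration of the same objects is compared with what the hooked API reports. The following is an added example, not code from the original post or from any WatchGuard product; the two process views, the PIDs and the process names in it are constructed sample data.

```python
"""Cross-view detection of processes a rootkit hides or disguises.
A hooked process-listing API can drop or alter the entries it returns;
comparing it with an independent enumeration (e.g. reading /proc/<pid>/comm
directly) exposes the discrepancy. All views below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    kind: str    # "hidden" (absent from API view) or "substituted" (name differs)
    detail: str


# Constructed sample: what the (hooked) process-listing API returned.
API_VIEW = {1: "systemd", 812: "sshd", 1337: "nginx", 2048: "bash"}

# Constructed sample: independent enumeration of the same system. PID 2048
# carries a different name and PID 31337 is missing from the API view.
RAW_VIEW = {1: "systemd", 812: "sshd", 1337: "nginx", 2048: "miner",
            31337: "rk_helper"}

# Constructed second snapshot: a short-lived process (PID 5000) exited between
# the two enumerations, so it looks like a hidden entry exactly once.
RAW_VIEW_2 = {**RAW_VIEW, 5000: "sleep"}


def cross_view_diff(api_view, raw_view):
    """PIDs the raw view knows that the API view hides or renames. PIDs found
    only in the API view are ignored: they exited between enumerations."""
    findings = []
    for pid, name in sorted(raw_view.items()):
        if pid not in api_view:
            findings.append(Finding(pid, "hidden", f"{name!r} absent from API view"))
        elif api_view[pid] != name:
            findings.append(Finding(pid, "substituted",
                                    f"API reports {api_view[pid]!r}, raw view {name!r}"))
    return findings


def persistent_findings(snapshots):
    """Keep only discrepancies present in every (api_view, raw_view) snapshot.
    A process exiting mid-snapshot produces a one-off difference; a rootkit
    hides the same PID every time, so persistence filters out that noise."""
    per_snapshot = [set(cross_view_diff(api, raw)) for api, raw in snapshots]
    common = set.intersection(*per_snapshot) if per_snapshot else set()
    return sorted(common, key=lambda f: f.pid)
```

On a live host the two views would come from an API call and a direct directory read taken moments apart, and only findings that persist across several snapshots merit investigation.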

In the fall of 2021, the North Korean Lazarus group ran a rootkit deployment campaign targeting an employee of an aerospace company in the Netherlands and a political journalist in Belgium. Both targets were approached with job offers from a prestigious company and sent documents attached to the supposed offer, one via LinkedIn and the other via email. Opening the files triggered a chain of attacks. According to the investigators of this case, who disclosed their findings in September this year, the most striking component was a rootkit module that exploited a vulnerability in Dell device drivers to gain the ability to read and write kernel memory.

How do you protect your business from this type of attack?  

Although this type of threat is designed to evade detection, there are solutions that can not only detect it but also contain and block it. WatchGuard Firebox devices include three advanced functions that can identify and stop this malware:

  • APT Blocker: this sandboxing technology can detect a rootkit before it reaches the system. It identifies suspicious files and sends them to a cloud-based sandbox that emulates their execution and analyzes their code, determining from the observed behavior whether the file is malicious. If it is, APT Blocker blocks the file to secure the network.

  • Artificial intelligence-powered malware defense: this identifies threats by breaking millions of files down into their fundamental components and then analyzing the characteristics of each in combination to find indicators of malicious intent. If malware is detected, the file is blocked before it executes.

  • Visibility in the Cloud: with rootkit attacks, full visibility into the network is essential for analyzing anomalies. The detailed reports generated by the platform enable in-depth investigation of what was found.

Cybercriminals can be highly resourceful when it comes to carrying out professionalized threats, but they can still be thwarted. The key is to protect corporate networks with appropriate solutions that can stop rootkit attacks before it is too late.