Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

PoC Linux Rootkit Uses GPU to Evade Detection

The source code for a Linux rootkit that leverages the infected device’s graphics processor unit (GPU) for enhanced stealthiness and efficiency has been published on GitHub.

The source code for a Linux rootkit that leverages the infected device’s graphics processor unit (GPU) for enhanced stealthiness and efficiency has been published on GitHub.

Dubbed Jellyfish, the proof-of-concept malware leverages the LD_PRELOAD technique from the Jynx Linux rootkit and OpenCL, a low-level API developed by Khronos for heterogeneous computing.

According to the developers of Jellyfish, who call themselves Team Jellyfish, one of the main advantages of GPU-based malware is that it’s more likely to evade detection due to the lack of malware analysis tools for such threats.

Another advantage is that this type of malware can “snoop” on the CPU host memory via direct memory access (DMA). Additionally, the GPU is fast and the malicious code remains in its memory even after the device is shut down, the developers said.

The experimental Jellyfish malware is currently designed to run on computers with AMD and NVIDIA graphics cards, but Intel products are also supported through the AMD APP Software Development Kit (SDK). OpenCL drivers must be installed on the system for the rootkit to work.

Another PoC malware developed by Team Jellyfish is a keylogger called Demon. The developers say Demon has been built using information from a paper published in 2013 by researchers at Columbia University. The paper describes a stealthy keylogger that runs directly on a graphics processor.

“We are not associated with the creators of this paper. We only PoC’d what was described in it, plus a little more,” the developers of Demon noted.

While for the Jellyfish rootkit the developers use the LD_PRELOAD variable to hide malicious components, in the case of Demon they say they are using code injection.

Advertisement. Scroll to continue reading.

Team Jellyfish claims that their creations are designed for educational purposes, and that their goal is to “make everyone aware that GPU-based malware is real.” They noted that Jellyfish and Demon are currently only in beta version and they still have a lot of bugs.

Malware that uses the GPU is not unheard of. Over the past years, researchers have spotted several threats that leverage an infected device’s GPU to mine Bitcoins. However, Jellyfish and Demon are more interesting because they use the GPU for more than just its processing power.

It remains to be seen if the code published by Team Jellyfish will be used by malicious actors in their operations.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.