Skip to content

Releases: h3xduck/TripleCross

TripleCross First Release

03 Jul 10:19
Compare
Choose a tag to compare

Changelog

eBPF rootkit code base

  • User space rootkit program
  • eBPF programs configurator
  • Libbpf-powered eBPF programs in the kernel

Library injection module

  • Injection of libraries via GOT hijacking
  • Code caver module added using proc filesystem
  • Malicious library added

Execution hijacking module

  • Tampering with sys_execve syscalls
  • Malicious program to inject added

Backdoor and C2

  • New backdoor triggers:
    • Keyword-based
    • Pattern-based
    • Multi-packet
  • TC and XDP programs
  • 3 shells included:
    • Plaintext pseudo-shell
    • Encrypted pseudo-shell
    • Phantom pseudo-shell

Rootkit client

  • Multiple commands and pseudo-shells added for a remote client to connect with the backdoor

Persistence module

  • Added rootkit persistence across reboots via Cron and sudoers

Stealth module

  • Added rootkit files and directories hiding via getdents hijacking