New blog post: bedevil: Dynamic Linker Patching
https://t.co/wmjKqhJydf
bedevil (bdvl) is an LD_PRELOAD rootkit. The group Muddled Libra used bedevil to target VMware vCenter servers in 2024, according to Palo Alto’s Unit42 Blog.
The rootkit comes with a nifty feature called Dynamic Linker Patching.
This topic is interesting from both a red- and blue-team perspective, primarily because the LD_PRELOAD technique has been well known for many years. Most detection tools and scripts can identify a shared library path in the ld.so.preload file or detect a non-empty LD_PRELOAD environment variable.
However, patching the dynamic linker provides attackers with significant advantages for stealth while simultaneously creating new challenges for defenders attempting to identify such intrusions.
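To make the detection gap concrete, here is an added example (written for this post, not code from the linked blog or from bedevil): the two classic checks, the ld.so.preload file and LD_PRELOAD in process environments, beside an integrity check of the on-disk dynamic linker against a known-good hash, which is what a defender needs once the linker itself is the thing being modified. The linker paths and the source of the baseline hash (for example the distro package) are assumptions.

```python
import hashlib
import os

PRELOAD_FILE = "/etc/ld.so.preload"
LINKER_CANDIDATES = ["/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux-x86-64.so.2", "/lib/ld-musl-x86_64.so.1"]  # assumed

def preload_entries(text: str) -> list:
    """Library paths listed in an ld.so.preload body (whitespace-separated, '#' starts a comment)."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries

def ld_preload_value(environ_blob: bytes):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None if unset."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def scan(preload_text: str, environs: dict, linker_bytes: bytes, baseline_sha256: str) -> list:
    """Run the classic checks plus a linker integrity check; return human-readable findings."""
    findings = [f"{PRELOAD_FILE} lists {p}" for p in preload_entries(preload_text)]
    for pid, blob in environs.items():
        value = ld_preload_value(blob)
        if value:
            findings.append(f"pid {pid} runs with LD_PRELOAD={value}")
    # The two checks above see nothing once the linker itself is patched, so also
    # compare the on-disk linker with a known-good hash (baseline source is an assumption).
    if hashlib.sha256(linker_bytes).hexdigest() != baseline_sha256:
        findings.append("dynamic linker differs from baseline hash")
    return findings

def scan_live(baseline_sha256: str) -> list:
    """Collect real inputs from this host and run scan() (root needed to read every environ)."""
    def read(path, mode="rb"):
        try:
            return open(path, mode).read()
        except OSError:  # missing file, exited process, or insufficient privileges
            return "" if mode == "r" else b""
    environs = {p: read(f"/proc/{p}/environ") for p in os.listdir("/proc") if p.isdigit()}
    linker = next((p for p in LINKER_CANDIDATES if os.path.exists(p)), "")
    return scan(read(PRELOAD_FILE, "r"), environs, read(linker), baseline_sha256)

def demo() -> list:
    """Constructed sample input: one preload entry, one tainted process, one modified linker."""
    good_linker = b"\x7fELF clean linker bytes (constructed sample)"
    baseline = hashlib.sha256(good_linker).hexdigest()
    environs = {"1": b"PATH=/usr/bin\0HOME=/root\0", "4242": b"LD_PRELOAD=/tmp/.x/libfake.so\0PATH=/usr/bin\0"}
    return scan("# comment\n/usr/lib/libevil.so\n", environs, good_linker + b"!", baseline)
```

`scan_live()` wants a baseline recorded from a trusted copy of the linker before the host is suspected; without one, the third check is meaningless.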
In this blog post, we will conduct an in-depth analysis of the patching technique used by the bedevil rootkit, exploring how it works and the advantages that dynamic linker patching offers to attackers.