Azazel – Userland Anti-debugging & Anti-detection Rootkit


Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.

Azazel Rootkit

Features

  • Anti-debugging
  • Avoids unhide, lsof, ps, ldd detection
  • Hides files and directories
  • Hides remote connections
  • Hides processes
  • Hides logins
  • PCAP hooks avoid local sniffing
  • Two accept backdoors with full PTY shells.
    • Crypthook encrypted accept() backdoor
    • Plaintext accept() backdoor
  • PAM backdoor for local privesc and remote entry
  • Log cleanup for utmp/wtmp entries based on pty
  • Uses xor to obfuscate static strings

As with anything of this nature, it’s recommended you check the source-code/run it in a safe environment etc. But if I have to emphasise stuff like that, this is probably the wrong site for you.

You can grab Azazel from Github here:

Or read more here.

Posted in: Linux Hacking, Malware

,


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


Comments are closed.