While doing research on linux rootkits, I read about some hooking techniques which are used by the rootkits to tamper the actual behavior of a syscall. Some of which are VFS hooking, hooking via syscall table hijacking etc..One of the techniques that caught my attention was the ftrace hook technique…

Most of the rootkits used in the malware attacks we see are open source and have almost the same behavior(hiding and hooking) as that of a normal process running in the system. In terms of behavior, they have little to no difference than a normal process. In this brief blog…

While I was looking into TeamTNT associated binaries (especially the XMRIG ones), I found a blog post which was published by Trend Micro research some time ago. The blog was about TNTbotinger malware in which attackers used shell-script as the initial vector.(Read full blog here) In this brief blog we…

Golang is simple and has a cross-platform compiler which gives malware authors a chance to develop malware without putting too much effort into the code. Golang is a compiled language just like C/C++ which requires no VM.Go compiled binaries include a runtime package which takes care of language features like…

The docker API basically is an interface between docker daemon and docker image. The docker API is exposed via a Unix Socket at /var/run/docker.sock by default.The Docker daemon(server) uses this socket to listen to the API and the clients(docker images) use the socket to send API requests to the daemon…