r77 Rootkit
Fileless ring 3 rootkit
r77 is a ring 3 rootkit that hides everything:
Files, directories
Processes & CPU/GPU usage
Registry keys & values
Services
TCP & UDP connections
Junctions, named pipes, scheduled tasks.


Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
AV/EDR evasion
Several AV and EDR evasion techniques are in use:
AMSI bypass: The PowerShell inline script disables AMSI by patching amsi.dll!AmsiScanBuffer so that every scan reports AMSI_RESULT_CLEAN. AMSI runs in-process, so the patch only affects the PowerShell host that loaded the script; the script body is generated polymorphically so that static signatures written for the well-known bypass stub do not match.
DLL unhooking: Since EDR solutions monitor API calls by placing inline hooks in the process's copy of ntdll.dll, these hooks are removed by mapping a fresh copy of ntdll.dll from disk and writing its original .text section over the hooked section in memory. Without this step, the process injection that follows would go through the hooked calls and be detected.
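Both techniques above boil down to byte patches on a loaded DLL's .text section (AmsiScanBuffer in amsi.dll, the EDR's own hooks in ntdll.dll). The following Python is an added example, not r77's code and not taken from its README: it parses the PE section table, lays the file out as the loader would, and diffs the in-memory .text against the on-disk copy, which is how memory-forensics tooling spots inline hooks and patches. It then models the unhooking step and shows the caveat that matters for defenders: after a fresh copy of .text is restored from disk, the disk-vs-memory diff is clean, so an EDR has to verify that the hook bytes it wrote are still present rather than trust a disk comparison. The PE module is a constructed stand-in for ntdll.dll (four x64 syscall stubs, not real ntdll), "process memory" is a bytearray, and the hook target RVA is arbitrary; real tooling must also apply relocation fixups before diffing .text, which this example does not need.

```python
"""Disk-vs-memory .text comparison and hook verification (added example).
The PE below is a constructed stand-in for ntdll.dll; process memory is a
bytearray, so everything runs offline."""
import struct

PAGE = 0x1000        # RVA of the constructed .text section
FILE_ALIGN = 0x200   # file alignment of the constructed PE


def parse_sections(pe: bytes) -> dict[str, tuple[int, int, int, int]]:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns {name: (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = {}
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections[name.rstrip(b"\0").decode()] = (vaddr, vsize, rptr, rsize)
    return sections


def map_image(disk: bytes) -> bytearray:
    """Lay the file out as the loader does: headers at RVA 0, sections at their VirtualAddress."""
    secs = parse_sections(disk)
    mem = bytearray(max(v + max(vs, rs) for v, vs, _, rs in secs.values()))
    first_raw = min(rp for _, _, rp, _ in secs.values())
    mem[:first_raw] = disk[:first_raw]
    for vaddr, _, rptr, rsize in secs.values():
        mem[vaddr:vaddr + rsize] = disk[rptr:rptr + rsize]
    return mem


def diff_text(disk: bytes, mem: bytes) -> list[tuple[int, int]]:
    """Compare on-disk .text with the loaded copy; returns (rva, length) runs that differ.
    Inline hooks and patches such as the AmsiScanBuffer one show up here."""
    vaddr, vsize, rptr, rsize = parse_sections(disk)[".text"]
    n = min(vsize, rsize)
    expected, actual = disk[rptr:rptr + n], mem[vaddr:vaddr + n]
    runs, start = [], None
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((vaddr + start, i - start))
            start = None
    if start is not None:
        runs.append((vaddr + start, n - start))
    return runs


def install_jmp_hook(mem: bytearray, rva: int, target_rva: int) -> bytes:
    """EDR-style 5-byte `jmp rel32` over a function prologue; returns the bytes written."""
    patch = b"\xE9" + struct.pack("<i", target_rva - (rva + 5))
    mem[rva:rva + 5] = patch
    return patch


def restore_text_from_disk(mem: bytearray, disk: bytes) -> int:
    """The unhooking step: overwrite in-memory .text with the pristine on-disk bytes."""
    vaddr, vsize, rptr, rsize = parse_sections(disk)[".text"]
    n = min(vsize, rsize)
    mem[vaddr:vaddr + n] = disk[rptr:rptr + n]
    return n


def verify_hooks(mem: bytes, hooks: dict[int, bytes]) -> list[int]:
    """RVAs whose recorded hook bytes are no longer present (what a disk diff cannot tell you)."""
    return [rva for rva, patch in hooks.items() if bytes(mem[rva:rva + len(patch)]) != patch]


def build_sample_module() -> bytes:
    """Constructed PE32+ with one .text section of four syscall stubs
    (mov r10,rcx; mov eax,N; syscall; ret), int3-padded. Not a real ntdll.dll."""
    stubs = b"".join((b"\x4C\x8B\xD1\xB8" + struct.pack("<I", n) + b"\x0F\x05\xC3").ljust(32, b"\xCC")
                     for n in range(4))
    text_raw = stubs.ljust(FILE_ALIGN, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 0xF0                                                    # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")               # magic only; rest unused
    section = struct.pack("<8sIIIIIIHHI", b".text", len(stubs), PAGE, len(text_raw), FILE_ALIGN,
                          0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + section).ljust(FILE_ALIGN, b"\0") + text_raw


def demo() -> dict:
    disk = build_sample_module()
    mem = map_image(disk)
    hook_rva = PAGE + 32                                   # second stub: where an EDR hooks
    hooks = {hook_rva: install_jmp_hook(mem, hook_rva, 0x20000)}  # 0x20000: arbitrary trampoline
    hooked = diff_text(disk, mem)                          # disk diff reveals the EDR's hook
    restore_text_from_disk(mem, disk)                      # fresh-copy unhook, as the page describes
    return {"hook_visible_in_disk_diff": hooked,           # [(0x1020, 5)]
            "disk_diff_after_unhook": diff_text(disk, mem),        # [] : looks clean
            "hooks_missing_after_unhook": verify_hooks(mem, hooks)}  # [0x1020] : caught


if __name__ == "__main__":
    print(demo())
```

The first result shows what an analyst diffing a process against ntdll.dll on disk sees while the EDR hook is in place; the second shows why that same diff is useless against this rootkit once the section has been restored; the third is the check an EDR must run on its own hook bytes (or on the integrity of its hook table) to notice the removal.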
https://github.com/bytecode77/r77-rootkit
