Kunai’s Detection Capabilities: LinkPro eBPF Rootkit Analysis

Description:
A recent inquiry asked whether Kunai can detect the LinkPro eBPF rootkit described in Synacktiv’s analysis. We checked Kunai’s sandbox and confirmed that the two samples mentioned in the article had already been submitted to it. Our review of those submissions shows that Kunai successfully detects most of the suspicious activities associated with these samples.

Progress:

  • Detection Confirmation: Kunai detected the majority of the suspicious activities produced by the LinkPro samples submitted to the sandbox.

  • Dataset Creation: We compiled a bundle of potential eBPF-based malware samples from Kunai’s sandbox, totaling 12 GB of data, for further analysis.

  • Next Steps: This dataset will be analyzed in detail to refine detection capabilities and to identify new patterns and behaviors associated with eBPF-based threats.

Outcome:
Kunai demonstrates strong detection capabilities for eBPF-based threats, including the LinkPro rootkit. The newly created dataset will help further enhance these capabilities.