
VoidLink threat analysis: Sysdig discovers C2-compiled kernel rootkits

Blog post from Sysdig

Post Details
Company: Sysdig
Date published: not listed
Author: Sysdig Threat Research Team
Word count: 3,725
Language: English
Hacker News points: none listed
Summary

Sysdig's Threat Research Team analyzed VoidLink, a Chinese-developed Linux malware framework that targets cloud environments, following its initial discovery by Check Point Research. Its most notable feature is server-side rootkit compilation: kernel modules are built on demand for each specific target, sidestepping the portability problem that normally limits Loadable Kernel Modules (LKMs), which must be built against the victim's exact kernel version and configuration.

The framework is written in the Zig programming language and adapts its evasion at runtime to the detection and response tooling it finds on the host, which makes it stealthy and hard to detect. It uses a multi-stage loader with fileless execution, and selects its stealth mechanism, eBPF or an LKM, according to the target's kernel version. The rootkit hides its presence with syscall table hooks and kretprobe hooks, and the malware can be managed over several control channels, including an ICMP covert channel.

Despite this sophistication, VoidLink's activity remains observable at runtime: tools such as Falco and Sysdig Secure can flag its distinctive syscall patterns and its fileless execution. The analysis concludes that VoidLink combines AI-assisted development with deep kernel expertise and operational tradecraft, and that it represents a mature, significant threat to Linux environments, particularly cloud-native ones.
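As an added illustration (not code from the Sysdig post, and not VoidLink's own code), the Python script below shows what the syscall patterns the summary refers to look like in a trace and how a simple runtime detector would flag them: a memfd_create followed by an execve through /proc/self/fd/N (or an execveat on the memfd) for fileless execution, and an init_module/finit_module call for the rootkit's LKM load. A raw ICMP socket check is included as a third, deliberately noisier heuristic for a userland ICMP channel. The strace-style trace format, process IDs, file names and the detector's rule names are all constructed for this example.

```python
import re

# Constructed strace-style trace ("pid syscall(args) = ret"); this is not real
# VoidLink telemetry. pid 4201 plays a fileless loader, pid 9001 is benign noise.
SAMPLE_TRACE = """\
4201 memfd_create("", MFD_CLOEXEC) = 3
4201 write(3, "\\177ELF\\2\\1\\1", 8192) = 8192
4201 execve("/proc/self/fd/3", ["stage2"], 0x7ffd1000) = 0
4201 openat(AT_FDCWD, "/dev/shm/.cache.ko", O_RDONLY|O_CLOEXEC) = 4
4201 finit_module(4, "", 0) = 0
4201 socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = 5
9001 openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3
9001 execve("/usr/bin/ls", ["ls", "-l"], 0x7ffe2000) = 0
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<sc>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
PROC_FD_RE = re.compile(r"^/proc/(?:self|\d+)/fd/(?P<fd>\d+)$")


def parse(trace):
    """Yield (pid, syscall, raw argument text, return value) for each parseable line."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["pid"]), m["sc"], m["args"], int(m["ret"])


def first_string_arg(args):
    """Return the first double-quoted argument, or None (sufficient for this toy format)."""
    m = re.search(r'"([^"]*)"', args)
    return m.group(1) if m else None


def detect(trace):
    """Scan a trace and return a list of alert dicts, in trace order."""
    memfds = {}   # pid -> set of fds that memfd_create returned to that pid
    alerts = []

    for pid, sc, args, ret in parse(trace):
        if sc == "memfd_create" and ret >= 0:
            memfds.setdefault(pid, set()).add(ret)

        elif sc in ("execve", "execveat"):
            path = first_string_arg(args) or ""
            known = memfds.get(pid, set())
            fd = None
            m = PROC_FD_RE.match(path)
            if m:
                fd = int(m["fd"])
            elif sc == "execveat" and path == "":
                # execveat(fd, "", argv, envp, AT_EMPTY_PATH): the first argument is the fd.
                m2 = re.match(r"\s*(\d+)", args)
                fd = int(m2.group(1)) if m2 else None
            # Only an exec through an fd this pid obtained from memfd_create is flagged;
            # a stricter deployment could flag any exec via /proc/self/fd/N.
            if path.startswith("/memfd:") or fd in known:
                target = path if path else f"fd {fd}"
                alerts.append({"pid": pid, "rule": "fileless_exec",
                               "detail": f"{sc} of anonymous memfd via {target}"})

        elif sc in ("init_module", "finit_module"):
            # Any module-load attempt is worth a look; ret == 0 means it succeeded.
            alerts.append({"pid": pid, "rule": "kernel_module_load",
                           "detail": f"{sc} returned {ret}"})

        elif sc == "socket" and "SOCK_RAW" in args and "IPPROTO_ICMP" in args:
            # Noisy heuristic: ping opens the same socket, and an ICMP channel implemented
            # inside a kernel module would never show up here. Treat as context, not proof.
            alerts.append({"pid": pid, "rule": "raw_icmp_socket",
                           "detail": "raw ICMP socket opened"})

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_TRACE):
        print(f"pid {a['pid']}: {a['rule']} ({a['detail']})")
```

Run as a script it prints three alerts for pid 4201 and none for pid 9001. In production this logic belongs in a runtime sensor rather than an strace parser; Falco's stock ruleset, for instance, already ships rules for memfd-backed execution and kernel module loading, which is the kind of check the summary has in mind.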