cat soup is a kernel-level covert channel rootkit developed to explore offensive capabilities using eBPF, its name was inspired by an animated film based on the manga created by Nekojiru. the rootkit consists of two components:
- nyako (server)
- nyatta (client)
the encrypted messages between the components are exchanged via a covert channel that utilizes an If-None-Match HTTP header. header example:
If-None-Match:
lo7ct.0.0.24.nwlrbbmqbhcdarzowkkyhid.nwlrbbmqbhcdarzowkkyhid.dqscdxrjmowfrx
sjybldbefsarcbynecdyggxxpklorellnmpapqfwkhopkmcoqhnwnkuewhsqmgbbuqcljjivswm
dkqtbxixmvtrrbljptnsnfwzqfjmafadrrwsofsbcnuvqhffbsaqxwpqcacehchzvfrkmlnozjk
pqpxrjxkitzyxacbhhkicqcoendtomfgdwdwfcgpxiqvkuytdlcgdewhtaciohordtqkvwcsgsp
qoqmsboaguwnnyqxnzlgdgwpbtrwblnsadeuguumoqcdrubetokyxhoachwdvmxxrdryxlmndqt
ukwagmlejuukwcibxubumenmeyatdrmydiajxloghiqfmzhlvihjouvsuyoypayulyeimuotehz
riicfskpggkbbipzzrzucxamludfykgruowzgiooobppleqlwphapjnadqhdc
remote command execution can be performed by entering a linux command. rootkit specific commands are outlined in the table below.
| command | technical details | description |
|---|---|---|
| invoke | send a message with the command type TYPE_INVOKE | invokes nyako to process commands |
| suspend | send a message with the command type TYPE_SUSPEND | suspends nyako making it unresponsive |
| block_trace | send a message with the command type TYPE_BLOCK_TRACE | blocks any tracing attepts |
| unblock_trace | send a message with the command type TYPE_UNBLOCK_TRACE | disables tracing blocking |
| terminate | send a message with the command type TYPE_TERMINATE | terminates nyako |
for the additional details see documents/design.pdf and documents/manual.pdf.
execution1.mp4
vlc-record-2023-03-05-15h14m43s-case2.mp4-.mp4
inspired by https://github.com/pathtofile/bad-bpf#pid-hide
case3.mp4
