Extremely sticky and persistent suspected rootkit that I can’t shake

I’m honestly up to my last will and testament on mental, emotional and even physical capital with this thing. I’ll try my best to keep this laconic and just as an information repository, but there’s a lot since it’s been over four months now.

It was relatively passive and stealthy for the first few months
It mainly ran a MITM and DNS attack
His motivation is not monetary, but appears to be reputational defacement
About four weeks ago I tried to dispose of it and it literally went insane and seemingly came out of its lair
Since then, every single day has been an escalation on their part

This thing has read, write and execute permissions
It is primarily interested in my router and network
I get DDoSed daily when they hijack the network
It seems like some of these are coming from my own machine.

It looks like whatever it is uses a virtual machine
It then breaks the TPM, either by already having the keys or by brute force
It makes its way to the processor and sends an ARP until I get hit with the DDoS and no longer own my own network.
It actively counteracts my countermeasures, including redirects, spoofing/phishing, and timeouts to prevent me from gaining access to my router’s admin portal
Whatever it is, it seems to work in a 32-bit environment and sometimes 16-bit with a very limited amount of memory.
It seems to be accessing my machine from a very outdated server where it hosts the VM.
And that’s just phase 3.5

Phase 4.25 is the windows mirroring trojan they introduced which is speedrunning that locks me out of systems. Even if I have a day job, it knocks me out of the machines within 24 hours of a clean install
They called organizations from my phone.
Attempts were made to open accounts, close accounts, and take out loans.

It penetrated every single device resulting in a full denial of service.
I’ve filed a police report and contacted the FBI
I’ve reached out to the private sector where they want an hourly wage for the Wall Street attorney or are already so busy they can’t help the common person

This thing has reduced me to a flip phone this week, barely holding me by a corner of the card. It was incredibly disturbing and, frankly, becoming extremely unsettling.

I can’t tell if I’m dealing with a script, an AI, a human, an organized group of humans, or just random script kiddies hitting me with drivebys they bought access to on the open market.

I work in IT at a VAR but only started 3-4 weeks ago. I am a salesman by profession. I’m nobody important. And I don’t know any bigger enemies.

Speaking to one of the Sophos engineers last week, he said it sounds like a contract.
Another friend of mine thinks locally and has very generous resources. Either state or multinational.

I was on one of the steepest learning curves of my life, didn’t even know how to work with Event Viewer a few weeks ago and am now getting on with a tool belt of Wireshark, Autorun, Portmaster, everything, Malwarebytes and Windows Defender/Bitlocker.

This beep can and will disable any of these on a whim with my own admin privileges. And no, I’m not using an admin account. He breaks into an automatically generated 20-digit password. This also happens on Linux, where all operating files lock me out until I unpack.

I will stop there. But there is much, much more. But I get pretty weathered fighting that squeak every day. It’s to the point where I just think about a salt and retire and burn it all and start over. But with the money I have here, it’s quite difficult. This means:

MSI Unify Z690 12900KB, 64GB Corsair Vengeance 5600MHz, x4 NVMe drives, x3 SATA drives, x2 HDDs, 5 monitors and that’s just my workstation

Z690 Edge Wifi DDR4, 12900k GSkill Royal 3600MHz 16GB, x2 NVME drives, x1 SATA

EVGA x299 FTW-K with 10900x, x2 SATAs, x2 HDDs

There is no mention of laptops, tablets, cell phones, etc. on this evening.

Until now I could not confirm what the rootkit is. I’m still too new or just inexperienced to see the things I need to see. But I’m a fast learner. I now use the UEFI shell and cmd to tactically wipe partitions or volumes. First and foremost, I’m trying to figure out what this thing is. Second, I’m looking for recommendations on how to completely erase a mobo. I have a ch43a eeprom handy but no working machine to program it. And even then, every piece of software I know of is riddled with malware too.

I have documented this thoroughly, just not cleanly organized, as I keep getting denials of service on certain systems. So it will initially only be a data dump. Let me know if you need anything specific and I’ll pull on my biohazard suit and fish it out. I am currently out of clean installs as all my USBs are compromised and there are no clean machines to format.

Any help is welcome. Thanks in advance.
