Cybersecurity researchers have highlighted a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.
"A Linux-specific malware infection chain that begins with a spam email with a malicious RAR archive file," Trellix's Sagar Bade said in a technical write-up.
"The payload isn't hidden inside the file content or a macro; it's encoded directly in the file name. Through clever use of shell command injection and a Base64-encoded Bash payload, the attacker converts a simple file listing operation into an automated malware execution trigger."
The technique, the cybersecurity company said, "takes advantage of a dangerous yet commonly seen pattern in shell scripting that arises when file names are evaluated with insufficient sanitization, which facilitates the execution of arbitrary code via a trivial command such as eval or echo."
What's more, the technique offers the additional benefit of getting around traditional defenses, as antivirus engines usually do not scan file names.
The starting point of the attack is an email message that includes a RAR archive, which contains a file with a maliciously crafted name beginning "ziliao2.pdf`echo".
In particular, the file name contains Bash-compatible code that is engineered to execute a command when interpreted by the shell. It is worth noting that simply extracting the file from the archive does not trigger execution. Rather, it happens only when a shell script or command attempts to evaluate the file name.
Another important aspect to consider here is that it is not possible to manually create a file name with this syntax, which means it was probably crafted using another language or dropped using an external tool or script that bypasses shell input validation, Trellix said.
This, in turn, leads to the execution of an embedded Base64-encoded downloader, which then retrieves an ELF binary from an external server for the appropriate system architecture (x86_64, i386, i686, armv7l, or aarch64). The binary initiates communication with a command-and-control (C2) server, which returns an encrypted VShell payload that the binary decodes and executes on the host.
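The defensive counterpart to the chain described above, as an added example that is not part of the Trellix write-up: a POSIX shell script that screens an archive's file listing for names carrying shell syntax, and shows the safe way to print a name as data instead of evaluating it. The sample listing is constructed here; the suspicious name mimics the style described in the article without carrying any real payload.

```shell
#!/bin/sh
# Added example, not from the original report. Screens file names that a
# shell loop might later evaluate, and prints names safely as plain data.

nl='
'

# Return 0 (true) when a name contains characters or words that only make
# sense if the name is meant to be interpreted by a shell rather than used
# as data. Documents have no business containing backticks, $(, pipes, etc.
suspicious_filename() {
    case "$1" in
        *'`'*|*'$('*|*';'*|*'|'*|*'&'*|*'>'*|*'<'*|*"$nl"*) return 0 ;;
    esac
    # Command words that never belong in a legitimate document name.
    case "$1" in
        *eval*|*base64*|*bash*|*curl*|*wget*) return 0 ;;
    esac
    return 1
}

# Safe replacement for `eval "echo $name"` or `echo $name`: printf with a
# %s format treats the name purely as data, so embedded shell syntax is inert.
safe_echo() {
    printf '%s\n' "$1"
}

# Count suspicious names in a newline-separated listing on stdin, e.g. the
# output of `unrar lb archive.rar` or `find <dir> -print` (placeholder paths).
count_suspicious() {
    n=0
    while IFS= read -r line; do
        if suspicious_filename "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample listing: two ordinary names and one in the style the
# article describes (a PDF-looking prefix followed by backtick-quoted code).
SAMPLE_LISTING="survey.pdf${nl}notes.txt${nl}ziliao2.pdf\`echo hello\`"

main() {
    printf '%s\n' "$SAMPLE_LISTING" | while IFS= read -r f; do
        safe_echo "$f"              # prints each name inertly
    done
    echo "suspicious entries: $(printf '%s\n' "$SAMPLE_LISTING" | count_suspicious)"
}
```

Run the listing of any received archive through `count_suspicious` before any script iterates over its extracted file names; a non-zero result is worth an alert on its own, since the article notes antivirus engines rarely inspect names.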
Trellix said the phishing emails are disguised as an invitation to a beauty product survey, enticing recipients with a monetary reward (10 RMB) for completing it.
"Importantly, the email contains a RAR archive attachment ('yy.rar'), even though it does not explicitly direct the user to open or extract it," Bade explained. "The social engineering angle is subtle: the user is distracted by the survey content, and the presence of the attachment can be mistaken for a survey-related document or data file."
VShell is a Go-based remote access tool that has been widely put to use by Chinese hacking groups in recent years, including UNC5174, and supports reverse shell, file operations, process management, port forwarding, and encrypted C2 communication.
What makes this attack dangerous is that the malware runs fully in memory, avoiding disk-based detection, not to mention that it can target a wide range of Linux devices.
"This analysis highlights a dangerous evolution in Linux malware delivery, where an ordinary-looking file name embedded in a RAR archive can be weaponized to execute arbitrary commands," Trellix said. "The infection chain exploits command injection in shell loops, abusing Linux's permissive execution environment, and ultimately delivers the powerful VShell backdoor, capable of full remote control over the system."
The development comes as Picus Security released a technical analysis of a Linux-centric post-exploitation tool dubbed RingReaper that takes advantage of the Linux kernel's io_uring framework to evade traditional monitoring tools. It is not currently known who is behind the malware.
"Instead of standard calls such as read, write, recv, or connect, RingReaper employs io_uring primitives (e.g., io_uring_prep_*) to achieve the same outcomes," security researcher Sıla Özeren Hacıoğlu said. "This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in the telemetry usually collected by EDR platforms."
RingReaper uses io_uring to enumerate processes, active pseudo-terminal (PTS) sessions, network connections, and logged-in users, while reducing its footprint and avoiding detection. It is capable of collecting user information from the "/etc/passwd" file, abusing SUID binaries for privilege escalation, and erasing itself after execution.
"It exploits the Linux kernel's modern asynchronous I/O interface, io_uring, to reduce dependence on traditional system calls that security tools often monitor or hook," Picus said.