Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > alt.comp.os.windows-10 > #187028
| From | Symon <symon@notice.org> |
|---|---|
| Subject | Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection |
| Message-ID | <f316bcee397ee302412a58851009d7e7@dizum.com> (permalink) |
| Date | 2025-08-27 09:14 +0200 |
| Newsgroups | alt.comp.os.windows-10, alt.comp.os.windows-11, alt.os.linux.is-a-for-poofters, comp.os.linux.advocacy, talk.politics.guns |
| Organization | dizum.com - The Internet Problem Provider |
Cross-posted to 5 groups.
Cybersecurity researchers have shed light on a novel attack chain that
employs phishing emails to deliver an open-source backdoor called
VShell.
The "Linux-specific malware infection chain that starts with a spam
email with a malicious RAR archive file," Trellix researcher Sagar Bade
said in a technical write-up.
"The payload isn't hidden inside the file content or a macro, it's
encoded directly in the filename itself. Through clever use of shell
command injection and Base64-encoded Bash payloads, the attacker turns a
simple file listing operation into an automatic malware execution
trigger."
The technique, the cybersecurity company added, takes advantage of a
simple yet dangerous pattern commonly observed in shell scripts that
arises when file names are evaluated with inadequate sanitization,
thereby causing a trivial command like eval or echo to facilitate the
execution of arbitrary code.
What's more, the technique offers the added advantage of getting around
traditional defenses, as antivirus engines don't typically scan file
names.
The starting point of the attack is an email message containing a RAR
archive, which includes a file with a maliciously crafted file name:
"ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`"
Specifically, the file name incorporates Bash-compatible code that's
engineered to execute commands when it's interpreted by the shell. It's
worth noting that simply extracting the file from the archive does not
trigger execution. Rather, it occurs only when a shell script or command
attempts to parse the file name.
Another important aspect to consider here is that it's not possible to
manually create a file name with this syntax, meaning it was likely
created using another language or dropped using an external tool or
script that bypasses shell input validation, Trellix said.
This, in turn, leads to the execution of an embedded Base64-encoded
downloader, which then retrieves from an external server an ELF binary
for the appropriate system architecture (x86_64, i386, i686, armv7l, or
aarch64). The binary, for its part, initiates communication with a
command-and-control (C2) server to obtain the encrypted VShell payload,
decode, and execute it on the host.
Trellix said the phishing emails are disguised as an invitation for a
beauty product survey, luring recipients with a monetary reward (10 RMB)
for completing it.
"Crucially, the email includes a RAR archive attachment ('yy.rar'), even
though it doesn't explicitly instruct the user to open or extract it,"
Bade explained. "The social engineering angle is subtle: The user is
distracted by the survey content, and the presence of the attachment
might be mistaken for a survey-related document or data file."
VShell is a Go-based remote access tool that has been widely put to use
by Chinese hacking groups in recent years, including UNC5174, supporting
reverse shell, file operations, process management, port forwarding, and
encrypted C2 communications.
What makes this attack dangerous is that the malware operates entirely
in-memory, avoiding disk-based detection, not to mention it can target a
wide range of Linux devices.
"This analysis highlights a dangerous evolution in Linux malware
delivery where a simple file name embedded in a RAR archive can be
weaponized to execute arbitrary commands," Trellix said. "The infection
chain exploits command injection in shell loops, abuses Linux's
permissive execution environment, and ultimately delivers a powerful
backdoor VShell malware capable of full remote control over the system."
The development comes as Picus Security released a technical analysis of
a Linux-focused post-exploit tool dubbed RingReaper that leverages the
Linux kernel's io_uring framework to circumvent traditional monitoring
tools. It's currently not known who is behind the malware.
"Instead of invoking standard functions such as read, write, recv, send,
or connect, RingReaper employs io_uringprimitives (e.g.,
io_uring_prep_*) to execute equivalent operations asynchronously,"
security researcher Sila Özeren Hacioglu said. "This method helps bypass
hook-based detection mechanisms and reduces the visibility of malicious
activity in telemetry commonly gathered by EDR platforms."
RingReaper makes use of io_uring to enumerate system processes, active
pseudo-terminal (PTS) sessions, network connections, and logged-in
users, while reducing its footprint and avoiding detection. It's also
capable of collecting user information from the "/etc/passwd" file,
abusing SUID binaries for privilege escalation, and erasing traces of
itself after execution.
"It exploits the Linux kernel's modern asynchronous I/O interface,
io_uring, to minimize reliance on conventional system calls that
security tools frequently monitor or hook," Picus said.
https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.h
tml
Back to alt.comp.os.windows-10 | Previous | Next — Next in thread | Find similar | Unroll thread
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Symon <symon@notice.org> - 2025-08-27 09:14 +0200
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection "Mr. Man-wai Chang" <toylet.toylet@gmail.com> - 2025-08-27 23:25 +0800
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-27 23:22 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Hank Rogers <Hank@nospam.invalid> - 2025-08-27 19:21 -0500
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-28 00:41 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-28 08:45 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-28 22:36 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-29 08:39 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-30 00:16 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Hank Rogers <Hank@nospam.invalid> - 2025-08-29 20:02 -0500
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-30 03:35 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection pothead <pothead@snakebite.com> - 2025-08-28 15:45 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-28 03:28 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Daniel70 <daniel47@somewhere.someplaceelse> - 2025-08-28 20:19 +1000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-28 07:54 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection "Carlos E.R." <robin_listas@es.invalid> - 2025-08-28 14:57 +0200
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-28 09:02 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection "Carlos E.R." <robin_listas@es.invalid> - 2025-08-28 23:17 +0200
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-28 22:35 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-29 08:38 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-29 10:35 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-29 10:55 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection "Carlos E.R." <robin_listas@es.invalid> - 2025-08-31 02:35 +0200
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-31 01:21 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Char Jackson <none@none.invalid> - 2025-08-31 12:58 -0500
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-31 22:46 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection "Carlos E.R." <robin_listas@es.invalid> - 2025-09-01 02:44 +0200
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-09-01 07:56 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection "Carlos E.R." <robin_listas@es.invalid> - 2025-09-01 14:21 +0200
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Char Jackson <none@none.invalid> - 2025-09-01 16:26 -0500
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-28 22:34 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-28 22:32 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-28 19:18 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-29 00:50 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-28 22:44 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-29 04:02 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-29 00:53 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-29 05:31 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-28 08:44 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection chrisv <chrisv@nospam.invalid> - 2025-08-28 16:30 -0500
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-29 08:35 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-28 22:29 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection CrudeSausage <crude@sausa.ge> - 2025-08-29 08:36 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-30 05:39 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-30 07:25 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Paul <nospam@needed.invalid> - 2025-08-28 19:40 -0400
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-08-29 00:51 +0000
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection "Carlos E.R." <robin_listas@es.invalid> - 2025-09-02 12:45 +0200
csiph-web