Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.
The “Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file,” Trellix researcher Sagar Bade said in a technical write-up.
“The payload isn’t hidden inside the file content or a macro, it’s encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger.”
The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code.
What’s more, the technique offers the added advantage of getting around traditional defenses, as antivirus engines don’t typically scan file names.
The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: “ziliao2.pdf`{echo,
Specifically, the file name incorporates Bash-compatible code that’s engineered to execute commands when it’s interpreted by the shell. It’s worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.
Another important aspect to consider here is that it’s not possible to manually create a file name with this syntax, meaning it was likely created using another language or dropped using an external tool or script that bypasses shell input validation, Trellix said.
This, in turn, leads to the execution of an embedded Base64-encoded downloader, which then retrieves from an external server an ELF binary for the appropriate system architecture (x86_64, i386, i686, armv7l, or aarch64). The binary, for its part, initiates communication with a command-and-control (C2) server to obtain the encrypted VShell payload, decode, and execute it on the host.
Trellix said the phishing emails are disguised as an invitation for a beauty product survey, luring recipients with a monetary reward (10 RMB) for completing it.
“Crucially, the email includes a RAR archive attachment (‘yy.rar’), even though it doesn’t explicitly instruct the user to open or extract it,” Bade explained. “The social engineering angle is subtle: The user is distracted by the survey content, and the presence of the attachment might be mistaken for a survey-related document or data file.”
VShell is a Go-based remote access tool that has been widely put to use by Chinese hacking groups in recent years, including UNC5174, supporting reverse shell, file operations, process management, port forwarding, and encrypted C2 communications.
What makes this attack dangerous is…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
