1. Forum
  2. Usenet
  3. ALT.COMP.OS.WINDOWS-10

  • Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus De

    From Symon@21:1/5 to All on Wed Aug 27 09:14:40 2025
    XPost: alt.comp.os.windows-11, alt.os.linux.is-a-for-poofters, comp.os.linux.advocacy
    XPost: talk.politics.guns

    Cybersecurity researchers have shed light on a novel attack chain that
    employs phishing emails to deliver an open-source backdoor called
    VShell.

    The "Linux-specific malware infection chain that starts with a spam
    email with a malicious RAR archive file," Trellix researcher Sagar Bade
    said in a technical write-up.

    "The payload isn't hidden inside the file content or a macro, it's
    encoded directly in the filename itself. Through clever use of shell
    command injection and Base64-encoded Bash payloads, the attacker turns a
    simple file listing operation into an automatic malware execution
    trigger."

    The technique, the cybersecurity company added, takes advantage of a
    simple yet dangerous pattern commonly observed in shell scripts that
    arises when file names are evaluated with inadequate sanitization,
    thereby causing a trivial command like eval or echo to facilitate the
    execution of arbitrary code.

    What's more, the technique offers the added advantage of getting around traditional defenses, as antivirus engines don't typically scan file
    names.

    The starting point of the attack is an email message containing a RAR
    archive, which includes a file with a maliciously crafted file name: "ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`"

    Specifically, the file name incorporates Bash-compatible code that's
    engineered to execute commands when it's interpreted by the shell. It's
    worth noting that simply extracting the file from the archive does not
    trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.

    Another important aspect to consider here is that it's not possible to
    manually create a file name with this syntax, meaning it was likely
    created using another language or dropped using an external tool or
    script that bypasses shell input validation, Trellix said.

    This, in turn, leads to the execution of an embedded Base64-encoded
    downloader, which then retrieves from an external server an ELF binary
    for the appropriate system architecture (x86_64, i386, i686, armv7l, or aarch64). The binary, for its part, initiates communication with a command-and-control (C2) server to obtain the encrypted VShell payload,
    decode, and execute it on the host.

    Trellix said the phishing emails are disguised as an invitation for a
    beauty product survey, luring recipients with a monetary reward (10 RMB)
    for completing it.

    "Crucially, the email includes a RAR archive attachment ('yy.rar'), even
    though it doesn't explicitly instruct the user to open or extract it,"
    Bade explained. "The social engineering angle is subtle: The user is
    distracted by the survey content, and the presence of the attachment
    might be mistaken for a survey-related document or data file."

    VShell is a Go-based remote access tool that has been widely put to use
    by Chinese hacking groups in recent years, including UNC5174, supporting reverse shell, file operations, process management, port forwarding, and encrypted C2 communications.

    What makes this attack dangerous is that the malware operates entirely in-memory, avoiding disk-based detection, not to mention it can target a
    wide range of Linux devices.

    "This analysis highlights a dangerous evolution in Linux malware
    delivery where a simple file name embedded in a RAR archive can be
    weaponized to execute arbitrary commands," Trellix said. "The infection
    chain exploits command injection in shell loops, abuses Linux's
    permissive execution environment, and ultimately delivers a powerful
    backdoor VShell malware capable of full remote control over the system."

    The development comes as Picus Security released a technical analysis of
    a Linux-focused post-exploit tool dubbed RingReaper that leverages the
    Linux kernel's io_uring framework to circumvent traditional monitoring
    tools. It's currently not known who is behind the malware.

    "Instead of invoking standard functions such as read, write, recv, send,
    or connect, RingReaper employs io_uringprimitives (e.g.,
    io_uring_prep_*) to execute equivalent operations asynchronously,"
    security researcher Sila �zeren Hacioglu said. "This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in telemetry commonly gathered by EDR platforms."

    RingReaper makes use of io_uring to enumerate system processes, active pseudo-terminal (PTS) sessions, network connections, and logged-in
    users, while reducing its footprint and avoiding detection. It's also
    capable of collecting user information from the "/etc/passwd" file,
    abusing SUID binaries for privilege escalation, and erasing traces of
    itself after execution.

    "It exploits the Linux kernel's modern asynchronous I/O interface,
    io_uring, to minimize reliance on conventional system calls that
    security tools frequently monitor or hook," Picus said.

    https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.h
    tml

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)