Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Linux Backdoor Doesn’t Require Root Privileges

A newly observed Linux backdoor Trojan can perform its nefarious activities without root access, by using the privileges of the current user, Doctor Web security researchers have discovered.

A newly observed Linux backdoor Trojan can perform its nefarious activities without root access, by using the privileges of the current user, Doctor Web security researchers have discovered.

Dubbed Linux.BackDoor.FakeFile.1, the malware is being distributed as an archived PDF, Microsoft, or Open Office file, the security researchers say. As soon as it has been launched, the Trojan would save itself to the user’s home directory, in the .gconf/apps/gnome-common/gnome-common folder.

Next, the malware searchers for a hidden file that matches its name, and replaces that file with itself. However, if the malware doesn’t find the hidden file, it creates it and then opens it using gedit, Doctor Web researchers reveal.

“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf,” the security researchers note.

The next step is to check the name of the installed Linux distribution, which allows the malware to write a command to the file <HOME>/.profile or the file <HOME>/.bash_profile to launch automatically, but only if it runs on distributions other than openSUSE. Only after this step has been completed the Trojan retrieves the configuration data from its file and decrypts it.

Next, the malicious program launches two threads, one destined to share information with the command and control (C&C) server, while the other meant to monitor the duration of the connection. Thus, if the Trojan doesn’t receive instructions within 30 minutes, the connection is terminated.

Once installed on a compromised system, the backdoor can execute a multitude of commands: send to the C&C server the quantity of messages transferred during the session; send a list with the contents of the specified folder; send a specified file or a folder with all its contents; delete a directory; delete a file; rename a folder; remove itself; launch a new copy of a process; and close the current session.

Advertisement. Scroll to continue reading.

Other operations supported by the malware include: establish backconnect and run sh; terminate backconnect; open the executable file of the process for writing; close the process file; create a file or folder; write the transmitted values to a file; obtain the names, permissions, sizes, and creation dates of files in the specified directory; set 777 privileges on the specified file. The backdoor can also terminate its own operation upon command.

Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux

 

Related: Multipurpose “Xunpes” Trojan Targeting Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...