Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Linux Backdoor Doesn’t Require Root Privileges

A newly observed Linux backdoor Trojan can perform its nefarious activities without root access, by using the privileges of the current user, Doctor Web security researchers have discovered.

A newly observed Linux backdoor Trojan can perform its nefarious activities without root access, by using the privileges of the current user, Doctor Web security researchers have discovered.

Dubbed Linux.BackDoor.FakeFile.1, the malware is being distributed as an archived PDF, Microsoft, or Open Office file, the security researchers say. As soon as it has been launched, the Trojan would save itself to the user’s home directory, in the .gconf/apps/gnome-common/gnome-common folder.

Next, the malware searchers for a hidden file that matches its name, and replaces that file with itself. However, if the malware doesn’t find the hidden file, it creates it and then opens it using gedit, Doctor Web researchers reveal.

“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf,” the security researchers note.

The next step is to check the name of the installed Linux distribution, which allows the malware to write a command to the file <HOME>/.profile or the file <HOME>/.bash_profile to launch automatically, but only if it runs on distributions other than openSUSE. Only after this step has been completed the Trojan retrieves the configuration data from its file and decrypts it.

Next, the malicious program launches two threads, one destined to share information with the command and control (C&C) server, while the other meant to monitor the duration of the connection. Thus, if the Trojan doesn’t receive instructions within 30 minutes, the connection is terminated.

Once installed on a compromised system, the backdoor can execute a multitude of commands: send to the C&C server the quantity of messages transferred during the session; send a list with the contents of the specified folder; send a specified file or a folder with all its contents; delete a directory; delete a file; rename a folder; remove itself; launch a new copy of a process; and close the current session.

Other operations supported by the malware include: establish backconnect and run sh; terminate backconnect; open the executable file of the process for writing; close the process file; create a file or folder; write the transmitted values to a file; obtain the names, permissions, sizes, and creation dates of files in the specified directory; set 777 privileges on the specified file. The backdoor can also terminate its own operation upon command.

Advertisement. Scroll to continue reading.

Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux

 

Related: Multipurpose “Xunpes” Trojan Targeting Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.