BlueShell is a Go-based backdoor used against Linux systems in Korea and Thailand, with a threat actor customizing and deploying it via a dropper that loads the malware into memory. The campaign features environment-variable-configured C2 data, TLS-enabled C2 communications, and a parent dropper that disguises the id command for persistence. #BlueShell #Dalbit #Korea
Keypoints
- BlueShell is a Go-based backdoor that targets Linux (and also Windows/macOS) and supports TLS encryption for C2 communications.
- The customized BlueShell reads configuration data from environment variables (lgdt and wtim) and uses a host-name condition to decide execution.
- A dropper decrypts the BlueShell payload with XOR (0x63) and expands it to a runtime path like /tmp/.ICECache, then runs in memory.
- The dropper and backdoor disguise themselves as legitimate processes (e.g., the backdoor masquerades as /usr/libexec/rpciod and the id command), complicating defense efforts.
- A parent dropper variant disguises the Linux id command and installs BlueShell, potentially altering the binary location to maintain persistence.
- Attacks against Korean Linux systems have been observed from 2022 to 2023, with multiple samples (orbds, rpcd, id) and several IoCs reported, including C2 addresses and MD5 hashes.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – BlueShell can receive commands from the C&C server and execute the threat actor’s malicious commands. “BlueShell can receive commands from the C&C server and execute the threat actor’s malicious commands.”
- [T1027] Obfuscated/Compressed Files and Information – The dropper uses XOR with the key 0x63 to decrypt the encrypted BlueShell payload stored in its .data section. The decrypted data is in a compressed form; it is decompressed and written to a path such as “/tmp/.ICECache.”
- [T1036] Masquerading – The threat actor disguises Linux’s “id” command and uses a fake process name (e.g., “/usr/libexec/rpciod”) to blend in. “the threat actor’s name implies, it disguises Linux’s ‘id’ command.”
- [T1574] Hijack Execution Flow – The parent dropper likely changed the binary where the “id” command was located to maintain persistence so that the malware can continuously run whenever the command is run. “Details are yet to be confirmed, but the threat actor likely changed the binary where the “id” command was located to maintain persistence so that the malware can continuously run whenever the command is run.”
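The two page-specific traits above (a compressed payload XOR-encoded with 0x63 inside the dropper, and a backdoor configured through the lgdt/wtim environment variables) can be turned into simple triage checks. The following is an added example written for this summary, not code from the report or the malware; it assumes the compressed payload is a gzip or zlib stream (the report only says “compressed”) and uses a constructed stand-in for the dropper’s .data section.

```python
import gzip
import zlib

XOR_KEY = 0x63  # single-byte key reported for the BlueShell dropper

# Compression magics to look for after XOR-decoding. The report only says the
# payload is "compressed"; treating it as gzip/zlib is an assumption.
MAGICS = {b"\x1f\x8b": "gzip", b"\x78\x9c": "zlib", b"\x78\xda": "zlib"}

# Environment variable names the customized backdoor reads its config from.
WATCHED_ENV = {"lgdt", "wtim"}


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_payloads(blob: bytes, key: int = XOR_KEY) -> list:
    """Offsets in `blob` where XOR-decoding with `key` yields a compression magic."""
    hits = []
    for magic, kind in MAGICS.items():
        encoded, start = xor_bytes(magic, key), 0
        while (idx := blob.find(encoded, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def extract_payload(blob: bytes, offset: int, kind: str, key: int = XOR_KEY):
    """XOR-decode from `offset` and inflate; None unless a complete stream is there."""
    wbits = 16 + zlib.MAX_WBITS if kind == "gzip" else zlib.MAX_WBITS
    inflater = zlib.decompressobj(wbits=wbits)  # tolerates trailing bytes
    try:
        out = inflater.decompress(xor_bytes(blob[offset:], key))
    except zlib.error:
        return None
    return out if inflater.eof else None


def flag_environ(environ: bytes) -> list:
    """Watched names present in a /proc/<pid>/environ blob (NUL-separated KEY=VALUE)."""
    names = {e.split(b"=", 1)[0].decode("latin-1") for e in environ.split(b"\x00") if e}
    return sorted(WATCHED_ENV & names)


# Constructed stand-in for a dropper's .data section: filler, then a gzip'd
# fake payload XOR-encoded with 0x63, then more filler. Not a real sample.
FAKE_PAYLOAD = b"\x7fELF" + b"constructed-fake-backdoor-bytes"
SAMPLE_DATA = b"\x00" * 32 + xor_bytes(gzip.compress(FAKE_PAYLOAD, mtime=0)) + b"A" * 16
```

Running find_xored_payloads over a real dropper’s .data bytes and feeding each hit to extract_payload recovers candidate payloads for further analysis; flag_environ can be applied to every /proc/<pid>/environ on a host to spot processes carrying the reported variable names.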
Indicators of Compromise
- [IP] C2 servers – 202.87.223.124:443, 20.200.213.72:3389
- [MD5] 3f022d65129238c2d34e41deba3e24d3, 30fe6a0ba1d77e05a19d87fcf99e7ca5
- [File name] orbds, rpcd, id
- [File path] /tmp/.ICECache, /tmp/kthread, /tmp/.X15-lock
- [Process name] /usr/libexec/rpciod (BlueShell’s fake name) and the disguised “id” command
- [Environment Variable] lgdt, wtim
Read more: https://asec.ahnlab.com/en/61549/