A Linux ELF backdoor with a low antivirus detection rate has been discovered; it reaches its operators through a SOCKS5 proxy and carries two hard-coded IP addresses that serve as its command and control infrastructure. (Affected: Linux systems, cybersecurity)
Keypoints :
- MalwareHunterTeam reported a Linux ELF malware with a low detection rate; the linked article gives the file hashes.
- The malware contains two hard-coded IP addresses that point at its infrastructure.
- The backdoor runs payloads delivered through a remote SOCKS5 proxy.
- Environment variables control its execution flow.
- The malware mimics legitimate processes to avoid detection.
- It reconnects to the command and control (C2) infrastructure in a continuous loop, so a blocked or unreachable server produces repeated connection attempts.
- A second ELF file linked to the first was found; it acts as a reverse shell.
MITRE Techniques :
- T1090: Proxy: communication with the command and control server is tunnelled through a SOCKS5 proxy (SOCKS5 is not a web protocol, so T1071.001 does not apply).
- T1090.001: Proxy: Internal Proxy: a local proxy bound to 127.0.0.1 accepts traffic and forwards it to the remote proxy.
- T1036: Masquerading: the malware forks worker processes that mimic legitimate processes to hide their activity.
- T1480: Execution Guardrails: the malware checks environment variables to choose its execution path; the summary does not say whether the variables gate execution entirely or only select options, so this is the closest mapping rather than a confirmed one.
- T1059.004: Command and Scripting Interpreter: Unix Shell: commands received over the C2 connection are executed on the host, and the companion ELF provides a reverse shell.
Indicator of Compromise :
- The linked article gives hash values for the two malware variants (not reproduced in this summary); use them to hunt in EDR telemetry and to blocklist the files.
- Hard-coded IP addresses (43.159.18[.]135 and 119.42.148[.]187) are the command and control servers; block them and search firewall, proxy and NetFlow logs for connections to them.
- The malware runs a local proxy on 127.0.0.1 for internal traffic. The loopback address is not an indicator on its own; an unexpected loopback listener matters when the owning process also holds a connection to one of the C2 addresses.
- Hashes of the listed ELF binaries can be matched against files on suspect machines to find the malicious executables.
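The indicators above lend themselves to a small host-triage script. The following is an added example, not code from the original post or from the malware author: it refangs the two C2 addresses, flags sockets connected to them, flags a loopback listener owned by the same process (the local proxy pattern described above), and counts repeated outbound SYNs to the C2 addresses in netfilter log lines, which is what the reconnect loop looks like once the addresses are blocked. It assumes the column layout of `ss -Htnap` and the `DST=... SYN` fields of a netfilter LOG line. Every sample row, including the process name `sshd` on the malicious PID and the port 1080 listener, is constructed for the demo; the write-up does not name the mimicked process or the proxy port.

```python
"""Host-triage helper for the C2 indicators in this summary.

Added example, not from the original post. The ss(8) rows and log lines
below are constructed for the demo; on a suspect host feed it the real
output of `ss -Htnap` and real netfilter LOG lines instead.
"""
import re
from collections import Counter

# Defanged C2 addresses exactly as printed in the summary.
C2_IOCS_DEFANGED = ["43.159.18[.]135", "119.42.148[.]187"]


def refang(ip: str) -> str:
    """Turn a defanged address such as '1.2.3[.]4' back into '1.2.3.4'."""
    return ip.replace("[.]", ".")


C2_IPS = frozenset(refang(ip) for ip in C2_IOCS_DEFANGED)

# One row of `ss -Htnap` (tcp, numeric, all sockets, process info, no header):
#   ESTAB 0 0 10.0.0.5:51234 43.159.18.135:443 users:(("sshd",pid=4242,fd=3))
SS_ROW = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r'(?:\s+users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?'
)


def parse_ss(output: str) -> list[dict]:
    """Parse ss output into dicts; rows that do not match the layout are skipped."""
    rows = []
    for line in output.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"]) if d["pid"] else None
            rows.append(d)
    return rows


def triage_sockets(rows: list[dict]) -> list[dict]:
    """Flag C2 connections, then loopback listeners owned by the same PID.

    The write-up describes a local proxy on 127.0.0.1 that forwards to the
    remote SOCKS5 proxy, so a loopback LISTEN socket in a process that also
    talks to a C2 address is the pattern worth surfacing; a loopback
    listener alone (cupsd, a local database) is normal and is not flagged.
    """
    findings, c2_pids = [], set()
    for r in rows:
        if r["raddr"] in C2_IPS:
            findings.append({"kind": "c2_connection", "pid": r["pid"], "comm": r["comm"],
                             "peer": f'{r["raddr"]}:{r["rport"]}', "state": r["state"]})
            if r["pid"] is not None:
                c2_pids.add(r["pid"])
    for r in rows:
        if r["state"] == "LISTEN" and r["laddr"] == "127.0.0.1" and r["pid"] in c2_pids:
            findings.append({"kind": "loopback_proxy_listener", "pid": r["pid"],
                             "comm": r["comm"], "port": int(r["lport"])})
    return findings


# Netfilter LOG line: we only need the DST= field and the SYN flag.
NF_SYN = re.compile(r"\bDST=(?P<dst>\d+\.\d+\.\d+\.\d+)\b.*\bSYN\b")


def reconnect_attempts(log_text: str, min_attempts: int = 3) -> dict[str, int]:
    """Count outbound SYNs to each C2 address.

    The backdoor reconnects in a loop, so once the addresses are blocked a
    host keeps dialing the same destination; anything at or above
    min_attempts is returned.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = NF_SYN.search(line)
        if m and m.group("dst") in C2_IPS:
            counts[m.group("dst")] += 1
    return {ip: n for ip, n in counts.items() if n >= min_attempts}


# Constructed sample data (not captured from a real host). PID 4242 is named
# "sshd" to illustrate the process mimicry; the post does not name the process.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:50122 users:(("sshd",pid=812,fd=4))
LISTEN 0 128 127.0.0.1:1080 0.0.0.0:* users:(("sshd",pid=4242,fd=5))
ESTAB 0 0 10.0.0.5:51234 43.159.18.135:443 users:(("sshd",pid=4242,fd=3))
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=650,fd=7))
"""

SAMPLE_LOG = "\n".join(
    f"Jan 10 12:00:{s:02d} host kernel: OUTDROP IN= OUT=eth0 SRC=10.0.0.5 "
    f"DST=119.42.148.187 PROTO=TCP SPT={40000 + s} DPT=443 SYN"
    for s in (1, 6, 11, 16)
) + "\nJan 10 12:01:00 host kernel: OUTDROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=40100 DPT=443 SYN\n"


def main() -> None:
    for finding in triage_sockets(parse_ss(SAMPLE_SS)):
        print(finding)
    print(reconnect_attempts(SAMPLE_LOG))
    # Next step on any flagged PID: `readlink /proc/<pid>/exe` and hash the
    # target, since a process name that matches a legitimate daemon proves nothing.


if __name__ == "__main__":
    main()
```

On the sample data the script reports the PID 4242 connection to 43.159.18.135:443 and its 127.0.0.1:1080 listener, leaves the real sshd and cupsd listeners alone, and reports four SYNs to 119.42.148.187 from the log; a single hit against a C2 address is already actionable, the reconnect count only helps when the addresses are blocked and the connection itself never appears in `ss`.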
Full Story: https://dmpdump.github.io/posts/Low_Detection_backdoor_NHAS_RSSH/