A deceptive PoC has been found that hides a backdoor inside what should be a safe learning tool for security researchers. Discovered by Uptycs, the PoC downloads and executes a hidden Linux bash script, persists via kworker and bashrc, and can exfiltrate data and grant unauthorized SSH access; it also uses namespace tricks to imitate a root shell. Hashtags: #ChriSander22 #Uptycs #CVE-2023-35829 #CVE-2023-20871
Keypoints
- The PoC is a malicious twist on legitimate research tooling: it hides a backdoor inside a supposedly safe learning tool for security researchers.
- Persistence is achieved by duplicating the PoC to the user’s home and registering its path in ~/.bashrc, enabling ongoing operation.
- Data theft capabilities include collecting hostname, username, and the contents of home directories, with SSH keys potentially enabling full system access.
- The PoC downloads and executes a remote bash script via a curl-based downloader, embedding the URL in a way that resists simple static analysis.
- It attempts to conceal its presence by masquerading as a kernel-level process and by embedding itself in bashrc, using Linux namespaces to fake a root-like shell.
- Uptycs XDR detected the downloader behavior, the remote script’s access to /etc/passwd, and the manipulation of ~/.ssh/authorized_keys for unauthorized access.
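The three host-side behaviours in the keypoints (the ~/.bashrc persistence entry, the tampered ~/.ssh/authorized_keys, and a user-space process posing as a kernel thread) can each be checked with a small triage routine. The script below is an added example and is not Uptycs' detection logic; the home directory, baseline key, process records and file paths are constructed samples, and only the file name aclocal.m4 comes from the indicator list.

```python
"""Host-triage checks for the persistence and masquerading behaviour above.
Added example, not Uptycs' XDR logic. Every check is a pure function over
file text or process records so it runs offline on the constructed samples
at the bottom; read_live_procs() feeds the same checks real /proc data."""
from __future__ import annotations
import os
from dataclasses import dataclass

# Wrappers a persistence line commonly puts in front of the real target.
LAUNCHERS = {"nohup", "setsid", "exec", "bash", "sh"}
# comm prefixes of genuine kernel threads.
KERNEL_THREAD_PREFIXES = ("kworker", "kthreadd", "ksoftirqd", "migration/", "rcu_")


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm
    ppid: int      # PPid: from /proc/<pid>/status
    exe: str       # readlink(/proc/<pid>/exe); "" when there is no image (kernel thread)
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced; "" for kernel threads


def _expand(token: str, home: str) -> str:
    """Resolve ~ and $HOME in one shell token without touching the real environment."""
    token = token.strip("\"'")
    if token.startswith("~/"):
        return home + token[1:]
    return token.replace("${HOME}", home).replace("$HOME", home)


def suspicious_bashrc_lines(bashrc_text: str, home: str) -> list[str]:
    """Return ~/.bashrc lines whose command is an executable stored under $HOME.
    The PoC copies itself into the home directory and registers that path here,
    so a command token under $HOME (after stripping nohup/setsid/bash wrappers)
    is the signal; PATH exports and `source ~/.bash_aliases` are left alone."""
    hits = []
    for line in bashrc_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        tokens = s.split()
        while tokens and tokens[0] in LAUNCHERS:
            tokens.pop(0)
        if not tokens or tokens[0] in (".", "source"):
            continue
        if _expand(tokens[0], home).startswith(home.rstrip("/") + "/"):
            hits.append(s)
    return hits


def unknown_authorized_keys(auth_keys_text: str, baseline: set[str]) -> list[str]:
    """Return authorized_keys entries absent from a known-good baseline of
    "keytype base64" pairs. Leading options and trailing comments are ignored,
    so a familiar-looking comment cannot hide a foreign key."""
    unknown = []
    for line in auth_keys_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        key = s
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                key = " ".join(parts[i:i + 2])
                break
        if key not in baseline:
            unknown.append(s)
    return unknown


def fake_kernel_threads(procs: list[Proc]) -> list[Proc]:
    """Flag processes that carry a kernel-thread name but are ordinary user-space
    processes: a real kworker has no executable image (exe and cmdline empty)
    and is a child of kthreadd (pid 2); a renamed binary keeps its exe link and argv."""
    return [p for p in procs
            if p.comm.startswith(KERNEL_THREAD_PREFIXES)
            and (p.exe or p.cmdline or p.ppid not in (0, 2))]


def read_live_procs() -> list[Proc]:
    """Collect Proc records from /proc (run as root so exe links of all users resolve)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            comm = open(f"{base}/comm").read().strip()
            raw = open(f"{base}/cmdline", "rb").read()
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
            ppid = next((int(l.split()[1]) for l in open(f"{base}/status")
                         if l.startswith("PPid:")), 0)
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = ""
            procs.append(Proc(int(pid), comm, ppid, exe, cmdline))
        except OSError:
            continue
    return procs


# --- constructed samples (not taken from a real host) ---
SAMPLE_HOME = "/home/dev"
SAMPLE_BASHRC = """# ~/.bashrc
export PATH="$HOME/bin:$PATH"
source ~/.bash_aliases
alias ll='ls -la'
nohup bash $HOME/.cache/aclocal.m4 >/dev/null 2>&1 &
"""
BASELINE_KEYS = {"ssh-ed25519 AAAAC3KNOWNKEYEXAMPLE"}
SAMPLE_AUTH_KEYS = """ssh-ed25519 AAAAC3KNOWNKEYEXAMPLE dev@laptop
no-pty,command="/bin/true" ssh-rsa AAAAB3FOREIGNKEYEXAMPLE backup
"""
SAMPLE_PROCS = [
    Proc(2, "kthreadd", 0, "", ""),
    Proc(17, "kworker/0:1", 2, "", ""),
    Proc(4242, "kworker/u8:3", 1, "/home/dev/.cache/aclocal.m4", "/home/dev/.cache/aclocal.m4"),
    Proc(4300, "bash", 4242, "/usr/bin/bash", "bash"),
]

if __name__ == "__main__":
    print("bashrc:", suspicious_bashrc_lines(SAMPLE_BASHRC, SAMPLE_HOME))
    print("keys:  ", unknown_authorized_keys(SAMPLE_AUTH_KEYS, BASELINE_KEYS))
    print("procs: ", [p.pid for p in fake_kernel_threads(SAMPLE_PROCS)])
    if os.path.isdir("/proc"):
        print("live:  ", [(p.pid, p.comm, p.exe) for p in fake_kernel_threads(read_live_procs())])
```

The three checks are deliberately separate so each can be pointed at a baseline of your own: a second-stage copy under $HOME that ~/.bashrc launches, a key pair you did not enrol, and a "kworker" with an exe link are each independently worth an alert.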
MITRE Techniques
- [T1059.004] Unix Shell – The malware uses /bin/bash to run the downloaded script and disguises its operations as a kernel-level process. Quote: “operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process.”
- [T1105] Ingress Tool Transfer – The binary downloads a URL via curl and executes the script it fetches. Quote: “the curl_func() function, which uses the libcurl library to download a URL that is obfuscated so as basic static analysis can’t easily find it. The URL is hxxp[:]//cunniloss[.]accesscam[.]org/hash[.]php; it contains a bash script that is run if the curl request succeeds.”
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated using curl to transfer data to a remote host. Quote: “employs curl to exfiltrate data via transfer[.]sh.”
- [T1098.004] SSH Authorized Keys – The attacker can gain full access by adding their SSH key to authorized_keys. Quote: “an attacker can gain full access to a target system by adding their ssh key to the authorized_keys file.”
- [T1027] Obfuscated/Compressed Files and Information – The URL is obfuscated to hinder static analysis. Quote: “it uses an obfuscated URL so as basic static analysis can’t easily find it.”
- [T1036] Masquerading – The malware disguises itself by embedding in bashrc and presenting as a kernel-level process. Quote: “disguising its operations as a kernel-level process.”
Indicators of Compromise
- [File name] context – aclocal.m4, hash caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c
- [URL] context – hxxp[:]//cunniloss[.]accesscam[.]org
- [URL] context – hxxp[:]//transfer[.]sh
- [IP Address] context – 81[.]4[.]109[.]16
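The indicators above are defanged (hxxp, [:], [.]), so matching them against proxy or firewall logs and file hashes first needs them refanged. The script below is an added example, not Uptycs' tooling: the indicator values are those from the list, while the log lines, timestamps and file bytes are constructed samples (the sample lines are built by refanging at runtime so the source shows only defanged values).

```python
"""Refang the indicators listed above and match them against log lines and
file hashes. Added example, not Uptycs' tooling. Indicator values are from the
list; SAMPLE_LOG and the hashed bytes in the tests are constructed."""
from __future__ import annotations
import hashlib
import re
from urllib.parse import urlparse

IOC_URLS = ["hxxp[:]//cunniloss[.]accesscam[.]org", "hxxp[:]//transfer[.]sh"]
IOC_IPS = ["81[.]4[.]109[.]16"]
IOC_SHA256 = {"caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c"}  # aclocal.m4


def refang(value: str) -> str:
    """Undo the common defanging conventions: hxxp(s), [:], [.], (.), (dot)."""
    return (value.replace("hxxps", "https").replace("hxxp", "http")
                 .replace("[:]", ":").replace("[.]", ".")
                 .replace("(.)", ".").replace("(dot)", "."))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def network_indicators() -> list[str]:
    """Hostnames from the URL indicators plus the bare IPs, refanged."""
    hosts = [urlparse(refang(u)).hostname for u in IOC_URLS]
    return [h for h in hosts if h] + [refang(ip) for ip in IOC_IPS]


def _pattern(indicator: str) -> re.Pattern:
    # Whole-host match only: "transfer.sh" must not fire on "transfer.shop",
    # and "mirror.transfer.sh" is a different host from the indicator.
    return re.compile(r"(?<![\w.-])" + re.escape(indicator) + r"(?![\w-])", re.IGNORECASE)


def scan_lines(lines, indicators=None) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator, line) for every log line naming an indicator."""
    indicators = network_indicators() if indicators is None else indicators
    patterns = [(ind, _pattern(ind)) for ind in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        for ind, pat in patterns:
            if pat.search(line):
                hits.append((n, ind, line.rstrip()))
    return hits


def file_hash_match(data: bytes, hashes=IOC_SHA256):
    """Return the hex digest when the bytes' SHA-256 is in the indicator set, else None."""
    h = sha256_hex(data)
    return h if h in hashes else None


# Constructed sample log lines (not from a real incident).
_HOSTS = network_indicators()
SAMPLE_LOG = [
    "Jul 12 10:02:11 host1 sshd[1033]: Accepted publickey for dev from 10.0.0.5 port 50122",
    f"Jul 12 10:03:40 host1 proxy: CONNECT {_HOSTS[0]}:80 user=dev",
    "Jul 12 10:03:41 host1 proxy: CONNECT transfer.shop:443 user=dev",
    f"Jul 12 10:04:02 host1 fw: OUT tcp dst={_HOSTS[2]}:443 bytes=91824",
]

if __name__ == "__main__":
    for n, ind, line in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {ind} <- {line}")
    print("hash match:", file_hash_match(b"constructed file contents"))
```

The lookbehind/lookahead in `_pattern` is what keeps the match honest: a plain substring search on `transfer.sh` would fire on the unrelated `transfer.shop` line, while the anchored pattern reports only the two lines that actually reach the listed host and IP.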
Read more: https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware