VShell is a Go-based, memory-resident Linux backdoor delivered via RAR archives that weaponize filenames to trigger Bash execution and load architecture-specific ELF payloads which decrypt and run in memory. Observed actors using VShell include UNC5174, Earth Lamia, CL-STA-0048, and UNC5221. #VShell #UNC5174
Keypoints
- VShell leverages crafted filenames inside RAR archives that contain Base64-encoded Bash commands which can be executed by common shell operations without user interaction.
- The attack chain is three-stage: filename-triggered Bash downloads a second-stage script, the script fetches an architecture-specific ELF, and the ELF loads an XOR-encrypted payload into memory using fexecve().
- VShell is written in Go and supports multiple architectures (x86, x64, ARM, ARM64), enabling broad Linux compatibility.
- The final payload runs entirely in memory, masquerades as a kernel thread, and provides reverse shell, file transfer, process management, and TCP/UDP port forwarding capabilities.
- C2 communications use XOR encryption to hinder detection, and the malware implements an anti-reinfection marker file to prevent multiple instances.
- The initial stage aligns with the Snowlight dropper technique by exploiting unsanitized filename processing in shell scripts.
- Traditional antivirus and static analysis may miss VShell because filenames are rarely scanned and the payloads are memory-only, making behavioral and network monitoring crucial for detection.
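Because the Stage 1 trigger lives in the entry name rather than in file content, a defender can catch it by inspecting archive listings before extraction. The following is an added example (not code from the article or from any vendor): it flags entry names that carry shell command substitution or a Base64 decoder invocation and decodes the embedded Base64 run for the alert; the sample entry names are constructed and are not real VShell indicators.

```python
import base64
import re
# Added example, not the article's code. Flags archive entry names carrying shell
# command injection (the Stage 1 trigger above). Sample names are constructed.
SHELL_INJECTION_MARKERS = [
    ("command substitution $(...)", re.compile(r"\$\(")),
    ("backtick command substitution", re.compile(r"`")),
    ("base64 decoder invoked", re.compile(r"base64\s+(?:-d|--decode)\b")),
    ("pipe into a shell", re.compile(r"\|\s*(?:ba|z)?sh\b")),
    ("shell separator or pipe", re.compile(r"[;&|]")),
]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # a run long enough to hold a command

def decode_base64_fragments(name):
    """Decode every Base64 run in name that yields printable text."""
    out = []
    for m in B64_RUN.finditer(name):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # bad alphabet or padding: not a real Base64 blob
            continue
        text = raw.decode("ascii", errors="replace")
        if text.isprintable():
            out.append(text)
    return out

def classify_entry_name(name):
    """Return (suspicious, reasons, decoded_fragments) for one entry name."""
    reasons = [label for label, rx in SHELL_INJECTION_MARKERS if rx.search(name)]
    decoded = decode_base64_fragments(name) if reasons else []
    return bool(reasons), reasons, decoded

def scan_entry_names(names):
    """Return (name, reasons, decoded) for entries that should block extraction."""
    flagged = []
    for name in names:
        suspicious, reasons, decoded = classify_entry_name(name)
        if suspicious:
            flagged.append((name, reasons, decoded))
    return flagged

# Constructed archive listing: two benign names and one injection-style name.
SAMPLE_ENTRIES = [
    "quarterly-report-2024.pdf",
    "IMG_20240101_120000.jpg",
    "invoice_$(echo ZWNobyBoZWxsbyB3b3JsZA== | base64 -d).pdf",
]
if __name__ == "__main__":
    for name, reasons, decoded in scan_entry_names(SAMPLE_ENTRIES):
        print(f"ALERT {name!r}: {', '.join(reasons)}; decoded={decoded}")
```

In practice the names come from the archive tool's listing (for example the output of a RAR lister) and a hit should block extraction and raise an alert, since the page notes that antivirus rarely scans filenames.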
MITRE Techniques
- [T1204] User Execution – Malicious RAR archive exploits user curiosity to extract files whose crafted filename contains a Base64-encoded Bash command that executes when processed by common shell utilities. Quote: ‘the archive contains a file with a crafted filename embedding a Base64-encoded Bash command.’
- [T1203] Exploitation for Client Execution – Filename-based command injection exploits unsanitized shell script operations like `eval "echo $f"` or `ls | while read f` to run the embedded command. Quote: ‘exploits common shell scripting practices to execute malicious Bash payloads.’
- [T1105] Ingress Tool Transfer – Stage 1 downloads a second-stage Bash script from a hardcoded C2 server which then fetches architecture-specific ELF binaries. Quote: ‘downloads a second-stage Bash script from a hardcoded C2 server… fetches an architecture-specific ELF binary.’
- [T1547] Boot or Logon Autostart Execution (anti-reinfection marker) – The malware checks for a marker file to prevent multiple instances, a persistence-related technique to manage re-execution. Quote: ‘implements an anti-reinfection mechanism by checking for a marker file.’
- [T1055] Process Injection / Process Execution via fexecve – The ELF binary retrieves an XOR-encrypted payload, decrypts it in memory, and executes it using fexecve() to avoid disk artifacts. Quote: ‘decrypts it in memory, and executes it using fexecve(), avoiding disk-based artifacts.’
- [T1041] Exfiltration Over C2 Channel – VShell provides C2 capabilities including reverse shell and file upload/download, using XOR-encrypted communications to and from C2 servers. Quote: ‘retrieves an XOR-encrypted payload from the C2 server… reverse shell access, file uploads/downloads…’
Indicators of Compromise
- [File Hash] VShell-related samples reported by PolySwarm – 5bde055523d3b5b10f002c5d881bed882e60fa47393dff41d155cab8b72fc5f4, d7d5c1f933846823ceb0f8c69bb41801713a6922741183501c344081a48f500b (and 8 more hashes).
- [File Hash] Additional sample examples – bcc10098b91bbb841ed5c1ec663436738479d071a96145f43b121881a5517d35, 6b7d2af6eeff8f2b73dae75037ca783e0f38510caadf5a9ca1f7be5bb9aed70d (and other hashes listed).
- [Filename] Malicious RAR archive filename payloads – crafted filenames embedding Base64-encoded Bash commands used to trigger Stage 1 execution (examples not provided verbatim in source).
- [Domain / C2] Hardcoded C2 servers – Stage 1 and ELF payloads download scripts and XOR-encrypted payloads from hardcoded C2 infrastructure (specific domains/IPs not listed in article).