Beware! A New Type of ‘Filename Attack’ Targets Linux Systems

On August 24, cybersecurity company Trellix disclosed a new attack chain targeting Linux systems, which is incredibly difficult to defend against.

This attack method is quite novel, resembling a “hacker ghost” hidden in the dark corners, quietly infiltrating your system.

Let’s start with the “entry point” of this attack—phishing emails.

The attackers are like cunning con artists, sending phishing emails with malicious RAR compressed files.

You might think this is just an ordinary file, but once opened, you fall into their trap.

This compressed file hides a big secret; the malicious file names are not just simple names but are embedded with Bash commands!

It’s like placing a disguised time bomb at your doorstep; as soon as you pick it up, it triggers the mechanism.

Unlike previous malicious methods hidden in macros or file contents, this time the attackers directly stuffed Base64 encoded Bash payloads into the file names.

For example, while we usually see file names like “report.pdf,” they create file names that resemble a string of mysterious code, such as “ziliao2.pdf {echo,}|{base64,-d}|bash”.

When the shell script in the system attempts to parse this file name, it inadvertently triggers the mechanism, leading to command injection and the execution of malicious code.

Why can this type of attack easily bypass antivirus software?

It turns out that antivirus engines are like careless readers who only look at the “body” and not the “title,” typically not scanning file names.

The attackers exploit this fact, much like a thief who knows the security guard won’t check the mailbox at the door, hiding the tools of their crime inside.

Moreover, shell scripts lack input sanitization when handling file names; for instance, when using eval or echo commands, they might inadvertently execute arbitrary code hidden in the file names, leading to a complete system compromise.

Once the malicious file name is parsed by the shell, it triggers a downloader that fetches architecture-compatible ELF installation files from external servers.

This is akin to a bad guy sending a “little brother” to fetch reinforcements; once the ELF file is obtained, it connects to the command and control (C2) server, receiving encrypted VShell payloads, which are then decoded and executed in memory.

This VShell is quite a formidable character; it is written in Go and supports reverse shells, file operations, process management, port forwarding, and encrypted communication.

Moreover, it is particularly “sly,” running entirely in memory, making traditional disk-based detection methods ineffective against it, like an invisible ghost wreaking havoc in your system while being able to attack various architectures of Linux devices.

This new type of attack poses a significant threat to enterprises, institutions, and individuals using Linux systems.

In China, as the application of Linux systems becomes increasingly widespread across various industries, especially in critical infrastructure and core business systems, the consequences of such an attack could be dire.

For instance, if a financial institution’s Linux server is compromised, customer information could be leaked, and fund security could be threatened; if Linux devices in industrial control systems are attacked, it could lead to production line paralysis.

In the face of this new type of attack, we cannot sit idly by.

Individual users must remain vigilant and avoid clicking on suspicious emails, especially those with attachments.

Enterprises and institutions must strengthen their cybersecurity defenses, upgrade antivirus software and firewalls, and increase detection of file names; regular cybersecurity training for employees is essential to raise awareness.

Only when everyone takes this seriously can we make it impossible for these cyber attackers to hide.

Leave a Comment