Recently, a new type of fileless attack on Linux systems has emerged, which we have named “VShell”. The attackers employ fileless attack techniques, utilizing carefully crafted RAR filenames to trigger malicious code without explicit user execution. This type of attack does not rely on traditional software vulnerabilities but exploits common filename handling oversights in Linux shell scripts, silently infecting the target Linux system. This discovery challenges the traditional perception of relative safety in Linux environments, demonstrating how attackers can bypass conventional security measures through innovative methods to achieve deep system penetration.

VShell is a new type of fileless attack targeting Linux systems, primarily delivered through phishing emails containing malicious RAR archives. It places Base64-encoded Bash commands in the filename of an archive entry to trigger malware execution, bypassing traditional antivirus detection, ultimately downloading and executing the VShell backdoor program, which allows attackers to remotely control the infected system.
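As an added illustration (not code from the original report), the following Python check flags archive entry names that carry shell constructs of the kind described above before any script handles them; the indicator patterns, thresholds and sample names are constructed for this example and are not taken from the campaign.

```python
import re
from typing import Callable, Dict, List

def _regex(pattern: str) -> Callable[[str], bool]:
    compiled = re.compile(pattern)
    return lambda s: compiled.search(s) is not None

# Heuristic: a run of 24+ Base64-alphabet characters that mixes case and
# contains a digit, '+', '/' or '=' padding. Long plain words do not qualify.
_BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def has_base64_blob(name: str) -> bool:
    for match in _BASE64_RUN.finditer(name):
        run = match.group(0)
        if (any(c.isdigit() or c in "+/=" for c in run)
                and any(c.isupper() for c in run)
                and any(c.islower() for c in run)):
            return True
    return False

# A legitimate document name has no reason to contain any of these.
SHELL_INDICATORS: Dict[str, Callable[[str], bool]] = {
    "command_substitution": _regex(r"\$\([^)]*\)|`[^`]*`"),
    "command_chaining": _regex(r"(;|\|\||&&|\|)\s*[A-Za-z_./]"),
    "base64_decode": _regex(r"\bbase64\s+(-d\b|--decode\b)"),
    "shell_invocation": _regex(r"\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\b"),
    "base64_blob": has_base64_blob,
}

def find_shell_indicators(filename: str) -> List[str]:
    """Return the names of every indicator that fires on this filename."""
    return [name for name, check in SHELL_INDICATORS.items() if check(filename)]

def is_suspicious_filename(filename: str) -> bool:
    return bool(find_shell_indicators(filename))

def scan_archive_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to the indicators it triggered."""
    return {n: hits for n in names if (hits := find_shell_indicators(n))}

# Constructed sample entry names (not from the real campaign); the encoded
# token in the third name decodes to the harmless string "hello".
SAMPLE_NAMES = [
    "report.pdf",
    "quarterly report (final) v2.pdf",
    "survey.pdf;echo aGVsbG8=|base64 -d|sh",
    "notes`id`.txt",
]

if __name__ == "__main__":
    for name, hits in scan_archive_names(SAMPLE_NAMES).items():
        print(f"SUSPICIOUS {name!r}: {', '.join(hits)}")
```

In practice the same check belongs wherever a script enumerates archive contents, and any name that fires should be quoted or rejected rather than passed to a shell.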
Attack Process
1. Initial Delivery: The attacker disguises the phishing email as a cosmetics survey invitation, enticing the recipient to open the attached malicious RAR archive. The RAR file contains a carefully crafted malicious filename, such as “ziliao2.pdf\