Linux Malware Hides in Filenames, Evades Antivirus via Malicious RAR Files
- John Jordan
A sophisticated new attack vector is targeting Linux systems, leveraging malicious RAR archives with specially crafted filenames to bypass traditional antivirus defenses. This novel method delivers the open-source VShell backdoor, capable of providing attackers with full remote control over compromised machines. The technique cleverly embeds executable commands within file names, which are then triggered by shell scripts, evading detection as antivirus software typically does not scan filenames.
Key Takeaways
Linux malware is being distributed via malicious RAR files with encoded commands in filenames.
The malware, VShell, evades antivirus detection by hiding executable code in filenames.
The attack chain begins with phishing emails disguised as survey invitations.
VShell is a Go-based remote access tool used by Chinese hacking groups.
The malware operates in-memory, making it harder to detect.
A Novel Attack Chain
Cybersecurity researchers have identified a new infection chain that commences with a spam email containing a malicious RAR archive. The payload is not hidden within the file's content or a macro, but rather encoded directly into the filename itself. By exploiting shell command injection and Base64-encoded Bash payloads, attackers can turn a simple file listing operation into an automatic malware execution trigger.
This technique capitalizes on a common vulnerability in shell scripts where inadequate sanitization of filenames allows for trivial commands like or to execute arbitrary code. A significant advantage of this method is its ability to circumvent conventional defenses, as antivirus engines generally do not scan filenames for malicious content.
The Infection Process
The attack begins with an email containing a RAR archive, such as . Inside, a file is present with a maliciously crafted filename, for example: {echo,<Base64-encoded command>}|{base64,-d}|bash. This filename incorporates Bash-compatible code designed to execute commands when interpreted by the shell. Execution is not triggered by simply extracting the file, but only when a shell script or command attempts to parse the filename.
It's important to note that such filenames cannot be manually created, suggesting they are generated using other programming languages or dropped by external tools that bypass shell input validation. Once parsed by the shell, the filename executes an embedded Base64-encoded downloader, which fetches an ELF binary from an external server, tailored for the target system's architecture. This binary then communicates with a command-and-control (C2) server to retrieve the encrypted VShell payload, decode it, and execute it on the host.
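The two defensive points above, that filenames must never reach the shell unquoted or via eval, and that the {echo,...}|{base64,-d}|bash shape is easy to flag, can be combined into a small triage script. The following is an added example written for this article, not code from the researchers or from any tool named here; the function names, the metacharacter list and the exit codes are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag archive entries whose names carry shell syntax, and
# show the safe way to iterate over untrusted filenames (quoted, no eval).

# suspicious_filename NAME -> exit 0 if NAME looks like a shell payload,
# 1 otherwise. Matches the metacharacters that make a name executable when
# an unquoted or eval'd loop touches it, plus the decoder/interpreter words
# used in the pattern quoted in the article.
suspicious_filename() {
  name=$1
  case "$name" in
    *'|'*|*';'*|*'$('*|*'`'*|*'&'*) return 0 ;;   # pipes, chaining, substitution
    *'{'*','*'}'*) return 0 ;;                     # brace expansion such as {echo,...}
    *base64*|*bash*|*'sh -c'*) return 0 ;;         # decoder or interpreter keywords
  esac
  return 1
}

# scan_dir DIR -> exit 2 if any entry in DIR (top level, hidden files
# included) is suspicious, 0 if none. Filenames are only ever passed as
# quoted arguments; a name like the one above is just a string here and
# is never evaluated, which is exactly the property a safe loop must keep.
scan_dir() {
  dir=$1
  hits=0
  for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
    [ -e "$f" ] || continue                  # skip unmatched glob patterns
    base=${f##*/}
    if suspicious_filename "$base"; then
      printf 'SUSPICIOUS: %s\n' "$f"
      hits=$((hits + 1))
    fi
  done
  if [ "$hits" -gt 0 ]; then return 2; fi
  return 0
}
```

Run it as `scan_dir /path/to/extracted/archive` after extraction; the vulnerable pattern the article describes is the same loop with `eval` or an unquoted `$f`, which this script deliberately avoids.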
Social Engineering and VShell Capabilities
The phishing emails are often disguised as invitations for a beauty product survey, enticing recipients with a small monetary reward for completion. The email includes the RAR archive attachment, but subtly, without explicit instructions to open or extract it. The social engineering aspect relies on distracting the user with the survey content, potentially leading them to mistake the attachment for a related document.
VShell is a powerful Go-based remote access tool that has been utilized by various Chinese hacking groups. It supports essential functionalities such as reverse shells, file operations, process management, port forwarding, and encrypted C2 communications. The malware's ability to operate entirely in-memory further enhances its stealth, avoiding disk-based detection and making it a significant threat to a wide range of Linux devices.
Evolving Linux Threats
This development highlights a concerning evolution in Linux malware delivery, where a file's name within an archive can be weaponized for command execution. The infection chain exploits command injection in shell loops and leverages Linux's permissive execution environment to deploy VShell, a backdoor capable of complete system control. This comes as other advanced Linux threats, like RingReaper, are also emerging, utilizing kernel features like io_uring to circumvent monitoring tools and evade detection.
Sources
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection, The Hacker News.