389. Another Group Leverages Social Engineering to Deliver Linux Backdoors
Hello everyone!
Another group has started using social engineering to deliver a Linux backdoor, though in this case the Linux sample is essentially a rewrite of an existing Windows backdoor. Let’s take a look at the techniques they used and how they can be detected or proactively hunted.
This time, the source of information is a report by the Symantec and Carbon Black Threat Hunter Team on a group called Harvester.
To disguise the malicious ELF file, the attackers used the Masquerade File Type technique (T1036.008): they gave the file a “. pdf” extension, for example “Details Format. pdf”. Note the space after the dot. As the filesystem sees it, the extension is “ pdf” rather than “pdf”, an oddity no legitimate document carries, which creates an opportunity for detection:
Look for events involving the creation or execution of suspicious files with the “. pdf” extension, and more generally any file name with whitespace between the dot and the extension.
The attackers used two persistence methods on the compromised system. First, the GoGra backdoor creates a new service unit at ~/.config/systemd/user/userservice (Systemd Service (T1543.002)). Second, it creates an autostart entry at ~/.config/autostart/abc.desktop (XDG Autostart Entries (T1547.013)). Both locations live in the user's home directory, so neither method requires root. These persistence methods also open up opportunities for proactive hunting:
Look for events involving the creation of files in ~/.config/systemd/user/ and ~/.config/autostart/ by processes that do not normally write there.
To maintain communication with the backdoor, the attackers abused the Microsoft Graph API (Web Service (T1102)), so the C2 traffic blends into ordinary Microsoft cloud traffic. This still provides an opportunity for proactive hunting:
Look for communication events between suspicious processes and graph[.]microsoft.com. Legitimate software (browsers, Microsoft 365 clients) also talks to this host, so baseline which processes normally do and hunt for the rest.
Finally, the backdoor allowed attackers to execute commands via /bin/bash -c (Unix Shell (T1059.004)), giving us another proactive hunting angle:
Look for events where bash -c is launched by suspicious parent processes, for example a parent executable that itself runs from a user-writable directory.
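The four hunting ideas above (the ". pdf" masquerade, writes to the two per-user persistence directories, Graph API traffic from unexpected processes, and bash -c from suspicious parents) all need the same thing in practice: a pass over endpoint telemetry with a small allowlist per rule. The script below is an added example written for this post; it is not code from the Symantec/Carbon Black report or from GoGra itself. The event shape, the sample events and the allowlists are constructed assumptions: map the field names onto your own telemetry (auditd, Sysmon for Linux, an EDR export) and rebuild the allowlists from clean hosts. The masquerade rule is deliberately broader than the report's single case and catches any name with whitespace (including a no-break space) between the dot and a short extension.

```python
"""Hunting rules for the four Harvester / GoGra Linux behaviours described above.

Added example for this post, not code from the Symantec/Carbon Black report.
Event schema, sample events and allowlists are constructed assumptions.
"""
import re
import shlex
from pathlib import PurePosixPath

# T1036.008: a "dot, whitespace, short extension" tail such as ". pdf".
# \s is Unicode-aware in Python, so a no-break space after the dot is caught too.
MASQ_EXT = re.compile(r"\.\s+[A-Za-z0-9]{1,5}$")
# T1543.002 / T1547.013: per-user persistence directories (no root needed).
PERSIST_DIR = re.compile(r"^(?:/home/[^/]+|/root)/\.config/(?:systemd/user|autostart)/")
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed allowlists (assumptions): rebuild these from clean hosts.
KNOWN_PERSISTENCE_WRITERS = {"/usr/bin/systemctl", "/usr/bin/gnome-tweaks"}
KNOWN_GRAPH_CLIENTS = {"/usr/lib/firefox/firefox", "/opt/google/chrome/chrome"}
KNOWN_SHELL_PARENTS = {"/usr/sbin/cron", "/usr/sbin/sshd", "/usr/lib/systemd/systemd",
                       "/usr/bin/gnome-terminal-server", "/usr/bin/make"}

# Constructed sample telemetry (not real logs). Each event is a flat dict:
# "type" is file_create, process_start or net_connect, plus the fields that type needs.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": "/home/alice/Downloads/Details Format. pdf",
     "process": "/usr/bin/curl"},
    {"type": "file_create", "path": "/home/alice/Downloads/report.pdf",
     "process": "/usr/lib/firefox/firefox"},
    {"type": "process_start", "image": "/home/alice/Downloads/Details Format. pdf",
     "cmdline": "./Details Format. pdf", "parent_image": "/usr/bin/bash"},
    {"type": "file_create", "path": "/home/alice/.config/systemd/user/userservice",
     "process": "/home/alice/Downloads/Details Format. pdf"},
    {"type": "file_create", "path": "/home/alice/.config/autostart/abc.desktop",
     "process": "/home/alice/Downloads/Details Format. pdf"},
    {"type": "file_create", "path": "/home/alice/.config/autostart/custom.desktop",
     "process": "/usr/bin/gnome-tweaks"},
    {"type": "net_connect", "process": "/home/alice/Downloads/Details Format. pdf",
     "dest_host": "graph.microsoft.com", "dest_port": 443},
    {"type": "net_connect", "process": "/usr/lib/firefox/firefox",
     "dest_host": "graph.microsoft.com", "dest_port": 443},
    {"type": "process_start", "image": "/usr/bin/bash",
     "cmdline": "/bin/bash -c 'id; uname -a'",
     "parent_image": "/home/alice/Downloads/Details Format. pdf"},
    {"type": "process_start", "image": "/usr/bin/bash",
     "cmdline": "/bin/bash -c 'run-parts /etc/cron.hourly'",
     "parent_image": "/usr/sbin/cron"},
]


def user_writable(path):
    return path.startswith(USER_WRITABLE_PREFIXES)


def is_masquerade_extension(ev):
    """File created, or process started, whose name ends in '.<whitespace><ext>'."""
    name = ev.get("path") if ev["type"] == "file_create" else ev.get("image")
    return bool(name) and MASQ_EXT.search(PurePosixPath(name).name) is not None


def is_user_persistence_write(ev):
    """Write under ~/.config/systemd/user/ or ~/.config/autostart/ by an unexpected process."""
    return (ev["type"] == "file_create"
            and PERSIST_DIR.match(ev["path"]) is not None
            and ev["process"] not in KNOWN_PERSISTENCE_WRITERS)


def is_graph_api_from_unexpected_process(ev):
    """Microsoft Graph traffic from anything other than a baselined client binary."""
    if ev["type"] != "net_connect":
        return False
    host = ev["dest_host"].lower().rstrip(".")
    is_graph = host == "graph.microsoft.com" or host.endswith(".graph.microsoft.com")
    return is_graph and (ev["process"] not in KNOWN_GRAPH_CLIENTS or user_writable(ev["process"]))


def is_bash_c_from_suspicious_parent(ev):
    """A shell run with -c by a parent that is not a known shell spawner, or that
    lives in a user-writable directory."""
    if ev["type"] != "process_start" or PurePosixPath(ev["image"]).name not in {"bash", "sh", "dash"}:
        return False
    try:
        argv = shlex.split(ev["cmdline"])
    except ValueError:  # unbalanced quotes in a truncated command line
        argv = ev["cmdline"].split()
    has_c = False
    for tok in argv[1:]:
        if not tok.startswith("-"):
            break  # first non-option token is the script/command itself; stop there
        if not tok.startswith("--") and "c" in tok:  # matches -c and clusters like -lc
            has_c = True
            break
    parent = ev["parent_image"]
    return has_c and (parent not in KNOWN_SHELL_PARENTS or user_writable(parent))


RULES = [
    ("masquerade_file_type", "T1036.008", is_masquerade_extension),
    ("user_persistence_write", "T1543.002/T1547.013", is_user_persistence_write),
    ("graph_api_from_unexpected_process", "T1102", is_graph_api_from_unexpected_process),
    ("bash_c_from_suspicious_parent", "T1059.004", is_bash_c_from_suspicious_parent),
]


def hunt(events):
    """Return one finding per (event, matching rule), in event order."""
    return [{"rule": name, "technique": tid, "event": ev}
            for ev in events for name, tid, match in RULES if match(ev)]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        ev = f["event"]
        what = ev.get("path") or ev.get("cmdline") or ev.get("dest_host")
        who = ev.get("process") or ev.get("parent_image")
        print(f'[{f["technique"]}] {f["rule"]}: {what} (process={who})')
```

On the constructed sample the script raises six findings: the masqueraded file twice (its creation and its execution), both persistence writes, the Graph connection from the dropped binary, and the bash -c spawned by it; the legitimate PDF download, the autostart entry written by a desktop tool, Firefox talking to Graph and cron's bash -c are all left alone. The allowlists are what keep the noise down, so build them from your own fleet rather than copying these.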
See you soon!
