The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs, and printing text.

However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors. We have previously written about payloads deployed via shell scripts to abuse misconfigured Redis instances, expose Docker APIs, or remove rival cryptocurrency miners. Here we take note of the ways shell scripts have changed in the hands of cybercriminals, and how it can be employed in the development of malware payloads in malicious routines.

Changing commands and programming techniques

The technique of abusing the command-line interpreter is not new; in fact, it's widely leveraged in the wild. However, we started to notice the increase in the scripts' changes and quality.

In the past, shell scripts were relatively straightforward combinations of simple commands with plain links directly deploying the payload. But as the threats started to evolve, malicious actors are now using more advanced commands and programming techniques.

figure 1 linux shell scripts evolve — Figure 1. Script evolution from plain text (left) to Base64 encoded payload (right).

Plain text links were replaced with Base64-encoded text, while some of the code chunks were downloaded or encoded payloads. This is likely done to hide direct payload links, evade security rules used for their identification, and make analysis more difficult.

figure 2 linux shell scripts evolve — Figure 2. Code chunk replacement with Base64 encoding

The encoded text is decoded using Base64 and passed to a bash shell interpreter to execute the shell script.

figure 3 linux shell scripts evolve — Figure 3. Part of the decoded payload encoded by Base64

The commands were formerly executed regardless of the targeted service running on the server. Nowadays, the script is capable of checking if the service is running or not, and saving some of the CPU time for their payloads. It can be executed together with newer versions also encoded with Base64. It can also substitute variables for specific links.

figure 4 linux shell scripts evolve — Figure 4. Commands that uninstall the service without checking if it is installed

figure 5 linux shell scripts evolve — Figure 5. Commands that uninstall the service when it is found running

figure 6 linux shell scripts evolve — Figure 6. The URL of wget replaced by a variable

We also noticed another development in the use of Pastebin for storing parts of the script, such as in the URL and the whole payload or helper application, as in this case of a malicious routine dropping an XMrig cryptocurrency miner.

figure 7 linux shell scripts evolve — Figure 7. Base64 encoded config and Pastebin URLs

figure 8 linux shell scripts evolve — Figure 8. Base64-encoded XMrig

Conclusion

Malicious actors constantly improve and optimize their routines and techniques, such as their shell scripts capability to obfuscate and deliver payloads. To maximize profits and evade improving detection and mitigation technologies, cybercriminals will employ even previously documented and discovered techniques for other operating systems or combine them with new ones. While some of the techniques have been used in previously observed malware routines or environments, these are quite new for shell scripts and malware families.

In the past, most of the payloads deployments were in plain text and focused on their specific tasks. Now we're beginning to see obfuscation mechanisms inside shell scripts. We should expect even more obfuscation as malware authors try to hide actual payloads in the future.

It's still quite early to claim that these techniques signify that Linux obfuscations are becoming more sophisticated. However, this evolution of shell scripts, wherein they're being used to deliver payloads, is worth noting for further caution and observation. Moreover, researchers can expect plain text to be less common; they're going to need to decode several layers at a time for a complete analysis.

Trend Micro solutions

Trend Micro solutions powered by XGen™ security, such as ServerProtect for Linux and Trend Micro Network Defense, can detect related malicious files and URLs and protect users' systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free™ Business Security, which have behavior monitoring capabilities, can additionally defend against these types of threats by detecting malicious files, thwarting behaviors and routines associated with malicious activities, as well as blocking all related malicious URLs.

Indicators of Compromise (IoCs)

SHA256	Detection Name
1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b	Trojan.SH.MALXMR.UWEKK
bea4008c0f7df9941121ddedc387429b2f26a718f46d589608b993c33f69b828	Trojan.SH.MALXMR.UWEKK
0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d	Trojan.SH.HADGLIDER.TSE
3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38	Coinminer.Linux.MALXMR.UWELH
3eeaa9d4a44c2e1da05decfce54975f7510b31113d8361ff344c98d3ddd30bf4
543ceebd292e0e2c324372f3ab82401015f78b60778c6e38f438f98861fd9a2d
882473c3100389e563b05051ae1b843f8dd24c807a30acf0c6749cd38137876b
c82074344cf24327fbb15fd5b8276a7681f77ccacef7acc146b4cffa46dabf62
eaf9dd8efe43dcf606ec0a531d5a46a9d84e80b54aa4a019fa93884f18c707c3
f65bea9c1242ca92d4038a05252a70cf70f16618cf548b78f120783dfb9ccd0e

The Evolution of Malicious Shell Scripts

Changing commands and programming techniques

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific