Trojan.Linux.XZBACKDOOR.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• {Installation Directory}/.libs/liblzma_la-crc64-fast.o → Legitimate copy of {Installation Directory}/.libs/liblzma_la-crc64_fast.o
• {Installation Directory}/.libs/liblzma_la-crc32-fast.o → Legitimate copy of {Installation Directory}/.libs/liblzma_la-crc32_fast.o
• {Installation Directory}/liblzma_la-crc64-fast.o
• {Installation Directory}/liblzma.so.5.6.0

Otras modificaciones del sistema

Modifica los archivos siguientes:

• {Installation Directory}/.libs/liblzma_la-crc64_fast.c
• {Installation Directory}/.libs/liblzma_la-crc32_fast.c
• {Installation Directory}/src/liblzma/check/crc64_fast.c
• {Installation Directory}/src/liblzma/check/crc32_fast.c

Otros detalles

Hace lo siguiente:

• It will proceed with its malicious routine if the following conditions are met:
  • Checks if GNU indirect function support is enabled.
  • Requires shared library support.
  • Checks if the system is an x86-64 Linux environment.
  • Checks for CRC IFUNC (Indirect Function) codes.
  • Checks if GCC (GNU Compiler Collection) and GNU ld (GNU Linker) are installed on the system.
  • Checks for the presence of good-large_compressed.lzma and bad-3-corrupt_lzma2.xz.
  • Checks if liblzma/Makefile contains all of the following lines within its content:
  • am__uninstall_files_from_dir =
  • __get_cpuid(
  • am__install_max =
  • am__vpath_adj_setup =
  • am__include = include
  • all: all-recursive
  • LTLIBRARIES = \$(lib_LTLIBRARIES)
  • AM_V_CCLD = \$(am__v_CCLD_\$(V))
  • am__install_max =
  • Checks if libtool is configured to build position-independent code (PIC).
  • Checks if the environment is Debian-based or RPM-based (x86_64).
  • It checks if the hijacked functions and hidden payloads are properly injected in the following files:
  • {Installation Directory}/src/liblzma/check/crc64_fast.c
  • {Installation Directory}/src/liblzma/check/crc32_fast.c
  • {Installation Directory}/src/liblzma/check/crc_x86_clmul.h
  • {Installation Directory}/src/liblzma/check/crc_x86_clmul.h
  • Checks if libtool is configured to build with IFUNC-compatible flags.
  • Checks if lazy symbol resolution (-z lazy) is NOT enabled.
  • Checks if the malicious object file liblzma_la-crc64-fast.o exists.
• Upon successful completion of the build process, the backdoor functionality will be compiled and linked into the following file:
  • {Installation Directory}/liblzma.so.5.6.0
• It waits for an OpenSSH connection and indirectly loads the liblzma.so.5.6.0 file, which contains the malicious code.
• It renames the following files to their original names if the build fails:
  • {Installation Directory}/liblzma_la-crc32-fast.o → .libs/liblzma_la-crc32_fast.o
  • {Installation Directory}/liblzma_la-crc64-fast.o → .libs/liblzma_la-crc64_fast.o