Trojan.Linux.XZBACKDOOR.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It takes advantage of certain vulnerabilities.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• {Installation Directory}/.libs/liblzma_la-crc64-fast.o → Legitimate copy of {Installation Directory}/.libs/liblzma_la-crc64_fast.o
• {Installation Directory}/.libs/liblzma_la-crc32-fast.o → Legitimate copy of {Installation Directory}/.libs/liblzma_la-crc32_fast.o
• {Installation Directory}/liblzma_la-crc64-fast.o
• {Installation Directory}/liblzma.so.5.6.0

Other System Modifications

This Trojan modifies the following file(s):

• {Installation Directory}/.libs/liblzma_la-crc64_fast.c
• {Installation Directory}/.libs/liblzma_la-crc32_fast.c
• {Installation Directory}/src/liblzma/check/crc64_fast.c
• {Installation Directory}/src/liblzma/check/crc32_fast.c

Other Details

This Trojan does the following:

• It will proceed with its malicious routine if the following conditions are met:
  • Checks if GNU indirect function support is enabled.
  • Requires shared library support.
  • Checks if the system is an x86-64 Linux environment.
  • Checks for CRC IFUNC (Indirect Function) codes.
  • Checks if GCC (GNU Compiler Collection) and GNU ld (GNU Linker) are installed on the system.
  • Checks for the presence of good-large_compressed.lzma and bad-3-corrupt_lzma2.xz.
  • Checks if liblzma/Makefile contains all of the following lines within its content:
  • am__uninstall_files_from_dir =
  • __get_cpuid(
  • am__install_max =
  • am__vpath_adj_setup =
  • am__include = include
  • all: all-recursive
  • LTLIBRARIES = \$(lib_LTLIBRARIES)
  • AM_V_CCLD = \$(am__v_CCLD_\$(V))
  • am__install_max =
  • Checks if libtool is configured to build position-independent code (PIC).
  • Checks if the environment is Debian-based or RPM-based (x86_64).
  • It checks if the hijacked functions and hidden payloads are properly injected in the following files:
  • {Installation Directory}/src/liblzma/check/crc64_fast.c
  • {Installation Directory}/src/liblzma/check/crc32_fast.c
  • {Installation Directory}/src/liblzma/check/crc_x86_clmul.h
  • {Installation Directory}/src/liblzma/check/crc_x86_clmul.h
  • Checks if libtool is configured to build with IFUNC-compatible flags.
  • Checks if lazy symbol resolution (-z lazy) is NOT enabled.
  • Checks if the malicious object file liblzma_la-crc64-fast.o exists.
• Upon successful completion of the build process, the backdoor functionality will be compiled and linked into the following file:
  • {Installation Directory}/liblzma.so.5.6.0
• It waits for an OpenSSH connection and indirectly loads the liblzma.so.5.6.0 file, which contains the malicious code.
• It renames the following files to their original names if the build fails:
  • {Installation Directory}/liblzma_la-crc32-fast.o → .libs/liblzma_la-crc32_fast.o
  • {Installation Directory}/liblzma_la-crc64-fast.o → .libs/liblzma_la-crc64_fast.o

It takes advantage of the following vulnerabilities:

• CVE-2024-3094

It deletes the following files to remove its traces in the system:

• {Installation Directory}/.libs/liblzma.a
• {Installation Directory}/.libs/liblzma.la
• {Installation Directory}/.libs/liblzma.lai
• {Installation Directory}/.libs/liblzma.so
• {Installation Directory}/.libs/liblzma_la-crc64-fast.o
• {Installation Directory}/.libs/liblzma_la-crc32-fast.o
• {Installation Directory}/liblzma_la-crc64-fast.o