Redazione RHC : 24 August 2025 08:22
Researchers at Trellix have discovered an unusual attack pattern on Linux, in which the key element is not an attachment with malicious content, but the name of a file inside the archive itself. The campaign begins with a mass mailing designed as an invitation to take part in a cosmetics survey, promising a cash bonus.
The peculiarity of this attack is that the malicious code is embedded directly in the file name, not in the file's content. When an unsafe script processes such a name, the commands hidden in it are executed. The trick relies on scripts that pass file names through shell constructs like eval or echo without proper quoting or filtering. Antivirus solutions typically don't inspect file names, which makes this method particularly insidious.
To launch malicious code, simply extracting a file from an archive isn’t enough. The danger arises when the shell or an automated script attempts to parse the file name. Then, a Base64-encoded loader is extracted from the string, which downloads and launches an ELF binary for the corresponding system architecture, be it x86_64, i386, i686, armv7l, or aarch64. The loaded module contacts the control server, receives the encrypted VShell backdoor, decrypts it, and executes it in RAM.
VShell is a Go-based remote administration tool actively used by Chinese groups, including UNC5174. It supports reverse shell, file management, process management, port forwarding, and encrypted communication with the C&C server. The program runs entirely in memory, leaving no traces on disk, which significantly complicates detection. Its ability to run on a wide range of Linux devices adds to the threat.
Trellix emphasizes that such names cannot be created manually: external tools or scripts are used to bypass the shell's standard input checks. This points to a well-prepared attack infrastructure.
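As an added defensive example (not code from the Trellix report or this article), the bash script below screens extracted archive entries for names that carry shell metacharacters and walks the extraction directory with quoted expansions and `--`, so that no name is ever handed to eval or echo for re-parsing. The directory layout, the quarantine folder and the sample names are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not from the Trellix report. Two defensive pieces:
# 1. suspicious_name flags a file name that carries shell metacharacters,
#    the carrier described in the article;
# 2. quarantine_dir walks an extraction directory using only quoted
#    expansions and "--", so every name is treated as data, never as code.

# Return 0 (true) when the name contains characters that only matter if
# someone intends a shell to interpret it; return 1 otherwise.
suspicious_name() {
    case "$1" in
        *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'>'*|*'<'*|*'('*|*')'*|*$'\n'*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Move every suspicious regular file in $1 into $1/quarantine.
# Logs go to stderr; the number of quarantined files goes to stdout.
# No eval and no unquoted expansion: "$f" and "--" stop a name such as
# "a;b" or "$(x)" from ever reaching the parser as a command.
quarantine_dir() {
    local dir="$1" n=0 f name
    mkdir -p -- "$dir/quarantine"
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue          # skips the quarantine dir and unmatched globs
        name=${f##*/}
        if suspicious_name "$name"; then
            mv -- "$f" "$dir/quarantine/"
            n=$((n + 1))
            printf 'quarantined: %s\n' "$name" >&2
        fi
    done
    echo "$n"
}

# Demo (assumed layout): ./script.sh --demo /path/to/extracted_archive
if [ "${1-}" = "--demo" ] && [ -d "${2-}" ]; then
    printf 'quarantined %s file(s)\n' "$(quarantine_dir "$2")"
fi
```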
In parallel, Picus Security presented an analysis of the new RingReaper post-exploitation tool, which uses the io_uring asynchronous input/output mechanism in the Linux kernel.
Unlike the standard read, write, send, and connect calls, this method uses asynchronous primitives, allowing it to slip past monitoring tools that depend on intercepting those system calls. RingReaper can gather information about processes, sessions, network connections, and users, read /etc/passwd, use SUID binaries to escalate privileges, and erase traces of its activity.
Both developments show how quickly Linux attack methods are evolving, from exploiting file names in archives to stealthily abusing low-level kernel features. They also show that traditional defenses are proving increasingly ineffective against these new camouflage and deployment approaches.