Some notes from analyzing the bash part obfuscation of the xz/liblzma part – link leads to the part I found most interesting – it was added in 5.6.1:
https://gynvael.coldwind.pl/?lang=en&id=782#stage2-ext

TL;DR: in 5.6.1 there's some code added that looks for specific signatures in files in tests/files, and if found, it grabs some data from these files, deciphers them, and executes them. NO FILES WITH THESE SIGNATURES EXIST YET, so it's like a way to extend the backdooring scripts in the future by just adding new binary test files. Guess things weren't supposed to end here.

#xz #liblzma

xz/liblzma: Bash-stage Obfuscation Explained

@gynvael

Great write-up!

Are there any guesses on who might be behind this?

@Chillyhead Thanks! No idea, though it's a pretty sure bet it's some APT group.