Malicious Linux Shell Scripts Used to Evade Defenses


Attackers' evasive methods go back to the days when base64 and other common encoding schemes were used to hide payloads. Today, attackers use new Linux shell script techniques to disable firewalls, remove monitoring agents, and change access control lists (ACLs). The common evasive shell-script techniques are:

1. Uninstalling monitoring agents

Monitoring agents are software components that continuously track a system's process and network activity. They also produce the logs that are invaluable during an incident investigation. The malicious script, discovered in the osquery-based sandbox, attempts to uninstall Aegis, the Alibaba Cloud threat detection agent, and to stop the Aliyun service. It also tries to uninstall YunJing, a host security agent from Tencent, and the BCM client management agent, which is typically installed on endpoints for risk mitigation.

2. Disabling firewalls and interrupts

Most systems and servers run a firewall as a defensive measure. To evade it, the malware disables the Uncomplicated Firewall (ufw). Attackers also flush the iptables rules (iptables -F), which are widely used on Linux hosts and servers to control packet filtering. The scripts additionally turn off the kernel's non-maskable interrupt (NMI) watchdog. A watchdog is a configurable timer that raises an interrupt when a condition holds for a set time; if a CPU stops responding (a hard lockup), the NMI watchdog handler detects the freeze and reports it, or panics the kernel if so configured. To get past this check, attackers disable the watchdog with sysctl (kernel.nmi_watchdog=0), either persistently through a sysctl configuration or only until the next reboot by writing 0 to /proc/sys/kernel/nmi_watchdog.

3. Disabling Linux Security Modules (LSMs)

Security components such as SELinux and AppArmor are also disabled by the malicious ..
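As an added example (not code from the original article, and not the malware it describes), the following scanner flags the evasion commands discussed above when run over a shell script: agent uninstalls, firewall teardown, NMI watchdog disabling, LSM disabling, and decoding of an embedded base64 payload. The sample script, its agent paths and service names, and the regex rules are constructed for this illustration and are assumptions, not real malware artifacts; the base64 string decodes to a harmless `echo hi`.

```shell
#!/usr/bin/env bash
# Added example: flag defense-evasion commands inside a shell script.
# Everything below (sample script, paths, rules) is constructed for illustration.

# Constructed sample script modelled on the techniques described above.
# Agent install paths and service names are illustrative assumptions.
SAMPLE_SCRIPT="$(mktemp)"
trap 'rm -f "$SAMPLE_SCRIPT"' EXIT
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/bin/sh
/usr/local/aegis/uninstall.sh
service aliyun stop
/usr/local/qcloud/YunJing/uninst.sh
ufw disable
iptables -F
sysctl -w kernel.nmi_watchdog=0
echo 0 > /proc/sys/kernel/nmi_watchdog
setenforce 0
systemctl stop apparmor
echo "ZWNobyBoaQ==" | base64 -d | sh
echo "install done"
EOF

# One rule per line in the form  label|extended-regex  (the regex may contain '|').
EVASION_PATTERNS='
uninstall-monitoring-agent|(aegis|yunjing|bcm).*(uninst|remove)|(aliyun|aegis).*(stop|kill)
disable-firewall|ufw[[:space:]]+disable|iptables[[:space:]]+(-F|--flush)
disable-nmi-watchdog|nmi_watchdog
disable-lsm|setenforce[[:space:]]+0|SELINUX=disabled|(stop|disable)[[:space:]]+apparmor|apparmor[[:space:]]+(stop|disable)|aa-teardown
decode-embedded-payload|base64[[:space:]]+(-d|--decode)'

# Print "label<TAB>lineno:line" for every line of the script ($1) matching a rule.
# Matching is case-insensitive; output is grouped by rule, not by line number.
scan_script() {
    printf '%s\n' "$EVASION_PATTERNS" | while IFS='|' read -r label regex; do
        [ -n "$label" ] || continue
        grep -inE -- "$regex" "$1" | while IFS= read -r hit; do
            printf '%s\t%s\n' "$label" "$hit"
        done
    done
}

# Number of flagged lines in the script ($1).
count_evasion_hits() {
    scan_script "$1" | wc -l | tr -d ' '
}

# Number of distinct technique categories hit in the script ($1).
# Several categories in one script is a much stronger signal than a single hit.
count_evasion_categories() {
    scan_script "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: print the report and a one-line summary.
scan_script "$SAMPLE_SCRIPT"
printf 'hits=%s categories=%s\n' \
    "$(count_evasion_hits "$SAMPLE_SCRIPT")" \
    "$(count_evasion_categories "$SAMPLE_SCRIPT")"
```

The rules deliberately key on the commands an installer has no business running (flushing iptables, writing to nmi_watchdog, setenforce 0) rather than on specific file names, so they survive trivial renaming; a legitimate provisioning script can still trip a single rule, which is why the category count, not the raw hit count, is the better triage signal.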
