underisk [none/use name]@hexbear.net to technology@hexbear.net · English · 8 months ago
Analysis of bash-stage obfuscation used to hide the liblzma/xz backdoor (gynvael.coldwind.pl)
cross-posted to: hackernews@lemmy.smeargle.fans
Payload appears to have been hidden in test data then decrypted and injected during the build process.
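The post describes a payload kept in test data and pulled in by the build. One defender-side check for that pattern, written here as an added example rather than code from the linked analysis or the xz project: list every test fixture whose file name appears in a build script outside the test tree, where no fixture should be needed. The directory names, build-script patterns and the sample tree are assumptions constructed for the demo.

```python
import os
import re
import tempfile

BUILD_SCRIPT_NAMES = {"configure", "configure.ac", "Makefile", "Makefile.am", "Makefile.in"}
BUILD_SCRIPT_SUFFIXES = (".m4", ".mk", ".cmake", ".sh")
TEST_DIRS = {"tests", "test", "testdata"}  # assumed fixture locations


def is_build_script(path):
    return os.path.basename(path) in BUILD_SCRIPT_NAMES or path.endswith(BUILD_SCRIPT_SUFFIXES)


def find_fixtures_used_by_build(root):
    """Map each test-data file to the non-test build scripts that name it; {} means nothing to review."""
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    fixtures, scripts = [], []
    for dirpath, _, filenames in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if top in TEST_DIRS:
                if not is_build_script(full):
                    fixtures.append(full)
            elif is_build_script(full):
                scripts.append(full)
    findings = {}
    for script in scripts:
        with open(script, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
        for fix in fixtures:
            # Match the bare file name as a whole token ("a.dat" must not hit "data.dat").
            pattern = r"(?<![\w.-])" + re.escape(os.path.basename(fix)) + r"(?![\w.-])"
            if re.search(pattern, text):
                findings.setdefault(rel(fix), []).append(rel(script))
    return {k: sorted(v) for k, v in findings.items()}


def demo():
    """Constructed sample tree: one fixture is referenced from an m4 macro outside tests/."""
    root = tempfile.mkdtemp()
    files = {
        "configure.ac": "AC_INIT([demo], [0.1])\nAC_CONFIG_FILES([Makefile])\n",
        "m4/extra.m4": 'AC_DEFUN([demo_extra], [src="$srcdir/tests/files/fixture_b.dat"])\n',
        "tests/files/fixture_a.dat": "aaaa\n",
        "tests/files/fixture_b.dat": "bbbb\n",
    }
    for relpath, body in files.items():
        path = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return find_fixtures_used_by_build(root)  # {'tests/files/fixture_b.dat': ['m4/extra.m4']}
```

A hit is not proof of anything by itself; it marks a file that a reviewer should open and read, since build scripts normally have no reason to consume test data.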
addie · 8 months ago
Okay - so it was cleverly hidden. Real question is what the binary blob does, so we can properly assess the damage…
underisk [none/use name]@hexbear.net (OP) · 8 months ago
Preliminary stuff I read yesterday suggests that it’s RCE triggered by a signal sent to SSHD. Safest bet is to nuke your system if you had the exploitable library running with an exposed sshd.