New Linux malware exploits file name trick to deliver VShell backdoor

Cybersecurity researchers have uncovered a new attack method that uses phishing emails and a sneaky filename trick to install malware on Linux systems.

According to Trellix, the attack begins with a phishing email offering a small reward for completing a beauty product survey. The email includes a RAR archive attachment named yy.rar, which contains a file with a specially crafted name designed to trigger malicious code execution.

Interestingly, the malware isn't hidden in the file's contents but in its name. The name carries embedded Bash code that executes whenever a shell script hands the filename back to the shell without proper filtering. This technique bypasses antivirus tools, which typically scan file contents but not filenames for malicious content.

When triggered, the code embedded in the filename runs a Base64-encoded command that downloads a second-stage payload: a Linux binary that communicates with a remote server to fetch and run VShell, an open-source backdoor written in Go.
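The two paragraphs above describe a classic shell quoting bug: the filename is only dangerous when a script re-parses it. The following POSIX sh script is an added example written for this page, not code from Trellix or from the campaign it describes. It uses a constructed sample name whose embedded command substitution only echoes a marker, shows the vulnerable handling beside the hardened form, and adds a small check that flags names carrying shell syntax in an archive listing (the function names and the sample name are assumptions for the demonstration).

```shell
#!/bin/sh
# Added example: why a filename that carries shell syntax is dangerous only
# when a script re-parses it, and how to flag such names before processing.

# Constructed sample name. The command substitution is deliberately harmless
# (it only echoes a marker) so the unsafe/safe difference is visible.
SAMPLE_NAME='survey_$(echo INJECTED).txt'

# Vulnerable pattern: the name is handed back to the shell for re-parsing,
# so any $( ) or backtick inside it is executed. Do not use this form.
unsafe_handle() {
  eval "echo processing $1"
}

# Hardened pattern: the name is only ever a quoted argument, never re-parsed,
# so it is printed literally and nothing inside it runs.
safe_handle() {
  printf 'processing %s\n' "$1"
}

# Literal newline, used below; a newline in a name can split a command line.
NL='
'

# Returns 0 when the name contains characters that shell-driven processing
# could expand or interpret (command substitution, separators, redirections,
# newlines). Conservative by design: better to quarantine than to expand.
is_suspicious_name() {
  case "$1" in
    *'`'* | *'$('* | *'${'* | *';'* | *'|'* | *'&'* | *'>'* | *'<'* | *"$NL"*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Reads one name per line on stdin (for example an archive listing) and
# prints the suspicious ones. Names read line by line cannot contain a
# newline, so the newline case above matters for NUL-separated input.
scan_names() {
  while IFS= read -r name; do
    if is_suspicious_name "$name"; then
      printf 'SUSPICIOUS: %s\n' "$name"
    fi
  done
}
```

Run as `printf '%s\n' 'report.txt' "$SAMPLE_NAME" | scan_names` to see the flagged entry; `unsafe_handle "$SAMPLE_NAME"` prints the marker substituted in, while `safe_handle "$SAMPLE_NAME"` prints the name verbatim. The detection is a pre-filter for triage, not a substitute for quoting every expansion in scripts that touch untrusted filenames.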

VShell allows full remote control of the infected machine, including file access, process management, port forwarding, and encrypted communication. It has been used by several Chinese hacking groups, including UNC5174, the researchers note.
