Cybercriminals are often seen employing Linux shell scripts for various tasks, such as disabling firewalls, stopping monitoring agents, and modifying Access Control Lists (ACLs). Recently, researchers published a report that describes several ways in which malicious Linux shell scripts are being used to hide attacks.
Learning the techniques
Uptycs Threat Research has highlighted six evasion techniques frequently used by attackers in malicious Linux shell scripts.
The first technique involves using shell scripts to uninstall cloud-related monitoring agents including Alibaba’s Aegis and Tencent’s host security agent YunJing.
In the second technique, attackers use a malicious script to disable the firewall in order to evade defenses. Attackers also remove iptables rules, which are commonly used to manage firewalls on Linux.
The third method uses the malicious shell script to disable Linux security modules such as SELinux and AppArmor. These modules are used to enforce Mandatory Access Control (MAC) policies.
In the fourth technique, the malicious script is used to modify Access Control Lists (ACLs). On Linux, the setfacl tool is used to modify or remove ACLs.
In the fifth defense evasion method, attackers use chattr, a utility that sets or clears specific attributes of a file, to make the files they drop immutable and undeletable.
The final technique involves renaming common utilities such as wget and curl, which are used to download files from remote hosts. Attackers use these tools to fetch malicious files from their C2 server, and some security solutions do not flag the renamed copies.
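As an added example (not code from the Uptycs report or this article), the following Python scanner flags shell-script lines that match a heuristic for each of the six techniques above. The regexes, the sample script, and the uninstaller filename it contains are constructed assumptions for demonstration, not signatures from the report.

```python
import re

# Heuristic patterns for the six techniques listed above; the regexes are
# this example's own assumptions, not signatures from the Uptycs report.
TECHNIQUES = {
    "uninstall_monitoring_agent": re.compile(
        r"(?=.*\b(uninstall|remove)\b)(?=.*\b(aegis|yunjing|agent)\b)", re.I),
    "disable_firewall": re.compile(
        r"\b(ufw\s+disable|iptables\s+(-F|--flush|-X)|"
        r"systemctl\s+(stop|disable)\s+(firewalld|iptables))\b"),
    "disable_lsm": re.compile(
        r"\b(setenforce\s+(0|permissive)|SELINUX=disabled|"
        r"systemctl\s+(stop|disable)\s+apparmor)\b", re.I),
    "modify_acl": re.compile(r"\bsetfacl\s+-[a-zA-Z]*[bxkm]\b"),
    "chattr_immutable": re.compile(r"\bchattr\s+[+=-][a-zA-Z]*[ia]\b"),
    "rename_download_tool": re.compile(
        r"\b(mv|cp|ln\s+-s)\s+(\S*/)?(wget|curl)\b\s+\S+"),
}


def scan_script(text):
    """Return (line_no, technique, line) for every line matching a pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        # Crude comment strip; a '#' inside quotes is not handled.
        code = line.split("#", 1)[0]
        for name, pattern in TECHNIQUES.items():
            if pattern.search(code):
                hits.append((n, name, line.strip()))
    return hits


# Constructed sample input for exercising the detector (not a real script).
SAMPLE = """#!/bin/sh
# constructed test input
bash /tmp/uninstall-aegis.sh
iptables -L
iptables -F
setenforce 0
setfacl -b /etc/cron.d
chattr +ia /opt/.svc/bin
mv /usr/bin/wget /tmp/.w
"""

if __name__ == "__main__":
    for n, name, line in scan_script(SAMPLE):
        print(f"line {n}: {name}: {line}")
```

The benign `iptables -L` line produces no hit, which shows the patterns key on rule removal rather than on any use of the tool.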
The bottom line
Cybercriminals are using shell scripts in a variety of sophisticated evasion techniques, so monitoring activity on the system has become a pressing priority. Researchers suggest using appropriate security solutions to monitor suspicious events, processes, and network traffic, along with keeping systems and firmware patched.