BlueShell Used in Attacks Against Linux Systems in Korea (2) – ASEC BLOG

AhnLab SEcurity intelligence Center (ASEC) previously published the article “BlueShell Used in APT Attacks Against Korean and Thai Targets” [1] on the ASEC blog, which introduced BlueShell malware strains used against Linux systems in Thailand and Korea. The threat actor customized the BlueShell backdoor for the attack and configured it so that it only runs on specific systems.

Since that article was published, BlueShell samples built by the same threat actor have continued to surface on VirusTotal. Although the malware checks the host name of the Linux system as one of its execution conditions, a host name alone does not identify the target, and the malware alone does not reveal related details such as the initial access method. However, a new dropper disguised as the Linux id command was recently discovered, along with additional malware and C&C servers. This article therefore analyzes and summarizes the BlueShell samples covered in the previous post together with the newly collected ones.

1. BlueShell

BlueShell is a backdoor written in Go. It is publicly available on GitHub and supports Windows, Linux, and macOS. The README that describes the tool is written in Chinese, which suggests that the developer is a Chinese speaker. The threat actor has been using BlueShell in continuous attacks on Korean targets; the previous post also covered cases involving the Dalbit group and other unidentified threat actors. As a backdoor, BlueShell receives commands from the C&C server and executes them, which gives the threat actor control of the system on which it is installed.

Figure 1. BlueShell backdoor published on GitHub

BlueShell has a simple structure. Its communication with the C&C server is wrapped in TLS, which hides the traffic contents from network-based detection. The commands it accepts from the threat actor cover remote command execution, file download and upload, and a SOCKS5 proxy.

BlueShell has three configuration values: the IP address of the C&C server, its port number, and a wait time. In the public version these values are hard-coded into the binary at build time and assigned in Go’s init() function.

2. Analysis of BlueShell Used in the Attack

2.1. Customized BlueShell

Unlike the public BlueShell, the customized backdoor used in the attack does not carry configuration data such as the C&C address inside the binary. Instead, at start-up it reads the configuration from an environment variable and Base64-decodes it (Base64 is an encoding, not encryption, so the value can be recovered trivially once the variable name is known). The environment variable names identified so far are “lgdt” and “wtim.”

Figure 2. Routine for decoding environment variables and using them as configuration data

Once the environment variable is decoded, it yields up to four fields, listed in the table below. The fourth field is an execution condition: when four fields are present, the malware retrieves the Linux host name and compares it with the fourth field, and terminates if they do not match. The customized BlueShell therefore contains neither its C&C address nor any information about the target system on its own; the configuration that makes it run is supplied by the dropper.

Argument   Description
#1         C&C server address
#2         C&C server port number
#3         Wait time
#4         Host name condition (optional; the process exits if it does not match)
Table 1. Customized BlueShell’s configuration data
Figure 3. Routine for checking the execution condition
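To make the configuration mechanism concrete, the following Go program is an added example written for this article; it is neither BlueShell’s source nor the threat actor’s code, only a reconstruction of the decoding and host name check described above. The environment variable names lgdt and wtim come from the analysis; the field separator (whitespace) and the unit of the wait time (seconds) are assumptions, because the page does not state them, and every sample value is constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// Config holds the four values listed in Table 1.
type Config struct {
	Addr     string        // C&C server address
	Port     int           // C&C server port
	Wait     time.Duration // wait time; seconds as the unit is an assumption
	HostCond string        // host name condition; empty when only three fields are present
}

// envNames are the environment variable names observed so far.
var envNames = []string{"lgdt", "wtim"}

// parseConfig decodes the Base64 blob carried in the environment variable and
// splits it into fields. Whitespace as the separator is an assumption; the
// analysis only states that four values are recovered after decoding.
func parseConfig(encoded string) (Config, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encoded))
	if err != nil {
		return Config{}, fmt.Errorf("base64: %w", err)
	}
	fields := strings.Fields(string(raw))
	if len(fields) < 3 || len(fields) > 4 {
		return Config{}, fmt.Errorf("expected 3 or 4 fields, got %d", len(fields))
	}
	port, err := strconv.Atoi(fields[1])
	if err != nil || port < 1 || port > 65535 {
		return Config{}, fmt.Errorf("bad port %q", fields[1])
	}
	wait, err := strconv.Atoi(fields[2])
	if err != nil || wait < 0 {
		return Config{}, fmt.Errorf("bad wait time %q", fields[2])
	}
	cfg := Config{Addr: fields[0], Port: port, Wait: time.Duration(wait) * time.Second}
	if len(fields) == 4 {
		cfg.HostCond = fields[3]
	}
	return cfg, nil
}

// shouldRun is the execution condition of Figure 3: when a fourth field is
// present, the backdoor continues only if it equals the local host name.
func shouldRun(cfg Config, hostname string) bool {
	return cfg.HostCond == "" || cfg.HostCond == hostname
}

// loadFromEnv does what the backdoor does at start-up: find the variable,
// decode it, and apply the host name condition.
func loadFromEnv(hostname string) (Config, error) {
	for _, name := range envNames {
		v, ok := os.LookupEnv(name)
		if !ok {
			continue
		}
		cfg, err := parseConfig(v)
		if err != nil {
			return Config{}, fmt.Errorf("%s: %w", name, err)
		}
		if !shouldRun(cfg, hostname) {
			return Config{}, errors.New("host name condition not met, process would exit")
		}
		return cfg, nil
	}
	return Config{}, errors.New("no configuration variable (lgdt/wtim) in environment")
}

func main() {
	host, _ := os.Hostname()
	cfg, err := loadFromEnv(host)
	if err != nil {
		fmt.Println("no configuration:", err)
		return
	}
	fmt.Printf("C&C %s:%d, wait %s, host condition %q\n", cfg.Addr, cfg.Port, cfg.Wait, cfg.HostCond)
}
```

Run it as, for example, lgdt=$(printf '10.0.0.5 443 30 web-01' | base64) go run main.go (constructed values). From the defender’s side the same decoding applies to a value lifted from /proc/<pid>/environ of a suspicious process, which recovers the C&C address and the targeted host name without executing the sample.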

2.2. BlueShell Dropper Malware

During execution, the dropper XOR-decodes the encrypted BlueShell stored in its .data section using the single-byte key 0x63. The decoded data is compressed; the dropper decompresses it and writes the result to a path such as “/tmp/.ICECache.”

Figure 4. The dropper’s main routine
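The payload can be recovered without running the dropper. The Go program below is an added example written for this article (it is not the dropper’s code and not an AhnLab tool): it reads the .data section of the dropper with debug/elf, XORs it with 0x63 as described, and decompresses the result. The analysis does not name the compression format, so the program sniffs the decoded bytes for gzip and zlib headers and actually tries each candidate offset; treating the dropper as an ELF file and limiting support to those two formats are assumptions of this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"compress/zlib"
	"debug/elf"
	"errors"
	"fmt"
	"io"
	"os"
)

const xorKey byte = 0x63 // single-byte key reported in the analysis

// xorBytes applies the repeating single-byte key; XOR is its own inverse.
func xorBytes(b []byte, key byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ key
	}
	return out
}

// sniff names the compression format whose header starts at b, or returns "".
func sniff(b []byte) string {
	switch {
	case len(b) < 2:
		return ""
	case b[0] == 0x1f && b[1] == 0x8b:
		return "gzip"
	case b[0]&0x0f == 8 && b[0]>>4 <= 7 && (int(b[0])<<8|int(b[1]))%31 == 0:
		return "zlib" // CM=8, CINFO<=7, and CMF<<8|FLG divisible by 31
	}
	return ""
}

// decompress inflates one stream of the given format; bytes after it are ignored.
func decompress(format string, b []byte) ([]byte, error) {
	br := bytes.NewReader(b)
	switch format {
	case "gzip":
		gr, err := gzip.NewReader(br)
		if err != nil {
			return nil, err
		}
		gr.Multistream(false) // trailing section data is not another gzip member
		return io.ReadAll(gr)
	case "zlib":
		zr, err := zlib.NewReader(br)
		if err != nil {
			return nil, err
		}
		return io.ReadAll(zr)
	}
	return nil, errors.New("unsupported format " + format)
}

// decodePayload XOR-decodes a .data section and returns the first embedded stream
// that inflates cleanly, with its offset and format. Ordinary section bytes can XOR
// into a false header, so each candidate offset is tried rather than trusted.
func decodePayload(section []byte) ([]byte, int, string, error) {
	dec := xorBytes(section, xorKey)
	for i := range dec {
		f := sniff(dec[i:])
		if f == "" {
			continue
		}
		if out, err := decompress(f, dec[i:]); err == nil && len(out) > 0 {
			return out, i, f, nil
		}
	}
	return nil, -1, "", errors.New("no XOR-0x63 gzip/zlib stream found in section")
}

// extractFromELF reads the dropper's .data section and decodes the payload from it.
func extractFromELF(path string) ([]byte, int, string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, -1, "", err
	}
	defer f.Close()
	s := f.Section(".data")
	if s == nil {
		return nil, -1, "", errors.New(".data section not found")
	}
	sec, err := s.Data()
	if err != nil {
		return nil, -1, "", err
	}
	return decodePayload(sec)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: extract <dropper-elf> <output-file>")
		os.Exit(2)
	}
	payload, off, format, err := extractFromELF(os.Args[1])
	if err == nil {
		fmt.Printf("%s stream at .data+0x%x, %d bytes decompressed\n", format, off, len(payload))
		err = os.WriteFile(os.Args[2], payload, 0o600) // written without the execute bit
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

The output file is deliberately written without the execute bit so it cannot be launched by accident; confirm with file(1) that it is an ELF executable, then inspect its strings for the lgdt/wtim variable names and the Go source path before any dynamic analysis.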

The dropper executes the written BlueShell file and then deletes it, so afterwards the backdoor exists only in memory. When launching it, the dropper passes the string “/usr/libexec/rpciod” as argv[0] instead of the real path, so the process appears under a legitimate-looking name in process listings such as ps. The /proc/<pid>/exe link is unaffected by this trick and still resolves to the deleted file under /tmp.

Figure 5. BlueShell backdoor operating under the guise of a normal process

Note also that the dropper sets the environment variables containing the configuration data before executing the backdoor. The backdoor described above decodes this data and uses it as its C&C server address and execution condition.

Figure 6. Environment variables that contain configuration data
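The behavior described in this section leaves traces that can be checked from /proc without the sample in hand: a fake argv[0] does not change the /proc/<pid>/exe link, which the kernel reports with a “ (deleted)” suffix once the file is gone, and the configuration variables stay readable in /proc/<pid>/environ. The following Go program is an added hunting example written for this article, not an AhnLab tool. The indicator names it checks (rpciod-style argv[0] mismatch, a binary under /tmp, the lgdt and wtim variables) come from the analysis above; the prefix-based argv[0] comparison and the list of temp directories are heuristic choices of this example, and the values in the test are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Findings records the masquerading traits observed for one process.
type Findings struct {
	PID           int
	Argv0, Exe    string
	ExeDeleted    bool     // /proc/<pid>/exe resolves to a file removed after exec
	Argv0Mismatch bool     // argv[0] names a different program than the binary on disk
	ExeInTempDir  bool     // the binary was launched from a world-writable temp directory
	ConfigEnv     []string // BlueShell configuration variables present in the environment
}

var configEnvNames = []string{"lgdt", "wtim"}                 // names from the analysis
var tempDirs = []string{"/tmp/", "/var/tmp/", "/dev/shm/"} // where the dropper stages the payload (heuristic list)

// Suspicious reports whether any trait was seen.
func (f Findings) Suspicious() bool {
	return f.ExeDeleted || f.Argv0Mismatch || f.ExeInTempDir || len(f.ConfigEnv) > 0
}

// assess is a pure function over the three /proc values so it can also be run
// on data collected from another host.
func assess(pid int, argv0, exe string, env map[string]string) Findings {
	f := Findings{PID: pid, Argv0: argv0, Exe: exe}
	if strings.HasSuffix(exe, " (deleted)") { // appended by the kernel to the readlink result
		f.ExeDeleted = true
		exe = strings.TrimSuffix(exe, " (deleted)")
	}
	for _, d := range tempDirs {
		f.ExeInTempDir = f.ExeInTempDir || strings.HasPrefix(exe, d)
	}
	if argv0 != "" {
		// Login shells prefix argv[0] with "-" and versioned interpreters
		// (python3 vs python3.11) share a prefix, so a prefix counts as a match.
		a, e := filepath.Base(strings.TrimPrefix(argv0, "-")), filepath.Base(exe)
		f.Argv0Mismatch = !strings.HasPrefix(e, a) && !strings.HasPrefix(a, e)
	}
	for _, name := range configEnvNames {
		if _, ok := env[name]; ok {
			f.ConfigEnv = append(f.ConfigEnv, name)
		}
	}
	return f
}

// readProc reads argv[0], the exe link and the environment for one PID.
// exe and environ of other users' processes are only readable as root.
func readProc(pid int) (argv0, exe string, env map[string]string, err error) {
	dir := filepath.Join("/proc", strconv.Itoa(pid))
	cmd, err := os.ReadFile(filepath.Join(dir, "cmdline"))
	if err != nil {
		return
	}
	if argv := bytes.Split(cmd, []byte{0}); len(argv) > 0 {
		argv0 = string(argv[0])
	}
	if exe, err = os.Readlink(filepath.Join(dir, "exe")); err != nil {
		return
	}
	env = map[string]string{}
	raw, _ := os.ReadFile(filepath.Join(dir, "environ")) // empty unless permitted
	for _, kv := range bytes.Split(raw, []byte{0}) {
		if k, v, ok := strings.Cut(string(kv), "="); ok {
			env[k] = v
		}
	}
	return
}

// scanProc walks /proc and returns every process with at least one finding.
func scanProc() []Findings {
	var out []Findings
	entries, _ := os.ReadDir("/proc")
	for _, ent := range entries {
		pid, err := strconv.Atoi(ent.Name())
		if err != nil {
			continue // not a process directory
		}
		argv0, exe, env, err := readProc(pid)
		if err != nil || argv0 == "" {
			continue // exited, kernel thread, or not permitted
		}
		if f := assess(pid, argv0, exe, env); f.Suspicious() {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range scanProc() {
		fmt.Printf("pid %d argv0=%q exe=%q deleted=%t mismatch=%t tempdir=%t env=%v\n", f.PID, f.Argv0, f.Exe, f.ExeDeleted, f.Argv0Mismatch, f.ExeInTempDir, f.ConfigEnv)
	}
}
```

Run it as root so that exe and environ are readable for every process. Expect benign hits from the argv[0] check (multi-call binaries such as busybox, daemons that rewrite their command line, systemd’s “(sd-pam)” helper) and from long-running processes whose package was upgraded in place, which also show “(deleted)”; the combination of a deleted executable under /tmp with the configuration variables in the environment is the high-confidence case and corresponds to what Figure 5 shows.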

2.3. Parent Dropper Malware

The recently discovered variant adds a further layer: a parent dropper that contains the BlueShell dropper described above (and through it the backdoor) together with a copy of the genuine id command binary. The parent dropper was collected under the name “id” and, as the name implies, impersonates the Linux id command while installing the BlueShell dropper and, ultimately, the BlueShell backdoor itself. Details are yet to be confirmed, but the threat actor most likely replaced the binary at the location of the id command for persistence, so that the malware runs every time the command is invoked.

When run, the malware first reads its own file into memory and then deletes the file. It then writes a new file with the same name as the running process and executes it; this file is the BlueShell dropper described above. Before doing so, it checks whether a process named “/usr/libexec/rpciod” (the backdoor’s fake name) is already running and proceeds only if it is not. If it fails to delete itself, it installs the malware to the path “/tmp/.X15-lock” instead.

Next, it deletes the file it created, then writes the genuine id command binary under the same name and executes it. Unlike the BlueShell dropper discussed above, the parent dropper stores the embedded binaries without encryption.

Figure 7. The BlueShell dropper included in the binary and the id command binary

As a result, the output of the genuine id command is printed, so the user believes that id ran normally. Once this is done, the malware deletes the id file and writes the original bytes it saved in memory (its own malicious file) back to the same path.

Figure 8. Result of malware execution

If the malware sits in a normal path such as “/bin/id,” every time a system process or a user runs id, the normal command output is produced and BlueShell is launched at the same time. Because the malicious file is what remains on disk between runs, the replaced id can be caught at rest by verifying the coreutils package against the package manager’s recorded checksums (rpm -V coreutils on RPM-based systems, dpkg -V coreutils on Debian-based ones).

3. Categorization of Confirmed Malware

The following is a list of the BlueShell samples confirmed so far. The threat actor built the malware at least seven times and used each build in attacks; the builds are functionally identical. Judging from the countries from which the samples were uploaded to VirusTotal, most of the victims were located in Korea and were attacked continuously from around 2022 into 2023.

Date of Attack       Name and Path (Dropper / BlueShell)   Country   Environment Variable   Disguised Process                  Source Code Information
2022-09-01 (upload)  orbds / /tmp/.ICECache                TH        lgdt                   /usr/sbin/cron -f                  /home/User/Desktop/client/main.go
2022-12-09           - / -                                 KR        lgdt                   -                                  /home/User/Desktop/20221209/client/main.go
2023-02-02           rpcd / /tmp/kthread                   KR        lgdt                   /sbin/rpcd                         /home/User/Desktop/20230202/client/main.go
2023-02-16           - / -                                 KR        wtim                   -                                  /home/User/Desktop/20230216/client/main.go
2023-03-15           - / sssd_pam.log                      KR        wtim                   -                                  /home/User/Desktop/QX20230315/client/main.go
2023-11-14 (upload)  orbds / /tmp/.ICECache                BR        lgdt                   /usr/lib/systemd/systemd-udevd     /home/User/Desktop/client/main.go
2023-12-21 (upload)  id / /tmp/.ICECache                   KR        lgdt                   /usr/libexec/rpciod                /home/User/Desktop/client/main.go
Table 2. Confirmed BlueShell samples (“-”: not available; “(upload)” marks VirusTotal upload dates, the other dates come from the source directory names)

Note that the Go-built BlueShell binaries retain the paths of the source files they were compiled from, which reveals the threat actor’s working directories. In some variants the directory names are dates; the attack dates in the table above are taken from those names and, where no such name was available, from the date of collection.

Figure 9. Go source code directory

4. Conclusion

Korean Linux systems have recently been under continuous attack. Details are yet to be uncovered, but the threat actor is known to use its own customized build of the open-source BlueShell backdoor. BlueShell receives commands from the threat actor and performs various malicious activities once installed, so an installed BlueShell means that the threat actor has taken control of the system.

To prevent such incidents, administrators should review configurations that leave their systems exposed to infection and keep the relevant systems updated to the latest versions. V3 should also be kept up to date so that malware infections can be blocked.

File Detection
– Trojan/Linux.BlueShell.XE216 (2023.02.20.03)
– Trojan/Linux.Agent (2023.08.26.00)
– Dropper/Linux.BlueShell.2904696 (2023.09.04.02)
– Dropper/Linux.BlueShell.2888120 (2023.09.04.02)
– Dropper/Linux.BlueShell.2904376 (2024.02.05.02)
– Dropper/Linux.BlueShell.2978160 (2024.02.05.02)

IoC
MD5
– 3f022d65129238c2d34e41deba3e24d3 : BlueShell Dropper (orbds) – 2022-09-01
– 30fe6a0ba1d77e05a19d87fcf99e7ca5 : BlueShell Backdoor (/tmp/.ICECache) – 2022-09-01
– 985000d076e7720660ab8435639d5ad5 : BlueShell Backdoor – 2022-12-09
– 2ed0a868520c31e27e69a0ab1a4e690d : BlueShell Dropper (rpcd) – 2023-02-02
– 425c761a125b7cb674887121312bd16c : BlueShell Backdoor (/tmp/kthread) – 2023-02-02
– d66b4b2bbe8e8cf98a5209fafa4fcb36 : BlueShell Backdoor – 2023-02-16
– 68f10e37a6b84ba0fb32902f35d0bfc2 : BlueShell Backdoor (sssd_pam.log) – 2023-03-15
– a197fe59fbbc6b8be991c521f885a70c : BlueShell Dropper (orbds) – 2023-11-14
– a27dcd68061e7bb78b149e528c66b063 : BlueShell Backdoor (/tmp/.ICECache) – 2023-11-14
– 86270bf40274cd3086baf215dcf5a145 : id Dropper (id) – 2023-12-21
– 9f90d39a8dccfccd0bdfec9c7b4b7082 : BlueShell Dropper (id) – 2023-12-21
– b492233b1043ae9d899a130ac3fd06bb : BlueShell Backdoor (/tmp/.ICECache) – 2023-12-21

C&C
– 202.87.223[.]124:443
– 20.200.213[.]72:3389

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/61549/