Cybercriminals can be often seen employing Linux shell scripts for various tasks, such as disabling firewalls, monitoring agents, and modifying Access Control Lists (ACLs). Researchers published a report that describes the several ways in which malicious Linux shell scripts are being used to hide attacks.
Researchers has highlighted six frequently used evasion techniques by attackers using malicious Linux shell scripts.
- First technique involves using shell scripts to uninstall cloud-related monitoring agents including Alibaba’s Aegis and Tencent’s host security agent YunJing.
- Second technique, attackers use a malicious script to disable the firewall for evading defenses. Hackers also remove iptables rules that are commonly used for managing firewalls on Linux.
- Third method uses the malicious shell script to disable Linux security modules, such as SELinux and Apparmor. These modules are used to apply Mandatory Access Control (MAC) policies.
- Fourth technique, the malicious script can be used to modify Access Control Lists (ACLs). For Linux, the Setfacl tool is used to modify or remove the ACL.
- Fifth defense evasion method, attackers can use Chattr, a utility used to set or unset specific attributes of a file, to drop their files or make them immutable and undeletable.
- Sixth technique involves renaming common utilities such as wget and curl that help in downloading files from the remote IP. Attackers use these tools to download malicious files from their C2 server. Some security solutions may not flag these renamed tools.