Linux RAR malware bypasses antivirus software

Cybersecurity researchers have uncovered a sophisticated attack chain that utilises phishing emails to deliver an open-source backdoor known as VShell. This Linux-specific malware infection begins with a spam email containing a malicious RAR archive file. Trellix researcher Sagar Bade noted that the payload is not concealed within the file content or a macro; instead, it is encoded directly in the filename. By employing shell command injection and Base64-encoded Bash payloads, the attacker transforms a simple file listing operation into an automatic malware execution trigger. This technique exploits a dangerous pattern often seen in shell scripts, where inadequate sanitisation of file names allows trivial commands like eval or echo to execute arbitrary code. Notably, traditional antivirus engines typically do not scan file names, providing an additional layer of evasion for the attackers.

The attack commences with an email disguised as an invitation to participate in a beauty product survey, enticing recipients with a monetary reward of 10 RMB for their participation. The email includes a RAR archive attachment named ‘yy.rar’, although it does not explicitly instruct users to open or extract it. This subtle social engineering tactic distracts users with the survey content, leading them to mistakenly perceive the attachment as a relevant document. Within the archive lies a file with a maliciously crafted name: “ziliao2.pdf`echo,|base64,-d|bash`”. This filename incorporates Bash-compatible code designed to execute commands when interpreted by the shell. The execution occurs only when a shell script or command attempts to parse the filename, making it impossible to create manually. Ultimately, this leads to the execution of a Base64-encoded downloader that retrieves an ELF binary from an external server, which then communicates with a command-and-control server to obtain and execute the encrypted VShell payload.