Hackers of India

Enhancing Red Team OPSEC: Abusing Stealthy In-Memory Binary Execution Techniques in Linux

By Pranav Sivvam on 07 Aug 2023 @ C0c0n


AI Generated Summary (may contain errors)


The speaker discusses a technique used by malware to remain stealthy on Linux systems. They demonstrate how an attacker can mount a temporary file system (tmpfs) on the /lost+found directory, a directory that exists on most Linux installations and that users rarely inspect. Because the mount is made inside a separate mount namespace, files created within it are invisible to other users or analysts whose processes live in a different mount namespace.

The speaker demonstrates downloading a shell script onto the system with curl; the file remains hidden from everyone outside the separate mount namespace. This makes the technique attractive to malicious actors who want to remain stealthy.

The speaker then discusses two examples of malware that have employed this technique: Panchan, a botnet and cryptojacker that targeted the telecom, VPS, and education sectors, and Secret Slip, which was found on the Python Package Index (PyPI) repository. Both used memory-based file systems to drop crypto miners and evade detection.

To detect such activity, the speaker recommends visibility into process execution, better memory scanning capabilities, behavior-based detection, and network traffic analysis.
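As an added example (not from the talk or its slides), a small Python checker that puts the first recommendation into practice against the namespace trick described above: it compares each process's mount table with PID 1's and reports tmpfs mounts that are visible only inside a private mount namespace. The two mountinfo samples are constructed; `scan_live_processes` only does real work on a Linux host with a readable /proc.

```python
import os
import re

# Constructed sample mount tables in /proc/<pid>/mountinfo format: the host
# view, and the view of a process that mounted a tmpfs over /lost+found.
HOST_MOUNTINFO = "24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
HIDDEN_MOUNTINFO = HOST_MOUNTINFO + \
    "57 24 0:48 / /lost+found rw,nosuid - tmpfs tmpfs rw,size=65536k\n"

def parse_mountinfo(text):
    """Return (mount_point, fstype, source) tuples from mountinfo text.
    Layout: id parent maj:min root mount_point opts [optional..] - fstype source superopts"""
    mounts = []
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")
        fields, tail_fields = head.split(), tail.split()
        if not sep or len(fields) < 5 or len(tail_fields) < 2:
            continue
        # The kernel writes spaces and similar as octal escapes (\040); decode them.
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        mounts.append((point, tail_fields[0], tail_fields[1]))
    return mounts

def private_tmpfs_mounts(host_text, proc_text):
    """tmpfs mounts a process sees that are absent from the PID 1 (host) view."""
    host_view = set(parse_mountinfo(host_text))
    return [m for m in parse_mountinfo(proc_text)
            if m[1] == "tmpfs" and m not in host_view]

def scan_live_processes(proc_root="/proc"):
    """Linux only: map pid -> hidden tmpfs mounts for every process whose mount
    namespace differs from PID 1's. Returns {} where /proc is unavailable."""
    findings = {}
    try:
        init_ns = os.readlink(f"{proc_root}/1/ns/mnt")
        with open(f"{proc_root}/1/mountinfo") as f:
            host_text = f.read()
    except OSError:
        return findings
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            if os.readlink(f"{proc_root}/{pid}/ns/mnt") == init_ns:
                continue  # shares init's namespace: no private mounts possible
            with open(f"{proc_root}/{pid}/mountinfo") as f:
                hits = private_tmpfs_mounts(host_text, f.read())
        except OSError:
            continue  # process exited, or not enough privilege to read it
        if hits:
            findings[pid] = hits
    return findings
```

Every container process also lives in a private mount namespace, so on container hosts the PID 1 baseline alone will be noisy; compare against the container runtime's expected mounts instead of treating each hit as an alert.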