Persistence is achieved by copying a script, named similarly to the current file name, into the /usr/lib/systemd/system/ directory and creating a symlink to that file in the /etc/systemd/system/multi-user.target.wants/ directory. Both directories are writable only by root, so this method only works if the current process is running with root privileges. The content of the script is:
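One way to hunt for this persistence pattern on a live host or a mounted disk image is to enumerate the symlinks in multi-user.target.wants, resolve each to its unit file, and flag units whose ExecStart program lives outside the directories packaged services normally start from. The script below is an added example, not the malware's code or anything from the original analysis; the unit names, the /tmp/dropped path and the unit contents in the demo tree are constructed for illustration.

```python
#!/usr/bin/env python3
"""Triage enabled systemd units for a unit dropped into
/usr/lib/systemd/system and enabled through a symlink in
/etc/systemd/system/multi-user.target.wants.
Added example; file names and contents below are constructed."""
import os
import re
import tempfile
from pathlib import Path

# Directories a packaged service is normally started from.
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                     "/usr/lib/", "/lib/", "/usr/libexec/")


def exec_start_path(unit_text):
    """Return the program path from the first ExecStart= line, dropping
    systemd's optional prefix characters (-, @, +, !, :)."""
    m = re.search(r"^ExecStart=\s*([-@+!:]*)(\S+)", unit_text, re.MULTILINE)
    return m.group(2) if m else None


def triage_wants(root="/"):
    """Walk <root>/etc/systemd/system/multi-user.target.wants and report
    each enabled unit, its resolved unit file and its ExecStart program.
    'suspicious' is set when the program is missing or lives outside
    TRUSTED_EXEC_DIRS (e.g. /tmp, /dev/shm, /var/tmp, a home directory).
    <root> lets the same logic run against an offline image."""
    root = Path(root)
    wants = root / "etc/systemd/system/multi-user.target.wants"
    findings = []
    if not wants.is_dir():
        return findings
    for link in sorted(wants.iterdir()):
        if not link.is_symlink():
            continue
        target = Path(os.readlink(link))
        if target.is_absolute():
            # Re-root absolute targets so offline image triage works.
            target = root / target.relative_to("/")
        else:
            target = Path(os.path.normpath(link.parent / target))
        prog = None
        if target.is_file():
            prog = exec_start_path(target.read_text(errors="replace"))
        findings.append({
            "link": link.name,
            "target": str(target),
            "exec": prog,
            "suspicious": prog is None or not prog.startswith(TRUSTED_EXEC_DIRS),
        })
    return findings


def build_demo_tree():
    """Constructed sample image: one benign-looking unit started from
    /usr/sbin and one that starts a binary from /tmp, both enabled the way
    the persistence mechanism above does it. Returns the temporary root."""
    root = Path(tempfile.mkdtemp())
    lib = root / "usr/lib/systemd/system"
    wants = root / "etc/systemd/system/multi-user.target.wants"
    lib.mkdir(parents=True)
    wants.mkdir(parents=True)
    (lib / "cron.service").write_text(
        "[Unit]\nDescription=cron\n[Service]\nExecStart=/usr/sbin/cron -f\n"
        "[Install]\nWantedBy=multi-user.target\n")
    (lib / "dropped.service").write_text(
        "[Service]\nExecStart=-/tmp/dropped\nRestart=always\n")
    for name in ("cron.service", "dropped.service"):
        os.symlink("/usr/lib/systemd/system/" + name, wants / name)
    return root


if __name__ == "__main__":
    for f in triage_wants(str(build_demo_tree())):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['link']:20} exec={f['exec']}")
```

Run against a real host with `triage_wants("/")`, or point `root` at a mounted image. The check is a triage heuristic, not a verdict: a legitimately installed unit can start from an unusual path, and a unit in /usr/lib/systemd/system that no package owns is a stronger signal, so pair this with a package-manager ownership query (`rpm -qf` / `dpkg -S`) on the flagged unit files.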
After running the parameter-dependent code, if the operator did not choose a GUID with the “-f” parameter, the malware generates a random GUID and writes it to a file named after the current file with a “d” appended. The malware then collects information about the compromised computer and sends it to the C&C.
The following information is sent to the C&C, encrypted with DES in CBC mode under a hardcoded key:
GUID
Host name
Username
Local IP address and port used to send the request
Current PID
Kernel version and machine architecture
Current file path
Boolean (0 if the malware was launched with exactly one parameter, 1 otherwise)
For the DNS C&C communication version, the malware retrieves the configured DNS server by reading the content of the /etc/resolv.conf file, or falls back to the public DNS server operated by Google at IP address 8.8.8.8.
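The resolver selection described above is worth modelling when writing detections for the DNS variant. The example below is added here and is not the malware's code; it parses resolv.conf the way glibc does (comment characters, unknown keywords, a limit of three nameservers) and applies the fallback to 8.8.8.8. The sample resolv.conf contents are constructed, not captured from an infected host.

```python
#!/usr/bin/env python3
"""Model the nameserver selection of the DNS C&C variant: first usable
nameserver from /etc/resolv.conf, else the hardcoded Google fallback.
Added example; sample configurations are constructed."""
import ipaddress

FALLBACK_DNS = "8.8.8.8"
MAXNS = 3  # glibc honours at most three nameserver lines


def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf content, in order.
    '#' or ';' starts a comment, other keywords (search, options, ...) are
    ignored, malformed addresses are skipped, at most MAXNS are kept."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        addr = parts[1]
        try:
            # Strip an IPv6 scope id such as fe80::1%eth0 before validating.
            ipaddress.ip_address(addr.split("%", 1)[0])
        except ValueError:
            continue
        servers.append(addr)
        if len(servers) == MAXNS:
            break
    return servers


def choose_resolver(text):
    """Return (server, via_local_stub) for the server the beacon would query.
    via_local_stub is True when the chosen address is loopback, i.e. the
    host runs systemd-resolved (127.0.0.53), dnsmasq or similar, so the
    C&C queries pass through a local resolver that can log them."""
    servers = parse_nameservers(text)
    chosen = servers[0] if servers else FALLBACK_DNS
    via_local_stub = ipaddress.ip_address(chosen.split("%", 1)[0]).is_loopback
    return chosen, via_local_stub


def read_resolv_conf(path="/etc/resolv.conf"):
    """Read the live resolver configuration; missing file means fallback."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    server, stub = choose_resolver(read_resolv_conf())
    print(f"beacon would query {server}" + (" (via local stub)" if stub else ""))
```

Two detection consequences follow from this selection logic. On a host whose resolv.conf points at an internal resolver, any direct UDP/TCP 53 traffic to 8.8.8.8 from the endpoint is the fallback path and is worth an alert on its own; and on hosts running systemd-resolved, the queries traverse 127.0.0.53, so raising resolved's log level (`resolvectl log-level debug`) or any local DNS logging captures the C&C lookups without network taps.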
In 2022, we had already noticed that this threat actor was interested in platforms other than Windows, with the rshell malware family running on Linux and Mac OS. For these reasons, we would not be surprised to see SysUpdate samples for the Mac OS platform in the future. Interestingly, most of