Yesterday, I discovered a malicious Bash script that installs a GSocket backdoor on the victim\u2019s computer. I don\u2019t know the source of the script not how it is delivered to the victim.<\/p>\n
GSocket[1<\/a>] is a networking tool, but also a relay infrastructure, that enables direct, peer-to-peer\u2013style communication between systems using a shared secret instead of IP addresses or open ports. It works by having both sides connect outbound to a global relay network. Tools like gs-netcat can provide remote shells, file transfer, or tunneling and bypass classic security controls. The script that I found uses a copy of gs-netcat but the way it implements persistence and anti-forensic techniques deserves a review.<\/p>\n A few weeks ago, I found a sample that used GSocket connectivity as a C2 channel. It makes me curious and I started to hunt for more samples. Bingo! The new one that I found (SHA256:6ce69f0a0db6c5e1479d2b05fb361846957f5ad8170f5e43c7d66928a43f3286[2<\/a>]) has been detected by only 17 antivirus solutions on VT. The script is not obfuscated and even has comments so I think that it was uploaded on VT for “testing” purposes by the developper (just a guess)<\/p>\n Let\u2019s have a look at the techniques used.\u00a0When you execute it in a sandbox, you see this:<\/p>\n Note the identification of the tool (“G-Socket Bypass Stealth”) and the reference to “@bboscat”[3<\/a>]<\/p>\n A GSocket client is downloaded, started and is talking to the following IP:<\/p>\n The malware implements persistence through different well-known techniques on Linux. First, a cron job is created:<\/p>\n Every top-hour, the disguised gs-netcat will be killed (if running) and restarted. To improve persistence, the same code is added to the victim’s .profile:<\/p>\n The malware itself is copied in .ssh\/putty and the GSocket shared secret stored in a fake SSH key file:<\/p>\n The ELF file id_rsa (SHA256: d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) is the gs-netcat tool downloaded directly from the G-Socket CDN.<\/p>\n Ok, let\u2019s have a look at an interesting anti-forensic technique implemented in the Bash script. File operations are not simply performed using classic commands like cp, rm, mv, etc. They are embedded in \u201chelper\u201d functions with a timestamp tracking\/restoration system so the malware can later hide filesystem changes. Here is an example with a function that will create a file:<\/p>\n Here are also two interesting function:<\/p>\n ts_is_marked() checks whether a file\/directory is already registered for timestamp restoration, preventing duplicate tracking and ensuring the script\u2019s anti-forensic timestamp manipulation works correctly. I asked ChatGPT to generate a graph that explains this technique:<\/p>\n Finally,\u00a0because it\u2019s fully based on Bash, the script will infect all UNIX flavors, MacOS included:<\/p>\n [1] https:\/\/www.gsocket.io<\/a> Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260219-1.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260319-2.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260319-3.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260319-4.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260319-5.png?ssl=1\")
<\/p>\n\nmk_file()\n{\n local fn\n local oldest\n local pdir\n local pdir_added\n fn=\"$1\"\n local exists\n\n # DEBUGF \"${CC}MK_FILE($fn)${CN}\"\n pdir=\"$(dirname \"$fn\")\"\n [[ -e \"$fn\" ]] && exists=1\n\n ts_is_marked \"$pdir\" || {\n # HERE: Parent not tracked\n _ts_add \"$pdir\" \"<NOT BY XMKDIR>\"\n pdir_added=1\n }\n\n ts_is_marked \"$fn\" || {\n # HERE: Not yet tracked\n _ts_get_ts \"$fn\"\n # Do not add creation fails.\n touch \"$fn\" 2>\/dev\/null || {\n # HERE: Permission denied\n [[ -n \"$pdir_added\" ]] && {\n # Remove pdir if it was added above\n # Bash <5.0 does not support arr[-1]\n # Quote (\") to silence shellcheck\n unset \"_ts_ts_a[${#_ts_ts_a[@]}-1]\"\n unset \"_ts_fn_a[${#_ts_fn_a[@]}-1]\"\n unset \"_ts_mkdir_fn_a[${#_ts_mkdir_fn_a[@]}-1]\"\n }\n return 69 # False\n }\n [[ -z $exists ]] && chmod 600 \"$fn\"\n _ts_ts_a+=(\"$_ts_ts\")\n _ts_fn_a+=(\"$fn\");\n _ts_mkdir_fn_a+=(\"<NOT BY XMKDIR>\")\n return\n }\n\n touch \"$fn\" 2>\/dev\/null || return\n [[ -z $exists ]] && chmod 600 \"$fn\"\n true\n}<\/pre>\n\n# Restore timestamp of files\nts_restore()\n{\n local fn\n local n\n local ts\n\n [[ ${#_ts_fn_a[@]} -ne ${#_ts_ts_a[@]} ]] && { echo >&2 \"Ooops\"; return; }\n\n n=0\n while :; do\n [[ $n -eq \"${#_ts_fn_a[@]}\" ]] && break\n ts=\"${_ts_ts_a[$n]}\"\n fn=\"${_ts_fn_a[$n]}\"\n # DEBUGF \"RESTORE-TS ${fn} ${ts}\"\n ((n++))\n\n _ts_fix \"$fn\" \"$ts\"\n done\n unset _ts_fn_a\n unset _ts_ts_a\n\n n=0\n while :; do\n [[ $n -eq \"${#_ts_systemd_ts_a[@]}\" ]] && break\n ts=\"${_ts_systemd_ts_a[$n]}\"\n fn=\"${_ts_systemd_fn_a[$n]}\"\n # DEBUGF \"RESTORE-LAST-TS ${fn} ${ts}\"\n ((n++))\n\n _ts_fix \"$fn\" \"$ts\" \"symlink\"\n done\n unset _ts_systemd_fn_a\n unset _ts_systemd_ts_a\n}\n\nts_is_marked()\n{\n local fn\n local a\n fn=\"$1\"\n\n for a in \"${_ts_fn_a[@]}\"; do\n [[ \"$a\" = \"$fn\" ]] && return 0 # True\n done\n\n return 1 # False\n}<\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/84b29eb7dcfbaa3f1e2d0d8004e1fdc7a23bf5c85f226e52611c22e5530be9de.png?ssl=1\")
<\/p>\n\n[[ -z \"$OSTYPE\" ]] && {\n local osname\n osname=\"$(uname -s)\"\n if [[ \"$osname\" == *FreeBSD* ]]; then\n OSTYPE=\"FreeBSD\"\n elif [[ \"$osname\" == *Darwin* ]]; then\n OSTYPE=\"darwin22.0\"\n elif [[ \"$osname\" == *OpenBSD* ]]; then\n OSTYPE=\"openbsd7.3\"\n elif [[ \"$osname\" == *Linux* ]]; then\n OSTYPE=\"linux-gnu\"\n fi\n}<\/pre>\n
\n[2]\u00a0https:\/\/www.virustotal.com\/gui\/file\/6ce69f0a0db6c5e1479d2b05fb361846957f5ad8170f5e43c7d66928a43f3286\/telemetry
\n\u200b\u200b\u200b\u200b\u200b\u200b\u200b<\/a>[3]\u00a0https:\/\/zone-xsec.com\/archive\/attacker\/%40bboscat<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n