Linux Systems Face Attack from the 'Sindoor Dropper' Malware, Employing .desktop Files for Infection
A new malware threat targeting Linux systems in a sophisticated and stealthy manner has emerged in Asia. Dubbed the Sindoor Dropper, it has raised concern among cybersecurity experts because of its intricate design and its potential for network infiltration.
The Sindoor Dropper initially masquerades as a standard PDF document, named "Note_Warfare_Ops_Sindoor.pdf.desktop". Upon download, it uses a combination of Base64 encoding and DES-CBC encryption for obfuscation, making it difficult for antivirus software to detect.
The campaign leverages lures themed around the recent India-Pakistan conflict, Operation Sindoor, to increase the likelihood of compromising sensitive networks. The initial payload of the infection process had zero detections on VirusTotal at the time of its discovery, underscoring its stealthy nature.
The Sindoor Dropper's multi-stage process has each component decrypt and run the next. The launcher downloads several components, including an AES decryptor and an encrypted downloader. The AES decryptor is a Go binary packed with UPX and intentionally corrupted by stripping its ELF magic bytes.
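As an added defender-side example (not from the article or from Nextron), here is a small Python triage script that applies the two observations above: a .desktop launcher named like a document whose Exec line decodes Base64 and decrypts DES-CBC inline, and a packed binary whose ELF magic has been stripped. The sample launcher and the byte strings are constructed, and the heuristics (the regexes, the 4 KiB search for the UPX marker) are assumptions of mine rather than published indicators.

```python
import re

# Constructed sample .desktop lure modelled on the behaviour described above
# (placeholders stand in for any payload or key; this is not a real sample).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Note_Warfare_Ops_Sindoor.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "echo <B64_PLACEHOLDER> | base64 -d | openssl enc -d -des-cbc -k <KEY_PLACEHOLDER> | bash"
"""

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
ELF_MAGIC = b"\x7fELF"

def parse_desktop(text):
    """Return the key=value pairs of the [Desktop Entry] group as a dict."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def triage_desktop(filename, text):
    """Return the list of heuristics that fire for one .desktop launcher."""
    entry = parse_desktop(text)
    cmd = entry.get("Exec", "").lower()
    findings = []
    name = filename.lower()
    if name.endswith(".desktop") and name[:-len(".desktop")].endswith(DOC_EXTS):
        findings.append("double extension: launcher named like a document")
    if re.search(r"\b(ba)?sh\s+-c\b", cmd):
        findings.append("Exec runs an inline shell command")
    if re.search(r"\bbase64\b", cmd):
        findings.append("Exec decodes Base64 inline")
    if re.search(r"\bdes(-ede3?)?-cbc\b", cmd):
        findings.append("Exec references DES-CBC decryption")
    if re.search(r"\|\s*(ba)?sh\b", cmd):
        findings.append("Exec pipes decoded content into a shell")
    return findings

def stripped_elf_indicator(head):
    """Heuristic for the corrupted decryptor: no ELF magic at offset 0, yet a
    UPX marker in the first 4 KiB (UPX writes 'UPX!' into its packed header)."""
    return not head.startswith(ELF_MAGIC) and b"UPX!" in head[:4096]
```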
The malware's techniques and components resemble those previously associated with the advanced persistent threat (APT) group APT36, hinting at a possible connection.
Once executed, the malware opens a benign decoy PDF while initiating a complex, heavily obfuscated infection process in the background. The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool.
Through MeshAgent, the attacker gains full remote access to the compromised system, allowing them to monitor user activity, move laterally across the network, and exfiltrate sensitive data. MeshAgent connects to a command-and-control (C2) server hosted on an Amazon Web Services (AWS) EC2 instance with the specific address .
Nextron, a cybersecurity firm, has stated that the Sindoor Dropper campaign demonstrates a focus on Linux environments by threat actors. This development underscores the need for increased vigilance and robust security measures in Linux environments, traditionally considered less vulnerable than their Windows counterparts.
The Sindoor Dropper campaign uses sophisticated spear-phishing techniques, highlighting the importance of user education and awareness in the face of such threats. As the digital battlefield continues to evolve, it is crucial for organisations and individuals alike to stay informed and proactive in safeguarding their digital assets.