Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
Briefly

Phishing emails deliver RAR archives containing files whose filenames embed Base64-encoded Bash commands that execute when interpreted by the shell. The payload resides in the filename rather than file content or macros, exploiting shell command injection and Base64 decoding to trigger automatic execution during file listing or parsing. Inadequate filename sanitization in shell scripts, particularly use of eval or unsafely handled echo, enables arbitrary code execution. Antivirus engines often ignore filenames, allowing the technique to bypass traditional defenses. The chain culminates in a Base64-encoded downloader that retrieves the VShell open-source backdoor from an external server and installs it on Linux hosts.
"Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger." The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly seen in shell scripts: file names are evaluated without adequate sanitization, so a trivial command such as eval or echo ends up executing arbitrary code.
The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: "ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`". Specifically, the file name incorporates Bash-compatible code that's engineered to execute commands when it's interpreted by the shell. It's worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.
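As an added example (not from the article or the research it summarizes), the POSIX shell functions below flag an archive entry name that carries the command-substitution pattern described above and show how a script can handle untrusted names purely as data; the Base64 placeholder in the sample name is constructed, not a real payload.

```shell
#!/bin/sh
# Added defensive example. A filename containing backticks, $( ), or
# brace-expansion groups piped into base64/bash is inert as bytes on disk;
# it only runs if a script feeds the name to eval or an unquoted echo.

# Returns 0 (suspicious) when the name contains shell command-substitution or
# expansion metacharacters that have no place in a document filename.
suspicious_filename() {
  name=$1
  case "$name" in
    *'`'*|*'$('*|*'${'*|*'{'*','*'}'*|*'|'*|*';'*|*'&'*) return 0 ;;
  esac
  return 1
}

# Safe handling of untrusted archive entry names: keep each name in a quoted
# variable, print it with printf '%s' (never eval, never unquoted echo),
# and quarantine anything that matches the injection pattern.
safe_list() {
  for f in "$@"; do
    if suspicious_filename "$f"; then
      printf 'QUARANTINE: %s\n' "$f"
    else
      printf 'ok: %s\n' "$f"
    fi
  done
}
```

Run the functions over the entry list produced by an archive lister (e.g. the output of unrar's list mode) before any other script touches the names.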
Read at The Hacker News