⚠️ THREAT ALERT: Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
The campaign leverages a modified variant of the Showboat Linux malware, which establishes persistence through a systemd unit file dropped at /etc/systemd/system/sshd-monitor.service. The service is configured to execute a Bash wrapper that downloads a gzipped ELF payload from a compromised CDN using wget with the "--no-check-certificate" flag, thereby bypassing certificate pinning. Once staged, the ELF binary spawns a SOCKS5 proxy listener on port 1080 bound to 127.0.0.1, while concurrently opening a reverse TCP tunnel to a C2 server located in the Gulf region (IP 185.70.84.12, port 443). The proxy functionality is implemented with the libssh2-based "ssh2_forward_tcpip" mechanism, which lets the attackers pivot through the victim's network and exfiltrate data under the guise of legitimate SSH traffic, evading network-based intrusion detection systems that whitelist port 22.
The initial infection vector appears to be a supply-chain compromise of a widely used open-source networking daemon (libnet-switch v2.3.1), in which the attacker injected a malicious init script that modifies the daemon's post-install hook. This modification exploits CVE-2024-21584, an out-of-bounds write in libnet-switch's configuration parser that allows arbitrary command execution as root. Additionally, the payload exploits CVE-2024-29112, a use-after-free vulnerability in the Linux kernel's netfilter subsystem (nf_tables), to gain kernel-mode privileges, which it uses to bind the SOCKS5 listener to privileged ports and to disable SELinux enforcement. Together, these two CVEs give the malware both persistence and elevated network control without triggering standard integrity checks.
Mitigation should begin with immediate removal of the compromised libnet-switch package and replacement with version 2.3.2 or later, which patches CVE-2024-21584 and hardens the init script handling. Administrators must audit all systemd unit files for unauthorized services, especially those whose Exec directives reference remote download URLs, and enforce "systemd-sandbox" policies to restrict the network access of newly created services. Kernel patches for CVE-2024-29112 should be applied, and host-based intrusion detection rules updated to flag inbound connections to localhost on non-standard SOCKS5 ports (e.g., 1080) originating from processes lacking legitimate SSH credentials. Enabling SELinux enforcing mode and employing eBPF-based runtime monitoring of netfilter table modifications can further detect and block the proxy's kernel-level hooks. A full forensic review of SSH logs and netstat output is recommended to identify any persisted reverse tunnels or lateral movement within the telecom's internal segments.