1. Overview
BlueShell is backdoor malware written in the Go language.
A simple form of backdoor, BlueShell uses TLS-encrypted communication with its C&C server to evade network detection and executes the attacker's commands (remote command execution, file download/upload, Socks5 proxy).
Source: GitHub https://github.com/restran/BlueShell
2. Attack Process
BlueShell carries three configuration values: the IP address and port number of the C&C server and a latency (delay) value. It accepts four commands from the C2 server ("shell", "upload", "download", and "socks") and performs the action that corresponds to each command.
2-1 Shell Command
- If the command received from the C2 server is "shell", the GetInteractiveShell method of the user-defined shell package is called.
- It redirects the standard input and output of the cmd process to the network connection currently open to the C2 server, and then executes cmd.
- This allows the attacker to execute cmd commands remotely.
2-2 Upload Command
- If the command received from the C2 server is "upload", the UploadFile method of the user-defined shell package is called.
- When UploadFile is called, the victim server creates a file at the path specified by the attacker and writes the data received over the network into it.
- The attacker uses this command to place a file at a chosen path on the victim server.
2-3 Download Command
- If the command received from the C2 server is "download", the DownloadFile method of the user-defined shell package is called.
- When DownloadFile is called, the victim server reads the file specified by the attacker and sends its contents to the C2 server.
- This allows the attacker to retrieve a chosen file from the victim server.
2-4 Socks Command
- If the command received from the C2 server is "socks", the RunSocks5Proxy method of the user-defined shell package is called.
- When RunSocks5Proxy is called, it starts a Socks5 proxy server that authenticates with the credentials (username:password) received from the C2 server.
- The attacker can then route traffic through the proxy running on the victim PC.
3. Countermeasures
Backdoor malware requires the process of planting the malware, which requires preliminary actions such as uploading files,
Signature-based detection of this malware is difficult because a compiled binary offers little that can be expressed reliably as a detection pattern.
We are continuously monitoring for cases similar to BlueShell.
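One practical triage check that follows from the write-up above, as an added example (not code from the BlueShell project or from this write-up): unobfuscated Go builds keep package-qualified function names in the binary, so the four shell-package symbols named in section 2 can be searched for in a suspect file. The sample image, the two-match threshold and the ScanFile helper are assumptions; an obfuscator that renames symbols would defeat this check.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
)

// Package-qualified symbol names that section 2 attributes to BlueShell's
// user-defined "shell" package. A Go build that has not been run through a
// symbol-renaming obfuscator retains these names in its function table.
var blueShellSymbols = []string{
	"shell.GetInteractiveShell",
	"shell.UploadFile",
	"shell.DownloadFile",
	"shell.RunSocks5Proxy",
}

// Finding lists which of the known symbols were present in a binary image.
type Finding struct {
	Matched []string
}

// Suspicious requires at least two of the four symbols (assumed threshold),
// since a single generic name such as shell.UploadFile may occur in benign code.
func (f Finding) Suspicious() bool { return len(f.Matched) >= 2 }

// ScanImage performs a plain substring search over the raw file bytes.
func ScanImage(img []byte) Finding {
	var f Finding
	for _, s := range blueShellSymbols {
		if bytes.Contains(img, []byte(s)) {
			f.Matched = append(f.Matched, s)
		}
	}
	return f
}

// ScanFile reads a file from disk and scans it (hypothetical helper for CLI use).
func ScanFile(path string) (Finding, error) {
	img, err := os.ReadFile(path)
	if err != nil {
		return Finding{}, err
	}
	return ScanImage(img), nil
}

// Constructed sample image: filler bytes with the symbol names embedded, standing
// in for the function table of an unstripped Go binary.
var sampleImage = []byte("\x00ELF...main.main\x00shell.GetInteractiveShell\x00" +
	"shell.UploadFile\x00shell.DownloadFile\x00shell.RunSocks5Proxy\x00runtime.main")

func main() {
	f := ScanImage(sampleImage)
	fmt.Printf("matched=%v suspicious=%v\n", f.Matched, f.Suspicious())
}
```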
4. Conclusion
BlueShell is backdoor malware that receives commands from an attacker on an infected system and performs functions such as executing commands, downloading/uploading files, and running a Socks5 proxy.
Because it is written in Go, it can target not only Windows but also Linux environments. It is also open-sourced on GitHub and is being used by various attackers in their attacks.
To prevent such security threats, you should scan your environment for vulnerable configurations and always update related systems to the latest version. You should also keep your firewall and security software up to date so that malware infections are blocked in advance.