Analysis of bash-stage obfuscation used to hide the liblzma/xz backdoor
Analysis of bash-stage obfuscation used to hide the liblzma/xz backdoor
gynvael.coldwind.pl /
payload appears to have been hidden in test data then decrypted and injected during the build process.
2
comments
Okay - so it was cleverly hidden. Real question is what the binary blob does, so we can properly assess the damage...
Preliminary stuff I read yesterday suggests that it’s RCE triggered by a signal sent to SSHD. Safest bet is to nuke your system if you had the exploitable library running with an exposed sshd.