Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) that were used to install the CHAOS remote access trojan (RAT) on Linux devices.

The packages were named "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin", and were uploaded by the same user, "danikpapas", on July 16. The packages were removed two days later by the Arch Linux team after being flagged as malicious by the community.

"On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR," warned the AUR maintainers. "Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT)."

[Image: One of the malicious AUR packages. Source: BleepingComputer]

The AUR is a repository where Arch Linux users can publish package build scripts (PKGBUILDs) that automate downloading, building, and installing software not included with the operating system. However, like many other package repositories, the AUR has no formal review process for new or updated packages, so it is the user's responsibility to review the code and installation scripts before building and installing a package.

Although all the packages have now been removed, BleepingComputer found archived copies of all three, indicating that the threat actor began submitting the packages at 18:46 UTC on July 16.

Each of the three packages contained a source entry in its PKGBUILD file named "patches" that pointed to a GitHub repository under the attacker's control: https://github.com/danikpapas/zenbrowser-patch.git. When the PKGBUILD is processed, this repository is cloned and treated as part of the package's patching and build process.
However, instead of containing a legitimate patch, the GitHub repository held malicious code that was executed during the build or installation phase. The repository has since been removed, and the .git data is no longer available for analysis.

A Reddit account also began replying to various Arch Linux threads on the platform today, promoting these packages on the AUR. The comments were posted by an account that appears to have been dormant for years and was likely compromised to spread the malicious packages.

Arch users on Reddit quickly found the comments suspicious, and one of them uploaded one of the components to VirusTotal, which detects it as the Linux malware CHAOS RAT.

CHAOS RAT is an open-source remote access trojan for Windows and Linux that can upload and download files, execute commands, and open a reverse shell, ultimately giving threat actors full access to an infected device. Once installed, the malware repeatedly connects back to a command and control (C2) server, where it waits for commands to execute. In this campaign, the C2 server was located at 130.162[.]225[.]47:8080.

The malware is commonly used in cryptocurrency mining campaigns but can also be used to harvest credentials, steal data, or conduct cyber espionage.

Due to the severity of the malware, anyone who has mistakenly installed these packages should immediately check for a suspicious "systemd-initd" executable running on their computer, which may be located in the /tmp folder. If found, it should be deleted.

The Arch Linux team removed all three packages by July 18th at around 6 PM UTC+2.

"We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised," warned the Arch Linux team.
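The two checks the article implies, reviewing a PKGBUILD's `source=()` array for VCS entries before running makepkg and looking for the "systemd-initd" artifact afterwards, as an added POSIX shell example that is not from the article or from Arch Linux. It assumes makepkg's `name::git+url` source syntax; the sample PKGBUILD below is constructed for illustration and only reuses the repository URL the article names.

```shell
#!/bin/sh
# Defender-side helpers (added example, not the article's or Arch's code).

# flag_remote_sources PKGBUILD
# Prints every entry of the source=() array (and source_arch=() variants)
# that fetches from a VCS (git+, hg+, svn+, bzr+) or a bare .git URL.
# Returns 1 if any such entry exists, 0 if the array is clean.
flag_remote_sources() {
    pkgbuild="$1"
    # Collect the array from "source...=(" up to the closing ")", then
    # strip the prefix/suffix, split on whitespace and drop the quotes.
    entries=$(awk '/^source[a-z0-9_]*=\(/ {inarr=1}
                   inarr {print}
                   inarr && /\)/ {inarr=0}' "$pkgbuild" \
        | sed -e 's/^source[a-z0-9_]*=(//' -e 's/).*$//' \
        | tr -s '[:space:]' '\n' \
        | sed -e "s/^['\"]//" -e "s/['\"]$//" \
        | grep -v '^$' || true)
    hits=$(printf '%s\n' "$entries" \
        | grep -E '(^|::)(git|hg|svn|bzr)\+|\.git$' || true)
    if [ -n "$hits" ]; then
        printf 'VCS source in %s:\n%s\n' "$pkgbuild" "$hits"
        return 1
    fi
    return 0
}

# check_host_ioc [TMPDIR]
# Looks for the artifact the article names: a "systemd-initd" file under
# /tmp (or the directory given) or a running process of that name.
# Returns 0 when nothing is found, 1 otherwise.
check_host_ioc() {
    tmpdir="${1:-/tmp}"
    found=0
    if [ -e "$tmpdir/systemd-initd" ]; then
        echo "found $tmpdir/systemd-initd"
        found=1
    fi
    if command -v pgrep >/dev/null 2>&1 && pgrep -x systemd-initd >/dev/null 2>&1; then
        echo "systemd-initd process is running"
        found=1
    fi
    return $found
}
```

A hit from `flag_remote_sources` is not proof of malice, since many legitimate AUR packages build from git; it marks the entries whose contents you must read before building.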