Malicious Packages Identified in the Arch Linux AUR

Three malicious packages, firefox-patch-bin, librewolf-fix-bin and zen-browser-patched-bin, were identified in the AUR (Arch User Repository), the repository Arch Linux uses for distributing third-party packages. They contained modified builds of the Firefox, LibreWolf and Zen browsers. The package names mimicked the legitimate firefox-bin, librewolf-bin and zen-browser-bin packages maintained by community members in the AUR.

The PKGBUILD files of the packages referenced patches downloaded from external GitHub repositories (zenbrowser-patch, youtube-viewbot). The patches altered the build process so that a Python script was run during installation to install the Chaos trojan.

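The defensive check this suggests is to read the source=() array of a PKGBUILD before running makepkg and to look at every download that does not come from the project's own release site. The script below is an added example and not code from the report or from the AUR; it extracts the array by plain text matching (the PKGBUILD is never sourced, so none of its code runs) and flags remote sources whose host differs from an expected upstream host. The PKGBUILD it inspects, the host download.example.org and the GitHub repository path in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original report): list the source=() entries
# of a PKGBUILD without executing it and flag downloads from unexpected hosts.

# Print every entry of the source=() array, one per line, by text extraction.
# Handles single-line and multi-line arrays; source_<arch>=() arrays are not
# covered by this simple version.
pkgbuild_sources() {
    awk '
        /^[[:space:]]*source=\(/ { inarr = 1; sub(/^[[:space:]]*source=\(/, "") }
        inarr {
            if (index($0, ")")) { sub(/\).*/, ""); inarr = 0 }
            sub(/(^|[[:space:]])#.*/, "")      # drop shell comments, keep URL #fragments
            for (i = 1; i <= NF; i++) print $i
        }' "$1" | tr -d "'\""
}

# $1 = PKGBUILD path, $2 = the one host downloads are expected to come from.
# Prints each remote source from any other host; returns 1 if any was flagged.
flag_foreign_sources() {
    pkgbuild="$1"; allowed="$2"; found=0
    for entry in $(pkgbuild_sources "$pkgbuild"); do
        url="${entry#*::}"               # drop the optional localname:: prefix
        case "$url" in
            *://*) ;;                    # remote download: inspect it
            *) continue ;;               # local file shipped with the package
        esac
        host="${url#*://}"; host="${host%%/*}"
        case "$host" in
            "$allowed") ;;
            *) printf '%s\n' "$url"; found=1 ;;
        esac
    done
    return $found
}

# Write a constructed PKGBUILD fragment (not a real AUR package) to a temp
# file and print its path, so the functions above can be exercised offline.
demo_pkgbuild() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Constructed PKGBUILD fragment for this example; not a real AUR package.
pkgname=example-browser-patched-bin
pkgver=1.0
source=("https://download.example.org/browser-${pkgver}.tar.xz"
        "fix.patch::https://github.com/someone/browser-patch/raw/main/fix.patch"
        "example-browser.desktop")
EOF
    printf '%s\n' "$tmp"
}

# Usage demonstration on the constructed PKGBUILD.
pb=$(demo_pkgbuild)
if flag_foreign_sources "$pb" download.example.org >/dev/null; then
    echo "all remote sources come from download.example.org"
else
    echo "review the flagged sources before running makepkg"
fi
rm -f "$pb"
```

Run it against a real PKGBUILD as `flag_foreign_sources ./PKGBUILD download.mozilla.org` (host name is yours to choose); a patch pulled from a personal GitHub repository, as in the packages described above, shows up in the output and deserves a look before the build runs.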
The trojan provided remote access to the system, allowed confidential files to be sent to an external server and allowed commands to be executed on the system, for example for cryptocurrency mining. The malicious executable was placed at /usr/local/share/systemd-initd and started through the custom-initd.service unit copied into the systemd directory. If root privileges were not available during installation, the trojan was placed in the user's home directory (~/.local/share/systemd-initd) instead.
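The paths named in the report are enough for a quick host check. The script below is an added example, not code from the report: it looks for the executable and the unit file at the system-wide and per-user locations, and additionally for any unit file under those directories that references a binary named systemd-initd. The report only says the service was copied to "the systemd directory"; /etc/systemd/system for the root case and ~/.config/systemd/user for the per-user case are assumptions, and the scratch tree the demo builds is constructed.

```shell
#!/bin/sh
# Added example (not part of the original report): look for the artifacts the
# report names. Unit file directories are assumptions, see the lead-in.

# $1 = root prefix ("" for the live system, or a mounted image root),
# $2 = home directory to check. Prints each artifact found;
# returns 1 if anything was found, 0 if the locations are clean.
check_systemd_initd_artifacts() {
    root="$1"; home="$2"; found=0
    for path in \
        "$root/usr/local/share/systemd-initd" \
        "$root/etc/systemd/system/custom-initd.service" \
        "$home/.local/share/systemd-initd" \
        "$home/.config/systemd/user/custom-initd.service"
    do
        if [ -e "$path" ]; then
            printf 'found: %s\n' "$path"
            found=1
        fi
    done
    # A unit renamed away from custom-initd.service would be missed above,
    # so also flag any unit in the assumed directories that runs systemd-initd.
    for dir in "$root/etc/systemd/system" "$home/.config/systemd/user"; do
        [ -d "$dir" ] || continue
        for unit in $(grep -ls 'systemd-initd' "$dir"/*.service 2>/dev/null || true); do
            printf 'unit references systemd-initd: %s\n' "$unit"
            found=1
        done
    done
    return $found
}

# Constructed demo: a scratch tree with one planted placeholder file at the
# per-user path, so the check can be shown without touching the real system.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/home/.local/share"
: > "$demo_tree/home/.local/share/systemd-initd"
if check_systemd_initd_artifacts "$demo_tree" "$demo_tree/home"; then
    echo "no artifacts found"
else
    echo "artifacts found: isolate the host and inspect the unit and binary"
fi
rm -rf "$demo_tree"
```

On a live system call it as `check_systemd_initd_artifacts "" "$HOME"`; for an image mounted at /mnt use `check_systemd_initd_artifacts /mnt /mnt/home/<user>`. A hit on the executable alone, with no unit file, still matters: the report describes the binary being dropped first and the unit copied afterwards.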

The malicious packages were uploaded to the AUR on July 16 at about 11 pm (MSK). After publication, spam promoting the packages was observed. For example, to encourage installation, the description of the Zen browser build claimed to fix critical stability and rendering problems and to eliminate memory leaks.

The packages were removed by the repository administrators on July 18 at 7 pm (MSK). Almost immediately afterwards, repository users drew attention to four more malicious packages: minecraft-cracked, ttf-ll-ms-fonts
