“Test files” associated with the XZ Utils backdoor have made their way into a Rust crate known as liblzma-sys, new findings from Phylum reveal.
liblzma-sys, which has been downloaded more than 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The affected version in question is 0.3.2.
“The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor,” Phylum noted in a GitHub issue raised on April 9, 2024.
“The test files themselves are not included in either the .tar.gz or .zip tags here on GitHub and are only present in liblzma-sys_0.3.2.crate installed from Crates.io.”
Following responsible disclosure, the files in question (“tests/files/bad-3-corrupt_lzma2.xz” and “tests/files/good-large_compressed.lzma”) have been removed from version 0.3.3 of liblzma-sys released on April 10. The older version of the crate was pulled from the registry.
“The malicious test files were committed upstream, but due to the lack of malicious build instructions in the upstream repository, they were never invoked or executed,” Snyk said in its own advisory.
The backdoor was found in a popular package that is integrated into many Linux distributions.
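As an added defender-side example (not code from the article or from the liblzma-sys project), the following Python script inspects a downloaded `.crate` archive for the two test-file paths named above and flags the affected package version; the crate it builds in memory is constructed placeholder data, not the real package.

```python
"""Check a Rust .crate archive (a gzipped tar) for the XZ backdoor test files
that shipped in liblzma-sys 0.3.2. Paths and version come from the advisory."""
import io
import re
import tarfile

# Test-file paths named by Phylum; they carried the hidden backdoor stages.
SUSPECT_PATHS = (
    "tests/files/bad-3-corrupt_lzma2.xz",
    "tests/files/good-large_compressed.lzma",
)
AFFECTED = {"liblzma-sys": {"0.3.2"}}  # version pulled from crates.io


def inspect_crate(data: bytes) -> dict:
    """Return package name, version and any suspect test files in the crate."""
    findings = {"name": None, "version": None, "suspect_files": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Crate members are rooted at "<name>-<version>/"; drop that prefix.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if rel == "Cargo.toml":
                toml = tar.extractfile(member).read().decode("utf-8", "replace")
                n = re.search(r'^name\s*=\s*"([^"]+)"', toml, re.M)
                v = re.search(r'^version\s*=\s*"([^"]+)"', toml, re.M)
                findings["name"] = n.group(1) if n else None
                findings["version"] = v.group(1) if v else None
            elif rel in SUSPECT_PATHS:
                findings["suspect_files"].append(rel)
    # Flag both the known-bad version and any crate still carrying the files.
    known_bad = findings["version"] in AFFECTED.get(findings["name"], set())
    findings["affected"] = known_bad or bool(findings["suspect_files"])
    return findings


def build_sample_crate(name: str, version: str, extra_files: tuple) -> bytes:
    """Construct a minimal .crate in memory (sample data, not a real crate)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        root = f"{name}-{version}"
        def add(path: str, body: bytes) -> None:
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        add("Cargo.toml", f'[package]\nname = "{name}"\nversion = "{version}"\n'.encode())
        for p in extra_files:
            add(p, b"placeholder bytes, not the real test file")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_crate(build_sample_crate("liblzma-sys", "0.3.2", SUSPECT_PATHS)))
```

To scan a real download, pass the bytes of `liblzma-sys_0.3.2.crate` (or any other crate from `~/.cargo/registry/cache`) to `inspect_crate`.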
The code commits, made by a now-suspended GitHub user named JiaT75 (aka Jia Tan), essentially allowed one to bypass authentication controls within SSH to execute code remotely, potentially allowing operators to take control of the system.
“The overall compromise lasted more than two years,” SentinelOne researchers Sarthak Misraa and Antonio Pirozzi said in an analysis published this week. “Under the pseudonym Jia Tan, the actor began contributing to the xz project on October 29, 2021.”
“Initially, the commits were innocuous and minor. However, the actor gradually became a more active contributor to the project, steadily gaining reputation and trust within the community.”
According to the Russian cybersecurity company Kaspersky, the Trojanized changes take the form of a multi-stage operation.
“The source code of the build infrastructure that generated the final packages was slightly modified (introducing an additional build-to-host.m4 file) to extract the next stage script that was hidden in a test case file (bad-3-corrupt_lzma2.xz),” it said.
“These scripts in turn extracted a malicious binary component from another test case file (good-large_compressed.lzma) which was linked into the legitimate library during the build process for shipping to the Linux repositories.”
The payload, a shell script, is responsible for extracting and executing the backdoor, which, in turn, hooks into specific functions – RSA_public_decrypt, EVP_PKEY_set1_RSA and RSA_get0_key – that will allow it to monitor every SSH connection to the infected machine.
The main goal of the backdoor inserted into liblzma is to manipulate Secure Shell Daemon (sshd) and monitor commands sent by an attacker at the start of an SSH session, effectively introducing a way to achieve remote code execution.
While the early discovery of the backdoor averted what could have been a widespread compromise of the Linux ecosystem, the development is once again a sign that maintainers of open source packages are being targeted by social engineering campaigns with the goal of staging attacks on the software supply chain.
In this case, it materialized in the form of a coordinated activity that allegedly involved several sockpuppet accounts orchestrating a pressure campaign aimed at forcing the project’s longtime maintainer to bring in a co-maintainer to add more features and fix bugs.
“The flurry of open source code contributions and associated pressure campaigns from previously unknown developer accounts suggest that a coordinated social engineering campaign using fake developer accounts was used to introduce malicious code into a widely used open source project,” ReversingLabs said.
SentinelOne researchers revealed that subtle code changes made by JiaT75 between versions 5.6.0 and 5.6.1 suggest that the changes were designed to improve the modularity of the backdoor and install more malware.
As of April 9, 2024, the source code repository associated with XZ Utils has been restored to GitHub, nearly two weeks after it was disabled for a violation of the company’s terms of service.
The attribution of the operation and its intended objectives are currently unknown, although, in light of the planning and sophistication behind it, the threat actor is suspected to be a state-sponsored entity.
“It is evident that this backdoor is very complex and uses sophisticated methods to evade detection,” Kaspersky said.