Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting
The persistence is ensured by copying a script similarly named as the current filename to the /usr/lib/systemd/system/ directory, and creating a symlink to this file in the /etc/ystem/system/multi-user.target.wants/ directory. Thus, this method only works if the current process has root privileges. The content of the script is: [Unit]Description=xxx[Service]Type=forkingExecStart=<path to current file> -xExecStop=/usr/bin/id[Install]WantedBy=multi-user.target After running the code dependent on the parameters, if the operator has not chosen a GUID with the “-f” parameter, the malware generates…
Read More