SOC Prime Bias: Critical

05 Feb 2026 19:59

ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized Hackshell

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

ShadowHS is a fileless Linux post-exploitation framework that runs a weaponized hackshell fully in memory. A small loader decrypts an AES-256-CBC payload, rebuilds it through anonymous file descriptors, and executes it without touching disk. Once running, it offers an interactive shell plus modules for credential theft, lateral movement, cryptomining, and quiet exfiltration. The design prioritizes stealth, operator control, and durable persistence across diverse Linux estates.

Investigation

Cyble analysts broke down the staged loader, recovered an encrypted shell script, mapped a Perl-based decryption chain, and confirmed execution through /proc/*/fd/ paths. They documented broad EDR/AV checks, anti-competition logic, and on-demand modules for SSH brute forcing, kernel exploitation, and GPU mining, with repeatable results in testing. The report also lists hard-coded C2 endpoints and an rsync-over-GSocket exfiltration method.

Mitigation

Watch for ELF execution from /proc/*/fd/, odd OpenSSL/Perl decrypt chains, and argv spoofing artifacts. Gain visibility into deleted or memfd-backed binaries, memory-dump tooling, and nonstandard rsync transports. Block known mining pools and restrict GSocket tunnels to curb abuse. Alert on suspicious memfd_create usage at scale.

Response

If detected, isolate the host, capture memory for investigation, terminate the in-memory framework and any mining wrappers, and block the referenced C2 IPs/domains. Inventory exposed credentials, rotate keys and passwords, and harden the system. Track lateral-movement attempts and scanning activity, including rustscan and spirit usage, to scope spread and prevent reinfection.

Attack Flow

We are still updating this part.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An attacker who has already gained a foothold on the compromised Linux host wishes to (1) decrypt a previously exfiltrated data blob using OpenSSL without a salt to avoid the extra entropy check, and (2) enumerate all running executables via /proc/*/exe to discover privileged processes that may contain credentials or to identify security tools for later disabling. The attacker runs the following commands in a Bash session:

    1. OpenSSL Decryption (AES‑256‑CBC, no‑salt) – reproduces the exact string the Sigma rule watches:

      openssl enc -d -aes-256-cbc -nosalt -in /tmp/stolen.enc -out /tmp/secret.txt
    2. Proc‑exe Enumeration – loops over all numeric PID directories, printing the target of the exe symlink (stderr is silenced because kernel threads and other users' PIDs have no readable exe link):

      for pid in /proc/[0-9]*; do
          readlink "$pid/exe" 2>/dev/null
      done

    These actions generate two distinct process‑creation events that satisfy the rule’s aes and proc_enum conditions.

  • Regression Test Script:

    #!/usr/bin/env bash
    set -euo pipefail
    
    # ==== 1. OpenSSL decryption (AES-256-CBC, no-salt) ====
    # Create a dummy encrypted file for the test. It must be encrypted with -nosalt as well:
    # a salted ciphertext cannot be decrypted with -nosalt, and set -e would abort the script
    # before the second stage runs.
    echo "SensitiveData123" > /tmp/plain.txt
    openssl enc -aes-256-cbc -nosalt -in /tmp/plain.txt -out /tmp/stolen.enc -pass pass:TestPass
    
    # Decrypt using the exact detection pattern
    openssl enc -d -aes-256-cbc -nosalt -in /tmp/stolen.enc -out /tmp/secret.txt -pass pass:TestPass
    
    # ==== 2. Enumerate /proc/*/exe symlinks ====
    # readlink fails on kernel threads and on PIDs owned by other users; ignore those
    # so set -e does not stop the loop before the telemetry is generated.
    for pid in /proc/[0-9]*; do
        readlink "$pid/exe" 2>/dev/null || true
    done
    
    echo "Simulation complete. Check SIEM for alerts."
  • Cleanup Commands:

    #!/usr/bin/env bash
    set -euo pipefail
    
    rm -f /tmp/plain.txt /tmp/stolen.enc /tmp/secret.txt
    echo "Cleanup finished."
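To show what the detection side of this simulation has to match, here is a small detector for the two rule conditions named above (aes and proc_enum) plus the /proc/*/fd/ and memfd execution check from the Mitigation section, run over constructed process-creation events. This is an added illustration, not SOC Prime's Sigma rule or Cyble's code; the "pid=… exe=… cmd=…" event format and the proc_enum threshold of two processes are assumptions.

```python
import re

# Constructed sample process-creation events (not taken from the Cyble report or the
# SOC Prime rule), one per line: "pid=<n> exe=<path> cmd=<command line>".
SAMPLE_EVENTS = [
    "pid=4711 exe=/usr/bin/openssl cmd=openssl enc -d -aes-256-cbc -nosalt -in /tmp/stolen.enc -out /tmp/secret.txt -pass pass:TestPass",
    "pid=4712 exe=/usr/bin/readlink cmd=readlink /proc/1234/exe",
    "pid=4713 exe=/usr/bin/readlink cmd=readlink /proc/1235/exe",
    "pid=4714 exe=/memfd:payload (deleted) cmd=/proc/4713/fd/3",
    "pid=4715 exe=/usr/bin/openssl cmd=openssl enc -d -aes-256-cbc -pbkdf2 -in backup.enc -out backup.tar",
]

EVENT_RE = re.compile(r"^pid=(?P<pid>\d+) exe=(?P<exe>\S+(?: \(deleted\))?) cmd=(?P<cmd>.*)$")
# "aes" condition: OpenSSL decryption with AES-256-CBC and no salt, flags in any order.
AES_NOSALT_RE = re.compile(r"\bopenssl\s+enc\b(?=.*\s-d\b)(?=.*\s-aes-256-cbc\b)(?=.*\s-nosalt\b)")
# "proc_enum" condition: a command that resolves /proc/<pid>/exe (literal pid or a glob).
PROC_EXE_RE = re.compile(r"/proc/(?:\d+|\*|\[0-9\]\*)/exe\b")
# Mitigation-section check: image or argv rooted in /proc/<pid>/fd/<n> or a memfd.
FD_EXEC_RE = re.compile(r"(?:^|\s)/proc/\d+/fd/\d+\b|memfd:")

def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"pid": int(m["pid"]), "exe": m["exe"], "cmd": m["cmd"]}

def tag_event(ev):
    tags = set()
    if AES_NOSALT_RE.search(ev["cmd"]):
        tags.add("aes")
    if PROC_EXE_RE.search(ev["cmd"]):
        tags.add("proc_enum")
    if FD_EXEC_RE.search(ev["exe"]) or FD_EXEC_RE.search(ev["cmd"]):
        tags.add("fd_exec")
    return tags

def detect(lines, proc_enum_min=2):
    # Returns {tag: [pids]}. proc_enum only fires once proc_enum_min distinct processes
    # resolve /proc/*/exe, so a lone "readlink /proc/1/exe" by an admin does not alert.
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for tag in tag_event(ev):
            hits.setdefault(tag, []).append(ev["pid"])
    if len(hits.get("proc_enum", [])) < proc_enum_min:
        hits.pop("proc_enum", None)
    return hits
```

Calling detect(SAMPLE_EVENTS) tags 4711 as aes, 4712 and 4713 together as proc_enum, and 4714 as fd_exec, while the salted, PBKDF2-based decrypt in 4715 stays quiet.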