    Popular Rust Crate liblzma-sys attacked by XZ Utils backdoor archive

By techempire

    New findings from Phylum show that “test files” related to the XZ Utils backdoor have found their way into a Rust crate called liblzma-sys.

    liblzma-sys, which has been downloaded more than 21,000 times to date, provides Rust developers with bindings for the liblzma implementation, a low-level library that is part of the XZ Utils data compression software. The affected version is 0.3.2.

    “The current release (v0.3.2) on Crates.io contains XZ test files containing a backdoor,” Phylum noted in a GitHub issue posted on April 9, 2024.

    “The test archive itself is not included in the .tar.gz and .zip tags on GitHub, only in the liblzma-sys_0.3.2.crate installed from Crates.io.”

After responsible disclosure, the relevant files (“tests/files/bad-3-corrupt_lzma2.xz” and “tests/files/good-large_compressed.lzma”) were deleted from liblzma-sys version 0.3.3, released on April 10. The previous version of the crate has been removed from the registry.

    “The malicious test files were submitted upstream, but because the malicious build instructions did not exist in the upstream repository, they were never called or executed,” Snyk said in an advisory of its own.
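The Phylum finding above rests on one observable: the published .crate shipped two test files that the GitHub tag archive did not. The following added example (not code from Phylum, Snyk or the liblzma-sys project) diffs the member lists of a registry crate and its source-tag tarball and flags the two paths named in the report; both archives are constructed in memory so it runs offline.

```python
# Added example, not the project's code: list files a published .crate ships that
# the matching source-tag archive does not, and flag the paths from the Phylum report.
import io
import tarfile

KNOWN_BAD_MEMBERS = {
    "tests/files/bad-3-corrupt_lzma2.xz",
    "tests/files/good-large_compressed.lzma",
}


def member_paths(archive_bytes: bytes) -> set:
    """File paths inside a tar.gz, minus the leading '<name>-<version>/' dir
    that both cargo and GitHub tag archives prepend."""
    paths = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                paths.add(member.name.partition("/")[2])
    return paths


def crate_only_files(crate_bytes: bytes, tag_bytes: bytes) -> set:
    """Files present in the registry crate but absent from the tagged source."""
    return member_paths(crate_bytes) - member_paths(tag_bytes)


def flag_known_bad(paths: set) -> set:
    """Subset of paths matching the test files removed in liblzma-sys 0.3.3."""
    return paths & KNOWN_BAD_MEMBERS


def build_tgz(top: str, files: dict) -> bytes:
    """Build a small tar.gz in memory (constructed sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins: the crate carries the two test files, the tag does not.
SOURCE_FILES = {"Cargo.toml": b"[package]\n", "build.rs": b"fn main() {}\n"}
TAG_TGZ = build_tgz("liblzma-sys-0.3.2", SOURCE_FILES)
CRATE_TGZ = build_tgz("liblzma-sys-0.3.2", {
    **SOURCE_FILES,
    "tests/files/bad-3-corrupt_lzma2.xz": b"\xfd7zXZ\x00 constructed",
    "tests/files/good-large_compressed.lzma": b"constructed",
})
```

Against a real crate, feed `crate_only_files` the bytes of `<name>-<version>.crate` from the registry and the tag tarball from the repository; any non-empty result deserves review, whether or not it matches a known-bad name.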

The backdoor in XZ Utils was discovered in late March, when Microsoft engineer Andres Freund found malicious commits to the command-line utility affecting versions 5.6.0 and 5.6.1, released in February and March 2024, respectively. This popular software package has been integrated into many Linux distributions.

    The code, submitted by now-suspended GitHub user JiaT75, also known as Jia Tan, essentially makes it possible to bypass authentication controls within SSH to remotely execute code, potentially allowing an operator to take over the system.

“The entire compromise lasted for more than two years,” SentinelOne researchers Sarthak Misraa and Antonio Pirozzi said in an analysis published this week. “The actor, who goes by the alias Jia Tan, started contributing to the xz project on October 29, 2021.”

“Initially, these commits were harmless and minor. However, the actor gradually became a more active contributor to the project, steadily gaining reputation and trust in the community.”

    According to Russian cybersecurity firm Kaspersky, the Trojan changes take the form of a multi-stage operation.

“The source code of the build infrastructure that produced the final package was slightly modified (by introducing the additional file build-to-host.m4) to extract the next-stage script hidden in the test case file (bad-3-corrupt_lzma2.xz),” it said.

    “These scripts in turn extracted the malicious binary component from another test case file (good-large_compressed.lzma), which was linked with legitimate libraries during compilation and then sent to the Linux repository.”

The payload is a shell script that extracts and executes the backdoor, which in turn hooks specific functions (RSA_public_decrypt, EVP_PKEY_set1_RSA and RSA_get0_key), allowing it to monitor every SSH connection to the infected machine.

    The main goal of the backdoor in liblzma is to manipulate the Secure Shell Daemon (sshd) and monitor the commands sent by the attacker at the beginning of an SSH session, effectively introducing a method to achieve remote code execution.


    While the early discovery of the backdoor averted potentially widespread harm to the Linux ecosystem, this development is yet another sign that open source software package maintainers are being targeted by social engineering campaigns aimed at launching software supply chain attacks.

In this case, it materialized as a coordinated campaign, possibly involving several sock puppet accounts orchestrating a pressure campaign designed to push the project's long-term maintainer into bringing on a co-maintainer to add more features and fix problems.

    “A series of open source code contributions and related pressure activity from previously unknown developer accounts suggests that coordinated social engineering campaigns using fake developer accounts are being used to infiltrate malicious code into widely used open source projects,” ReversingLabs said.

    SentinelOne researchers revealed that subtle code changes made by JiaT75 between versions 5.6.0 and 5.6.1 indicate that these modifications were designed to enhance the modularity of the backdoor and implant more malware.

    As of April 9, 2024, the source code repository related to XZ Utils has been restored on GitHub, after being disabled for nearly two weeks for violating the company’s terms of service.

    The attribution and intended targets of the operation are currently unclear, but given the planning and sophistication behind it, the threat actor is suspected to be a state-sponsored entity.

    “It is clear that this backdoor is very sophisticated and uses sophisticated methods to evade detection,” Kaspersky said.
