
Showboat is a modular post-exploitation framework for Linux systems, used in a campaign that has targeted a telecommunications provider in the Middle East since at least mid-2022. Lumen Technologies' Black Lotus Labs assesses that it has been employed by at least one, and possibly more, threat activity clusters affiliated with China, with command-and-control (C2) nodes correlating to IP addresses geolocated to Chengdu. The malware can spawn a remote shell, transfer files, and operate as a SOCKS5 proxy. It contacts its C2 servers, gathers system information, and transmits it back as an encrypted, Base64-encoded string carried in a PNG field. It also supports uploading and downloading files to and from the host, concealing itself from the process list, and managing its C2 servers. To hide itself on the host it retrieves a code snippet hosted on Pastebin (a paste created on January 11, 2022). Finally, it can scan for other devices and connect to them through the SOCKS5 proxy, which indicates it is used to establish a foothold and expand access from the compromised host.
"Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen Technologies Black Lotus Labs said in a report shared with The Hacker News.
"It's assessed that the malware has been employed by at least one, and possibly more, threat activity clusters affiliated with China, with correlations identified between command-and-control (C2) nodes and IP addresses geolocated to Chengdu, the capital city of the Chinese province of Sichuan."
"The malware is designed to contact a C2 server, gather system information, and transmit the information back to the server in a PNG field as an encrypted and Base64-encoded string. It's also equipped to upload and download files to and from the host machine, conceal its presence from the process list, and manage C2 servers."
"To hide itself on the host machine, Showboat retrieves a code snippet hosted on Pastebin. The paste was created on January 11, 2022. Furthermore, the malware can scan for other devices and connect to them via the SOCKS5 proxy. This suggests that the primary purpose of Showboat is to establish a foothold on compr"
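The report says the beacon goes back "in a PNG field as an encrypted and Base64-encoded string" but does not name the field. The following is an added example for defenders, not code from the report, from Black Lotus Labs, or from the malware: a small PNG chunk walker that verifies each chunk's CRC and flags tEXt chunks whose value is a long run of Base64 characters, run against a constructed 1x1 PNG. The chunk keyword "Comment", the 64-character threshold, and the sample payload are assumptions made for the example; zTXt and iTXt chunks would need decompression or UTF-8 handling first and are left out.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A value made only of Base64 alphabet characters, with optional '=' padding.
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(blob: bytes):
    """Yield (type, data, crc_ok) for every chunk; raise on a malformed or truncated file."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    off = len(PNG_SIGNATURE)
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        ctype = blob[off + 4:off + 8]
        end = off + 8 + length
        if end + 4 > len(blob):
            raise ValueError("truncated chunk body")
        data = blob[off + 8:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        yield ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        off = end + 4


def _decodes_as_base64(value: bytes) -> bool:
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def suspicious_text_chunks(blob: bytes, min_len: int = 64) -> list:
    """Flag tEXt chunks whose value is a Base64 run of at least min_len characters.

    The threshold is an assumption. Legitimate files also carry long tEXt values
    (XMP, ICC descriptions), so a hit is a triage signal rather than a verdict.
    """
    findings = []
    for ctype, data, crc_ok in iter_chunks(blob):
        if ctype != b"tEXt" or b"\x00" not in data:
            continue
        keyword, value = data.split(b"\x00", 1)  # tEXt layout: keyword NUL text
        if len(value) >= min_len and BASE64_RE.match(value):
            findings.append({
                "keyword": keyword.decode("latin-1"),
                "length": len(value),
                "crc_ok": crc_ok,
                "base64_decodes": _decodes_as_base64(value),
            })
    return findings


def build_sample_png(comment_value: bytes) -> bytes:
    """Constructed 1x1 RGB PNG carrying a 'Comment' tEXt chunk (sample input, not a capture)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, bit depth 8, colour type RGB
    scanline = b"\x00" + b"\x00\x00\x00"                  # filter byte + one black pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Software\x00example-writer")
            + png_chunk(b"tEXt", b"Comment\x00" + comment_value)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


# Stand-in for the encrypted beacon: 60 arbitrary bytes -> 80 Base64 characters (assumed).
CONSTRUCTED_PAYLOAD = base64.b64encode(bytes(range(60)))
SAMPLE_PNG = build_sample_png(CONSTRUCTED_PAYLOAD)

if __name__ == "__main__":
    for hit in suspicious_text_chunks(SAMPLE_PNG):
        print(hit)
```

The CRC check matters in practice: a tool that rewrites a text chunk in place without recomputing the CRC leaves a telltale mismatch, while a well-built implant will produce valid chunks, so a `crc_ok` of `False` is a separate, weaker signal from the Base64 hit itself.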
Read at The Hacker News