
A recently discovered Linux backdoor (SHA256: ea41b2bf1064efcb6196bb79b40c5158fc339a36a3d3ddee68c822d797895b4e) employs advanced evasion techniques to bypass detection while establishing persistent access via SOCKS5 proxies and in-memory payload execution. This analysis breaks down its operational workflow, infrastructure dependencies, and connections to ancillary tools like the NHAS reverse SSH client.

Infection chain and evasion mechanisms

The malware uses a multi-stage process to avoid detection:

Process Name Spoofing:

  • Forks itself using kworker/0:0 as the process name to mimic a kernel worker thread.

    if (fork() == 0) {
        prctl(PR_SET_NAME, "kworker/0:0");             /* rename the child's comm to look like a kernel thread */
        setenv("_PROXY_SERVICE_CHILD", "1", 1);        /* mark the child role for the re-exec'd copy */
        execl("/proc/self/exe", "kworker/0:0", NULL);  /* re-exec itself with a kernel-thread-style argv[0] */
    }

    This complicates process-tree-based detection strategies.

Dynamic Local Proxy Setup:

  • Generates a random port (stored in the BUILD_VER environment variable) to bind a local SOCKS5 proxy.
  • Establishes a tunnel to an external proxy (43.159.18[.]135:2333) using credentials tied to ipidea[.]net, a Chinese residential proxy service.

Payload Execution:

  • Receives encrypted payloads via the proxy and executes them in memory using execveat, avoiding disk writes:

    memfd = memfd_create("", 1);                 /* anonymous in-memory file; flag 1 is MFD_CLOEXEC */
    write(memfd, payload, payload_size);         /* stage the received payload in RAM only */
    lseek(memfd, 0, SEEK_SET);
    execveat(0, "", (char *[]){NULL}, (char *[]){NULL}, AT_EMPTY_PATH);  /* execute by descriptor with an empty path */

Infrastructure analysis

Proxy Layer:
  The attacker uses ipidea[.]net residential proxies (username: ipideatj10011_2952-zone-custom-region-HK-session-<RANDOM>-sessTime-60, password: ipideatj10011_2952Aa1024) to mask traffic to the C2 server 119.42.148[.]187:2443. This infrastructure is hosted in Hong Kong (Tencent ASN AS132203).

NHAS Reverse SSH Component:
  A complementary Golang-based reverse SSH client (28096799c02d198149a7de0e7d6001554fc0c0907a4cfff5fcfa29f8cd93a4c3) connects to the same C2, enabling SSH-based persistence. The tool mimics legitimate SSH traffic, making network-level detection challenging.

Defense considerations

1. Detection strategies:
   • Monitor for processes with inconsistent names (e.g., kworker/0:0 without parent kernel threads).
   • Flag memfd_create/execveat usage in non-containerized environments.
   • Inspect outbound connections to residential proxy services, especially ipidea[.]net.
2. MITRE ATT&CK mapping:
   • T1036.003: Masquerading (Process Spoofing)
   • T1095: Non-Application Layer Protocol (SOCKS5)
   • T1055.012: Process Injection via Memory File Descriptors
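The first two detection strategies can be checked directly against /proc. The following Python script is an added example, not part of the original analysis: it snapshots the process table and flags processes that carry a kworker name without kthreadd (PID 2) as parent, and processes whose executable is backed by an anonymous memfd. The Proc record type and function names are this example's own; it assumes only a mounted /proc.

```python
import os
from dataclasses import dataclass

KTHREADD_PID = 2  # every genuine kworker thread is a child of kthreadd

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # Name: field of /proc/<pid>/status (what prctl(PR_SET_NAME) changes)
    exe: str       # readlink(/proc/<pid>/exe); "" for kernel threads
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced; "" for kernel threads

def read_live_procs():
    """Snapshot the process table from /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""  # kernel threads (and processes we may not inspect) have no exe link
            procs.append(Proc(pid, int(fields["PPid"]), fields["Name"].strip(), exe, cmdline))
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or is unreadable
    return procs

def find_suspicious(procs):
    """Return (pid, reason) pairs for processes matching the two heuristics above."""
    hits = []
    for p in procs:
        # A kworker name is only legitimate on a child of kthreadd with no exe link and no argv.
        claims_kworker = p.comm.startswith("kworker/") or p.cmdline.startswith("kworker/")
        if claims_kworker and (p.ppid != KTHREADD_PID or p.exe or p.cmdline):
            hits.append((p.pid, "kernel-thread name on a user-space process"))
        # A binary started via memfd_create + execveat shows up as "/memfd:<name> (deleted)".
        if p.exe.startswith("/memfd:"):
            hits.append((p.pid, "executable backed by an anonymous memfd"))
    return hits

if __name__ == "__main__":
    for pid, reason in find_suspicious(read_live_procs()):
        print(f"PID {pid}: {reason}")
```

Run it as root for a complete view, since /proc/<pid>/exe of other users' processes is unreadable to an unprivileged scanner and such processes would fall through as having no exe link.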

Indicators of Compromise (IOCs)

Type            Value
ELF Backdoor    ea41b2bf1064efcb6196bb79b40c5158fc339a36a3d3ddee68c822d797895b4e
Reverse SSH     28096799c02d198149a7de0e7d6001554fc0c0907a4cfff5fcfa29f8cd93a4c3
Proxy Server    43.159.18[.]135:2333
C2 Endpoint     119.42.148[.]187:2443

This campaign highlights attackers' increasing reliance on legitimate infrastructure (e.g., residential proxies) and syscall-based in-memory execution to evade EDR solutions. Defenders must augment network telemetry with kernel-level process ancestry tracking to identify such threats.
