Active since 2020, the BlueShell backdoor malware is now targeting users in South Korea and Thailand. The exact attack vector can vary by operating system, but it seems to be mainly targeting vulnerable Linux systems. BlueShell is written in the Go open source language, which explains its cross-platform capabilities. Although this malware has been deleted from GitHub, where it was formerly available, it still can be found on other repositories.
Impact
This threat is of medium severity, targeting both Windows- and Linux-based hosts. In observed Linux attacks, the BlueShell dropper sets an environment variable named “lgdt.” Then the created BlueShell obtains the “lgdt” environment variable, decrypts it, and uses it as the command-and-control (C2) server address.
DXC perspective
To prevent this type of security threat, organizations should inspect vulnerable environment settings and protect related systems by updating to the latest versions. Other helpful actions include monitoring for abnormal user behavior, installing and regularly updating antivirus software on all hosts, and enabling real-time detection.