The discovered threat is a malicious Bash script that installs a GSocket backdoor on victim machines running UNIX-like operating systems, including Linux, macOS, FreeBSD, and OpenBSD. GSocket is a networking tool designed for peer-to-peer communication using a shared secret and a global relay network, allowing connections without exposing IP addresses or open ports. The backdoor leverages gs-netcat, a GSocket-based utility, to provide remote shell access, file transfer, and tunneling capabilities, effectively bypassing traditional network security controls such as firewalls and intrusion detection systems. The script implements persistence by creating a cron job that kills and restarts the disguised gs-netcat process every hour and by injecting code into the victim’s shell profile (.profile) to ensure execution on login. The malware copies itself into the victim’s .ssh directory under the name 'putty' and stores the GSocket shared secret in a file masquerading as an SSH key, enhancing stealth. A notable anti-forensic technique involves wrapping file operations (e.g., creating, deleting, moving files) in helper functions that track and restore original file timestamps, thereby hiding filesystem modifications from forensic analysis. The script is not obfuscated and contains comments, indicating it might have been uploaded publicly for testing or demonstration. Detection is limited, with only 17 antivirus engines on VirusTotal flagging the sample. The infection vector and initial delivery method remain unknown, complicating prevention efforts. Due to its reliance on Bash scripting and standard UNIX utilities, the malware is highly portable across UNIX-like platforms. This threat represents a sophisticated, stealthy backdoor capable of persistent remote access and evasion of conventional security measures.

This backdoor enables attackers to gain persistent, stealthy remote access to compromised UNIX-like systems, potentially allowing full control over affected hosts. The use of GSocket’s relay infrastructure bypasses traditional network defenses, making detection and blocking difficult. Attackers can execute arbitrary commands, transfer files, and tunnel traffic, facilitating lateral movement, data exfiltration, and further compromise within organizational networks. The anti-forensic timestamp restoration complicates incident response and forensic investigations, increasing the difficulty of detecting and attributing the intrusion. Organizations relying on UNIX-based servers, workstations, or infrastructure components are at risk, especially if they lack robust endpoint monitoring or network anomaly detection tuned for such covert channels. The unknown infection vector and limited antivirus detection increase the likelihood of undetected spread. The medium severity reflects the significant impact on confidentiality and integrity, combined with moderate ease of exploitation due to the unknown delivery method.

Organizations should implement targeted detection for GSocket-related network traffic, including monitoring outbound connections to known GSocket relay IPs and unusual peer-to-peer communication patterns. Endpoint detection and response (EDR) solutions should be configured to identify the presence of gs-netcat binaries, especially those located in unusual directories like .ssh/putty, and monitor for suspicious cron jobs or modifications to user shell profiles. File integrity monitoring should be enhanced to detect timestamp anomalies and unexpected file creations or modifications, leveraging the knowledge of the malware’s timestamp restoration techniques. Restrict execution of unauthorized Bash scripts and enforce strict application whitelisting policies. Network segmentation and egress filtering can limit outbound connections to unapproved destinations, reducing the effectiveness of the relay infrastructure. Regularly audit user cron jobs and shell profiles for unauthorized changes. Since the infection vector is unknown, user education on phishing and safe script execution practices remains important. Incident response teams should prepare to analyze timestamp manipulation techniques and consider behavioral indicators beyond signature-based detection. Finally, collaborate with threat intelligence sources to update detection rules as more information becomes available.