This analysis explores the detection of malicious .desktop files used by threat actors to infect Linux systems. It explains the structure of these files and how they are manipulated to obfuscate malicious content. The report details the execution process of these files, which often involves opening a PDF file from Google Drive as a distraction while malware is downloaded in the background. Various threat hunting techniques are presented, including searching for specific processes, command lines, and file contents. The article provides several Google Threat Intelligence queries for identifying suspicious .desktop files and related malicious activity. It also includes a list of recently discovered samples potentially linked to a campaign reported by Zscaler.
Author: AlienVault
Related Tags:
google threat intelligence
kde
desktop files
xfce
threat hunting
T1566.001
British Indian Ocean Territory
T1059.004
Obfuscation
Associated Indicators: