Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code was immediately removed when the AUR team intervened. The incident occurred because the AUR team allow users to contribute to repositories that have been abandoned by their original authors.
The repository has user-submitted packages, and that is how the malware was released in the repository. A user named “xeactor” took over an ‘orphaned’ package on Saturday going by the name of “acroread” which functions as a PDF viewer and added a malicious code.
As per Git commit, “Xeactor” added a code that would download a script named “~x” from ptpb.pw a lightweight package that allows users to share tiny pieces of text files, which in turn would execute another file named “~u”. The software meddles with “systemd” and reconfigure it. This script would run every 360 seconds.
The purpose of the second file (~u) was to collect data about each infected system including date, time, machine’s ID, package manager details, CPU information and outputs of “uname-a” and “systemctl list-units” commands and post these details inside a new Pastebin file, using the attacker’s custom Pastebin API key.
The AUR team have also said they have found similar code in other packages:
▬ acroread 9.5.5-8
▬ balz 1.20-3
▬ minergate 8.1-2
The malicious code changes were reversed and xeactor’s accounts were suspended. The AUR packages are user-submitted packages to the Arch Linux Repo. There are a lot of cases this year where most of the code of the operating system has been affected by some sort of malware.
No other malicious actions were observed, meaning the acroread package wasn’t harming users’ systems, but merely collecting data in preparation for… something else.
Even though it does not pose any serious threat to the infected computers, it is anticipated that “xeactor” could launch another malware as any self-update mechanism was not included.