Derusbi is a sophisticated malware family known for targeting both Linux and Windows systems. It has been associated predominantly with Chinese cyber espionage operations since 2008, making it a significant concern in cybersecurity. The malware functions primarily as a tool for gaining and maintaining remote access to targeted systems, enabling attackers to steal sensitive information, conduct reconnaissance, and perform other malicious activities. Its distinctive network communication structure and techniques set it apart from other malware families.
A notable feature of Derusbi is its use of the LD_PRELOAD technique to load a malicious shared object library that exports PAM APIs. Because the dynamic loader maps a preloaded library into a process before its regular dependencies, the library's exported PAM functions take precedence over the legitimate ones, letting the malware sit inside system processes and carry out its actions without being detected. Derusbi also implements an interactive shell, believed to derive from the malware's Linux variant, which gives the attacker a command-line interface to the compromised system and further extends their control over the victim's machine.
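A defender-side check for the preload technique described above, added here as an example and not taken from any Derusbi analysis: it reads /etc/ld.so.preload and the LD_PRELOAD variable in each process environment, then flags any preloaded library that exports pam_* symbols, since libpam and PAM modules are never legitimately preloaded. The function names, the `nm -D` symbol listing and the sample inputs are assumptions of this example.

```python
import glob
import re
import subprocess

PAM_SYMBOL = re.compile(r"^pam_[a-z_]+")  # pam_sm_* module hooks and pam_* libpam API

def parse_ld_so_preload(text):
    """Entries of /etc/ld.so.preload: whitespace separated, '#' starts a comment."""
    paths = []
    for line in text.splitlines():
        paths.extend(line.split("#", 1)[0].split())
    return paths

def parse_environ(blob):
    """LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for item in blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []

def nm_exports(path):
    """Live symbol lister: defined dynamic symbols via `nm -D` (assumed installed)."""
    out = subprocess.run(["nm", "-D", "--defined-only", path], capture_output=True, text=True).stdout
    return [line.split()[-1] for line in out.splitlines() if line.strip()]

def audit(preload_text, environs, exports_of=nm_exports):
    """(source, library, pam_symbols) for each preloaded library exporting PAM APIs."""
    sources = [("/etc/ld.so.preload", p) for p in parse_ld_so_preload(preload_text)]
    for label, blob in environs.items():  # label: e.g. "/proc/1234/environ"
        sources += [(label, p) for p in parse_environ(blob)]
    findings = []
    for source, lib in sources:
        pam = sorted(s for s in exports_of(lib) if PAM_SYMBOL.match(s))
        if pam:  # libpam is never preloaded: a preloaded PAM exporter is a hook
            findings.append((source, lib, pam))
    return findings

def _read(path, mode="r"):
    try:
        with open(path, mode) as f:
            return f.read()
    except OSError:  # missing file, or another user's process without root
        return "" if mode == "r" else b""

def live_audit():
    """Run against this host (other users' /proc/*/environ need root)."""
    environs = {p: _read(p, "rb") for p in glob.glob("/proc/[0-9]*/environ")}
    return audit(_read("/etc/ld.so.preload"), environs)
```

`audit()` takes an injectable symbol lister so the logic can be exercised offline; `live_audit()` runs the real check against the host.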
Recent analyses of new backdoor malware variants have revealed striking similarities to Derusbi, suggesting that these newer threats drew inspiration from, or had direct access to, Derusbi's source code. In particular, the interactive shell of SprySOCKS, the backdoor used by Earth Lusca, and of other malware appears to be based on the Linux variant of Derusbi. These findings underscore the enduring influence of Derusbi in the evolving landscape of cyber threats.
Description last updated: 2024-05-04T19:34:59.809Z