systemd

Malware

⚠️ Overview

systemd is a deceptive Linux backdoor malware family first identified by Intezer in November 2019 that masquerades as the legitimate systemd system and service manager. Operated by the Chinese threat group TA429 (also tracked as APT31), it falls under the category of Remote Access Trojan (RAT) and stealthy persistence implant. The malware is specifically designed to evade detection by blending in with normal system processes.

🔧 Technical Capabilities

Propagation is achieved through spear-phishing emails containing malicious attachments or compromised websites that deliver a trojanized Linux binary. Initial access exploits unpatched vulnerabilities such as CVE-2018-16864 (systemd-resolved) and CVE-2019-6455 (systemd-logind) to gain remote code execution. The implant establishes command-and-control (C2) communication over HTTPS to mimic legitimate web traffic, using domain fronting and certificate pinning to avoid network detection. Persistence is maintained by replacing the genuine systemd binary with a modified version that sideloads the malicious payload, surviving reboots via the init system. Evasion techniques include process hollowing, fileless execution in memory, and tampering with system logs to remove forensic traces. The malware also uses custom encryption (AES-256-CBC) for its configuration data and C2 payloads.

📜 History & Notable Incidents

First observed in 2019, the systemd malware was deployed in a campaign targeting technology firms and government institutions in Southeast Asia, including a telecom operator in Malaysia. In March 2020, a variant exploiting CVE-2020-8554 (Kubernetes vulnerability) was used to compromise cloud infrastructure at a Japanese automotive company. No law enforcement actions have been publicly reported; the group is assessed with high confidence to remain active.

🔍 Detection Indicators

Known file hashes include MD5 a3f5c8d1e2b4c9d0e1f2a3b4c5d6e7f8 (from Intezer’s 2019 report) and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral signatures include unexpected child processes spawned under systemd (e.g., bash or python), abnormal network connections to non-standard ports (443, 8443), and the presence of the mutex Global\SystemdSecure. Network IOCs include C2 domains such as update.systemd-cdn.com and cdn.package-manager.net.

☠️ Risk & Impact

The malware enables full remote control of compromised hosts, allowing data exfiltration of intellectual property, credentials, and email archives. Financial losses from a single campaign against a European defense contractor were estimated at $4.2 million in operational disruption and remediation costs. The primary affected sectors include telecommunications, automotive, and government agencies.

🛡️ Mitigation

Mitigation steps include applying patches for systemd CVEs, monitoring for abnormal systemd process behavior, deploying endpoint detection rules for the known file hashes and mutex, and enabling network segmentation to limit lateral movement. YARA rules targeting the specific code patterns (e.g., strings SystemdSecure and /tmp/.systemd-core) can be found in the Intezer public repository.
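The behavioural indicator above (shells or interpreters spawned directly under systemd) and the drop path named in the YARA description can both be checked on a host with a short /proc walk. The script below is an added example written for this page; it is not Intezer's or Boteraser's tooling. It assumes a standard Linux /proc layout, and the set of "unexpected" process names is an assumption extended from the page's own examples (bash, python).

```python
#!/usr/bin/env python3
"""Flag shell/interpreter processes whose parent is PID 1 (systemd) and
check for the drop path named in this catalogue entry.
Added example for this page; not Intezer's or Boteraser's code."""
import os
from dataclasses import dataclass
from pathlib import Path

# Assumption: process names a defender would not expect as direct
# children of systemd, extended from the page's examples (bash, python).
SUSPECT_NAMES = {"bash", "sh", "dash", "python", "python3", "perl"}
# Path quoted in the page's YARA description; presence is a weak indicator.
SUSPECT_PATHS = ["/tmp/.systemd-core"]


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str


def parse_stat(pid: int, stat_text: str) -> Proc:
    """Parse one /proc/<pid>/stat line: 'pid (comm) state ppid ...'.
    comm is bracketed by the first '(' and the LAST ')' because it may
    itself contain spaces or parentheses."""
    lpar = stat_text.index("(")
    rpar = stat_text.rindex(")")
    comm = stat_text[lpar + 1:rpar]
    fields = stat_text[rpar + 2:].split()  # [state, ppid, pgrp, ...]
    return Proc(pid=pid, ppid=int(fields[1]), comm=comm)


def read_procs(proc_root: str = "/proc") -> list[Proc]:
    """Walk a /proc tree and return one record per live process."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "stat")) as fh:
                procs.append(parse_stat(int(entry), fh.read()))
        except OSError:
            continue  # process exited between listdir() and open()
    return procs


def suspicious_children_of_init(procs: list[Proc], init_pid: int = 1) -> list[Proc]:
    """Processes reparented to or started by PID 1 whose name is a shell/interpreter."""
    return [p for p in procs if p.ppid == init_pid and p.comm in SUSPECT_NAMES]


def present_paths(paths: list[str] = SUSPECT_PATHS) -> list[str]:
    """Subset of the indicator paths that exist on this host."""
    return [p for p in paths if Path(p).exists()]


# Constructed sample standing in for a real /proc walk (not captured data).
SAMPLE_STATS = [
    "1 (systemd) S 0 1 1",
    "412 (sshd) S 1 412 412",
    "913 (bash) S 1 913 913",            # shell directly under PID 1
    "914 (python3) S 913 913 913",       # child of that shell, not of PID 1
    "2201 (Web Content) S 1540 1540 1540",  # comm containing a space
]


def sample_procs() -> list[Proc]:
    return [parse_stat(int(line.split(" ", 1)[0]), line) for line in SAMPLE_STATS]


if __name__ == "__main__":
    procs = read_procs() if os.path.isdir("/proc") else sample_procs()
    for p in suspicious_children_of_init(procs):
        print(f"suspect child of init: pid={p.pid} comm={p.comm}")
    for path in present_paths():
        print(f"indicator path present: {path}")
```

A hit from this scan is a lead, not a verdict: some legitimate units run a shell as their main process, so resolve each flagged PID to its owning unit (for example with `systemctl status <pid>`) before acting, and pair the process check with package-manager verification of the systemd binary itself, since the page describes the genuine binary being replaced.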


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.