Quick Glance At Lazarus Group MATA APT On Linux (PART2) Using Ghidra
We start off by analyzing main() in the decompiler view, where we see the libc function int daemon(int nochdir, int noclose).
As its name suggests, this function daemonizes the calling process. No Ghidra Function ID signature matched this particular function, but it was fairly simple to recognize the routine as daemonization because on POSIX systems it is performed as a fixed series of syscalls. If you are familiar with the programmatic steps to daemonize in a POSIX environment, the pattern is easy to recognize.
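For reference, here is the daemon(3) syscall sequence written out step by step. This is an added example, not code from the MATA sample or from the original post; the function names are my own, and it mirrors the documented nochdir/noclose semantics so each line can be matched against what the decompiler shows when no signature is available.

```c
/* Reference implementation of the daemon(3) sequence, added here as an
 * example (hypothetical names; not taken from the analyzed binary).
 * Each step corresponds to a syscall you will see in the decompiler
 * when Function ID has nothing to match. */
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 4: point stdin/stdout/stderr at /dev/null so the detached process
 * neither reads from nor writes to the old terminal. In a decompiler this
 * shows up as open("/dev/null", O_RDWR) followed by dup2() onto fds 0, 1, 2.
 * Returns 0 on success, -1 on error. */
int redirect_stdio_to_devnull(void)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0)
        return -1;
    int rc = 0;
    for (int target = 0; target <= 2; target++) {
        if (dup2(fd, target) < 0)
            rc = -1;
    }
    if (fd > 2)
        close(fd);   /* keep only the three standard descriptors */
    return rc;
}

/* Returns 1 if fd refers to /dev/null (same device and inode), else 0.
 * Lets a caller confirm that the redirect step actually took effect. */
int fd_is_devnull(int fd)
{
    struct stat a, b;
    if (fstat(fd, &a) < 0 || stat("/dev/null", &b) < 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* The full sequence with daemon(3) semantics:
 * 1. fork(): the parent exits, so the shell sees the command return.
 * 2. setsid(): the child becomes session leader with no controlling TTY.
 * 3. chdir("/") unless nochdir is set, so no mount point stays pinned.
 * 4. redirect fds 0-2 unless noclose is set.
 * Only the child ever returns from this call. */
int daemonize(int nochdir, int noclose)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid > 0)
        _exit(0);            /* parent: only the orphaned child continues */
    if (setsid() < 0)
        return -1;
    if (!nochdir && chdir("/") < 0)
        return -1;
    if (!noclose && redirect_stdio_to_devnull() < 0)
        return -1;
    return 0;
}
```

When reading the decompiled routine, look for fork() followed by an exit in the parent branch, then setsid(), an optional chdir("/"), and the open/dup2 pattern on fds 0 through 2.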