A new malware strain, ELF/Sshdinjector.A!tr, has been linked to the DaggerFly espionage group and used in the Lunar Peek campaign to target Linux-based network appliances. Its primary function is data exfiltration.
How the Malware Works
Uncovered by cybersecurity researchers at FortiGuard Labs, the malware operates using several binaries that work together to infect a system:
- Dropper: Checks whether the system is already infected; if not, it deploys the malicious binaries
- libsshd.so: A modified SSH library that communicates with a remote command-and-control (C2) server
- Other infected binaries: Ensure continued access to the compromised system
More specifically, the dropper verifies that it has root privileges before proceeding. It then looks for a specific file named /bin/lsxxxssswwdd11vv containing the string “WATERDROP” to determine whether the system is already compromised. If not, the malware overwrites legitimate system binaries such as ls, netstat and crond with infected versions.
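The infection marker and the overwritten binaries described above are the two host-level indicators a defender can check for. The following is an added example, not FortiGuard's code: it looks for the marker file, then compares ls, netstat and crond against a trusted SHA-256 baseline recorded from a known-good image. The binary paths and the baseline format are assumptions; `demo()` runs the scan against a constructed fake filesystem so it can be tried offline.

```python
import hashlib
import os
import tempfile

# Indicators from the FortiGuard write-up; the binary paths are assumed for a typical Linux layout.
MARKER_FILE = "bin/lsxxxssswwdd11vv"
MARKER_STRING = b"WATERDROP"
REPLACED_BINARIES = ("bin/ls", "bin/netstat", "usr/sbin/crond")


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_host(root, baseline):
    """Return findings for the filesystem under `root`. `baseline` maps each
    relative binary path to the SHA-256 recorded from a known-good image."""
    findings = []
    marker = os.path.join(root, MARKER_FILE)
    if os.path.isfile(marker):
        with open(marker, "rb") as fh:
            if MARKER_STRING in fh.read(4096):
                findings.append("infection marker present: /" + MARKER_FILE)
    for rel in REPLACED_BINARIES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue  # not installed on this host; nothing to compare
        if rel in baseline and sha256_file(path) != baseline[rel]:
            findings.append("binary does not match baseline: /" + rel)
    return findings


def demo():
    """Exercise the scan offline against a constructed fake root (sample data, not a real host)."""
    root = tempfile.mkdtemp()
    for rel in REPLACED_BINARIES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"original " + rel.encode())
    baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in REPLACED_BINARIES}
    # Simulate the infection described above: marker written, ls overwritten.
    with open(os.path.join(root, MARKER_FILE), "wb") as fh:
        fh.write(MARKER_STRING)
    with open(os.path.join(root, "bin/ls"), "wb") as fh:
        fh.write(b"trojanised ls")
    return scan_host(root, baseline)
```

On a real host, run `scan_host("/", baseline)` from a trusted live medium, since a trojanised ls or netstat on the suspect system can hide the very files this check inspects.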
Key Features of the Malware
FortiGuard Labs identified the following as key features of the malware strain:
- System infection: Overwrites key system binaries to maintain persistence
- Remote control: Uses a modified SSH library to communicate with attackers
- Data exfiltration: Extracts sensitive system information such as MAC addresses and user credentials
- Command execution: Executes arbitrary commands sent by the attacker
- Custom protocol: Uses an encrypted protocol for secure communication with C2 servers
- Root privilege verification: Ensures administrative access before executing payloads
AI-Assisted Reverse Engineering
In analyzing the malware, FortiGuard researchers used AI-powered tools such as Radare2’s r2ai extension for reverse engineering.
While AI accelerated the decompilation process and simplified code summaries, it also revealed limitations, such as producing non-existent commands or omitting details. As a result, FortiGuard said human analysts were essential in verifying findings, correcting inaccuracies and guiding the investigation.
To mitigate risks, security professionals managing Linux systems are advised to apply updates, monitor network activity for unusual behavior and deploy advanced endpoint protection.