A highly sophisticated cyber espionage campaign linked to the Chinese hacking group known as DaggerFly has recently come to light, targeting Linux systems with an advanced Secure Shell (SSH) backdoor named ELF/Sshdinjector.A!tr.
This particular malware, which forms part of a larger attack framework, infiltrates Linux-based network appliances and Internet-of-Things (IoT) devices, allowing for the extraction of data and the establishment of prolonged persistence within compromised environments.
Uncovered in the middle of November 2024, the backdoor was utilized during the Lunar Peek campaign, a series of coordinated attacks aimed at network appliances.
In-depth analysis conducted by FortiGuard Labs uncovered that the attack employs a combination of malicious components, including a dropper, a malicious SSH library known as libsshd.so, and other files engineered to ensure continued infection and evade detection.
The infection process begins with a dropper binary, which checks that it is running with root privileges before carrying out the infection. If the host is found to be a suitable target, the dropper replaces critical system binaries such as ls, netstat, and crond with malicious versions. It then infects the SSH daemon with the libsshd.so file, which acts as the primary payload. The core functionality of ELF/Sshdinjector.A!tr lives in libsshd.so, which communicates with a remote command-and-control (C2) server at a hardcoded IP address. This enables a range of malicious activities: exfiltration of system data such as MAC addresses and configuration details, access to sensitive files like /etc/shadow, file manipulation, and command execution on the compromised system. The malware also maintains persistence by automatically restarting the SSH and cron daemons.
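The two host-level symptoms described above (replaced system binaries and a foreign shared object loaded into sshd) can be checked for from a defender's side. The script below is an added example written for this article, not FortiGuard's tooling: it parses a /proc/<pid>/maps listing and flags libraries loaded from outside trusted directories, libraries whose backing file has been deleted, or anything named libsshd.so, and it compares the hashes of watched binaries against a known-good baseline. The sample maps text, the library location and the baseline hashes are constructed for illustration.

```python
#!/usr/bin/env python3
"""Host checks for the Sshdinjector symptoms described in the article.
Example code added to the article; sample data below is constructed."""
import hashlib
import os
import re
from pathlib import Path

# Directories from which a stock sshd is expected to load its libraries.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# One line of /proc/<pid>/maps: address perms offset dev inode [pathname].
# Only file-backed mappings (pathname starting with "/") are of interest.
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/.*)$")

# Constructed sample of an sshd memory map with an injected library present.
SAMPLE_SSHD_MAPS = """\
55d6c3a00000-55d6c3a2b000 r--p 00000000 fd:01 1310722 /usr/sbin/sshd
7f3a1c000000-7f3a1c022000 r--p 00000000 fd:01 393226 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c210000 r-xp 00000000 fd:01 917514 /usr/local/lib/libsshd.so
7f3a1c400000-7f3a1c401000 r--p 00000000 fd:01 393300 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""


def loaded_libraries(maps_text):
    """Return the distinct shared objects mapped into a process, from its maps text."""
    libs = set()
    for line in maps_text.splitlines():
        match = MAPS_LINE.match(line)
        if match and ".so" in Path(match.group("path")).name:
            libs.add(match.group("path"))
    return sorted(libs)


def suspicious_libraries(maps_text, trusted_dirs=TRUSTED_LIB_DIRS):
    """Flag libraries outside trusted directories, libraries whose backing
    file was deleted, and the libsshd.so name from the FortiGuard report."""
    flagged = []
    for lib in loaded_libraries(maps_text):
        reasons = []
        if not lib.startswith(trusted_dirs):
            reasons.append("loaded from outside trusted library directories")
        if Path(lib).name.startswith("libsshd.so"):
            reasons.append("name matches libsshd.so from the FortiGuard report")
        if lib.endswith("(deleted)"):
            reasons.append("backing file no longer exists on disk")
        if reasons:
            flagged.append((lib, reasons))
    return flagged


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_binaries(baseline, read_hash=sha256_file):
    """Compare binaries such as ls, netstat and crond against a known-good
    baseline {path: sha256}. The baseline must come from a trusted source
    (package metadata or hashes recorded before deployment), since a replaced
    binary cannot be trusted to describe itself. read_hash is injectable."""
    findings = []
    for path, expected in baseline.items():
        try:
            actual = read_hash(path)
        except OSError:
            findings.append((path, "missing"))
            continue
        if actual != expected:
            findings.append((path, "hash mismatch"))
    return findings


def sshd_maps_from_proc():
    """Yield (pid, maps text) for every running process whose comm is 'sshd'."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as handle:
                if handle.read().strip() != "sshd":
                    continue
            with open(f"/proc/{entry}/maps") as handle:
                yield int(entry), handle.read()
        except OSError:
            continue  # process exited, or no permission (run as root)


if __name__ == "__main__":
    print("sample findings:", suspicious_libraries(SAMPLE_SSHD_MAPS))
    for pid, maps in sshd_maps_from_proc():  # live check on a Linux host
        for lib, reasons in suspicious_libraries(maps):
            print(f"sshd pid {pid}: {lib}: {'; '.join(reasons)}")
```

The library check is a heuristic: a well-placed implant can sit inside a trusted directory, so the hash comparison against a baseline recorded from a clean host (or from package-manager metadata via `dpkg --verify` or `rpm -V`) is the more reliable of the two, and both should be run from a trusted environment rather than relying on tools on the suspect host.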
According to the report published by Fortinet, the malware uses a custom protocol for encrypted communication with the C2 server and assigns unique identifiers to track compromised hosts.
Through reverse engineering supported by AI tools such as r2ai, researchers were able to dissect the complex behavior of ELF/Sshdinjector.A!tr. While the AI tools sped up disassembly and source-code generation, human oversight remained essential because of hallucinated functionality and omitted details in the AI output. This collaboration produced a comprehensive understanding of the malware's functionality and shows the potential of AI in threat analysis workflows despite its imperfections.
The usage of ELF/Sshdinjector.A!tr by DaggerFly highlights the escalating sophistication of attacks directed towards Linux platforms, particularly IoT and network appliances that often lack robust security measures. The campaign’s capability to extract data and operate stealthily underscores the urgent need for enhanced security protocols for Linux-based systems.
In conclusion, the identification of this cyber espionage campaign targeting Linux systems serves as a stark reminder of the evolving threat landscape and the critical importance of reinforcing security measures to safeguard against sophisticated cyberattacks.