
DaggerFly-Linked Linux Malware Targets Network Appliances


A recent discovery by cybersecurity experts at FortiGuard Labs has unveiled a new malware strain known as ELF/Sshdinjector.A!tr, which has been linked to the DaggerFly espionage group. This malicious software has been utilized in the Lunar Peek campaign to target Linux-based network appliances, with its primary function being data exfiltration.

The malware consists of multiple binaries that work together to infect a system. The dropper first checks whether the system is already infected; if it is not, it deploys the malicious binaries. One of these, libsshd.so, is a modified SSH library that communicates with a remote command-and-control server; other trojanized binaries are used to keep access to the compromised system.

Specifically, the dropper first verifies that it is running with root privileges before proceeding further. It then looks for a distinctive file named /bin/lsxxxssswwdd11vv containing the keyword “WATERDROP” to determine whether the system has already been compromised. If not, the malware overwrites legitimate system binaries such as ls, netstat, and crond with infected versions.

Key features of this malware strain identified by FortiGuard Labs include:

- system infection through the overwriting of critical system binaries for persistence;
- remote control capabilities using a modified SSH library to communicate with malicious actors;
- data exfiltration of sensitive system information such as MAC addresses and user credentials;
- execution of arbitrary commands sent by attackers;
- use of a custom encrypted protocol for secure communication with command-and-control servers;
- verification of root privileges for administrative access before executing payloads.
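The marker file, the modified SSH library and the overwritten system binaries described above are all indicators a defender can check for. The following POSIX shell script is an added example, not FortiGuard's tooling or code from the article; it assumes libsshd.so shows up in the memory map of a running process, that ls, netstat and crond live at their usual paths, and that rpm -V or dpkg -V is available for integrity verification.

```shell
#!/bin/sh
# Added triage script for the indicators in this article (assumptions noted inline).
# Pass a root prefix as $1 to scan an offline image; default is the live system (/).

MARKER_PATH="/bin/lsxxxssswwdd11vv"   # infection marker named in the article
MARKER_KEYWORD="WATERDROP"            # keyword the dropper looks for in that file

# Returns 0 if the marker file exists under the given root and contains the keyword.
marker_present() {
    f="${1:-}$MARKER_PATH"
    [ -f "$f" ] && grep -q "$MARKER_KEYWORD" "$f"
}

# Prints the PID of every process whose memory map references libsshd.so (the modified
# SSH library); returns 0 if at least one is found. Reads <root>/proc/<pid>/maps.
sshd_lib_loaded() {
    found=1
    for maps in "${1:-}"/proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q '/libsshd\.so' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"; echo "${pid##*/}"
            found=0
        fi
    done
    return "$found"
}

# Live system only: compares the binaries the dropper overwrites against the package
# database and prints any whose recorded file digest no longer matches (assumed paths).
verify_system_binaries() {
    for b in /bin/ls /bin/netstat /usr/bin/netstat /usr/sbin/crond /usr/sbin/cron; do
        [ -e "$b" ] || continue
        if command -v rpm >/dev/null 2>&1; then
            rpm -Vf "$b" 2>/dev/null | grep '^..5' || true    # column 3 '5' = digest mismatch
        elif command -v dpkg >/dev/null 2>&1; then
            pkg=$(dpkg -S "$b" 2>/dev/null | cut -d: -f1)
            [ -n "$pkg" ] && dpkg -V "$pkg" 2>/dev/null | grep "$b" || true
        fi
    done
}

ROOT="${1:-}"
if marker_present "$ROOT"; then echo "ALERT: infection marker found at $ROOT$MARKER_PATH"; fi
if pids=$(sshd_lib_loaded "$ROOT"); then echo "ALERT: libsshd.so mapped in PIDs: $pids"; fi
if [ -z "$ROOT" ]; then verify_system_binaries; fi
```

A digest mismatch on ls, netstat or crond is not proof of infection on its own (local rebuilds and some distributions' merged-/usr layouts also produce noise), so treat it as a lead to confirm against a known-good copy.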

To aid in the analysis of this complex malware, FortiGuard researchers used AI-powered tools such as Radare2’s r2ai extension for reverse engineering. While artificial intelligence accelerated decompilation and simplified code summaries, it also showed limitations, such as inventing commands that do not exist or omitting details. Human analysts therefore remain essential for verifying findings, correcting inaccuracies, and guiding the investigation.

In light of these emerging threats, security professionals managing Linux systems are advised to stay vigilant by applying updates, monitoring network activity for any irregular behavior, and implementing advanced endpoint protection measures. By remaining proactive and informed about the latest cyber threats, organizations can strengthen their defense against sophisticated malware attacks like ELF/Sshdinjector.A!tr.
