A new strain of malware, ELF/Sshdinjector.A!tr, has been attributed to the DaggerFly espionage group in their Lunar Peek campaign, targeting Linux-based network appliances with a focus on data exfiltration.
Discovered by cybersecurity researchers at FortiGuard Labs, this malware operates using multiple binaries that collaborate to infect a system. The dropper component of the malware first checks for existing infections on the system and deploys malicious binaries if none are found. The libsshd.so file, a modified SSH library, then communicates with a remote command-and-control server. Additionally, other infected binaries ensure ongoing access to the compromised system.
The dropper component proceeds only if it is running with root privileges. It then searches for a specific file containing the word “WATERDROP” to determine whether the system has already been compromised; if it has not, the malware replaces legitimate system binaries such as ls, netstat, and crond with infected versions.
Key features of this malware strain identified by FortiGuard Labs include system infection through the overwriting of essential binaries, remote control via a modified SSH library for communication with attackers, data exfiltration of sensitive information like MAC addresses and user credentials, execution of arbitrary commands sent by the attacker, use of a custom encrypted protocol for secure communication with command-and-control servers, and verification of root privileges before executing payloads.
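As a defender-side illustration of the indicators described above, here is an added example (not FortiGuard's or the article's code) of a small Python sweep: it checks the three named binaries against a trusted hash baseline, looks for the “WATERDROP” marker in files the caller nominates, and reports sshd processes that have mapped a library named libsshd.so. The binary install paths, the baseline being passed in by the caller, and the caller-supplied list of candidate marker files are assumptions; the article does not name where the marker file lives.

```python
import hashlib
import os

INFECTION_MARKER = b"WATERDROP"   # marker the dropper looks for to decide "already infected"
REPLACED_BINARIES = ["/bin/ls", "/bin/netstat", "/usr/sbin/crond"]  # install paths assumed
INJECTED_LIBRARY = "libsshd.so"  # the modified SSH library that talks to the C2

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def tampered_binaries(baseline, paths=REPLACED_BINARIES):
    """Paths whose hash differs from a trusted baseline {path: sha256} (e.g. from rpm -V / debsums)."""
    return [p for p in paths if os.path.isfile(p) and baseline.get(p) != sha256_of(p)]

def files_with_marker(paths, marker=INFECTION_MARKER):
    """The given files that contain the dropper's infection marker."""
    def contains(p):
        try:
            with open(p, "rb") as fh:
                return marker in fh.read()
        except OSError:
            return False  # unreadable or vanished file: skip it, do not abort the sweep
    return [p for p in paths if contains(p)]

def maps_library(maps_text, library):
    """True if a /proc/<pid>/maps text has a mapping backed by a file named `library`."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # 6th field is the backing path, if any
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip().removesuffix(" (deleted)")  # unlinked-but-mapped still counts
        if os.path.basename(path) == library:
            return True
    return False

def pids_with_injected_library(maps_by_pid, library=INJECTED_LIBRARY):
    """Given {pid: text of /proc/<pid>/maps}, the pids that have mapped the library."""
    return sorted(pid for pid, maps in maps_by_pid.items() if maps_library(maps, library))

if __name__ == "__main__":  # live sweep of sshd processes; reading other users' maps needs root
    live = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as c, open(f"/proc/{pid}/maps") as m:
                if c.read().strip() == "sshd":
                    live[int(pid)] = m.read()
        except OSError:
            pass
    print("sshd pids with", INJECTED_LIBRARY, "mapped:", pids_with_injected_library(live))
```

A hash baseline recorded from a known-good image, or the package manager's own verification, is what makes the binary check meaningful; a baseline taken from an already compromised host only confirms the compromise.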
In the analysis of this malware, FortiGuard researchers utilized AI-assisted tools like Radare2’s r2ai extension for reverse engineering. While AI technology accelerated the decompilation process and streamlined code summaries, it also presented limitations such as generating non-existent commands and omitting important details. Human analysts were deemed essential in verifying findings, rectifying inaccuracies, and guiding the investigation process.
To mitigate the risks associated with this type of malware, security professionals managing Linux systems are advised to regularly apply updates, monitor network activity for any unusual behavior, and employ advanced endpoint protection measures.
In conclusion, the emergence of the ELF/Sshdinjector.A!tr malware strain linked to the DaggerFly espionage group highlights the ongoing threat to Linux-based network appliances and the importance of robust cybersecurity measures to safeguard against data exfiltration and unauthorized access. It serves as a reminder of the ever-evolving landscape of cyber threats and the need for vigilance in defending against malicious actors.