The functioning of ELF/Sshdinjector.A!tr revolves around the injection of malware into the secure shell daemon (sshd) program. This malware collection enables cyber attackers to carry out a variety of malicious activities while remaining undetected by users. The specific method of initial breach by which these devices are compromised has not been disclosed by Fortinet.
The attack involves the utilization of multiple binary files that contain destructive code. A preliminary “dropper” component is responsible for determining whether the target device has already been compromised. It does so by searching for a particular file named /bin/lsxxxssswwdd11vv, which includes the keyword “WATERDROP”, and verifying if the device has root access, which grants the highest level of permissions.
In the event that the device is not yet infected, the malware proceeds to drop various harmful binaries, including an SSH library. This library is designed to establish communication with a remote bot master or command and control (C2) server. The C2 server then issues commands to the malware, directing it to collect information, monitor processes, steal credentials, and execute remote commands as instructed.
The presence of ELF/Sshdinjector.A!tr poses a significant threat to the security of devices running the secure shell daemon. By infiltrating the sshd program, attackers can conduct malicious activities without detection, potentially leading to severe consequences for targeted individuals or organizations. It is essential for users to implement robust security measures and stay vigilant against such malware attacks.