Let's Talk
Let's Talk

Loading...

Blog Details

  • Home
  • /
  • Chinese Hackers Attacking Linux Devices With New SSH Backdoor

Chinese Hackers Attacking Linux Devices With New SSH Backdoor

essadmin

Threat Report

Executive Summary:
FortiGuard Labs has identified a sophisticated SSH backdoor, dubbed ELF/Sshdinjector.A!tr, being used by Chinese hackers attributed to the DaggerFly espionage group. This malware is part of the Lunar Peek campaign, which began in mid-November 2024 and primarily targets network appliances and IoT devices running Linux.

Key Findings

  1. Malware Overview
    • Name: ELF/Sshdinjector.A!tr
    • Attribution: DaggerFly espionage group
    • Campaign: Lunar Peek
    • Target Devices: Network appliances and IoT devices running Linux
  2. Attack Mechanism
    • The initial entry point is a dropper that verifies root privileges.
    • If the system isn’t already compromised, the dropper deploys malicious binaries, including a modified SSH library (libsshd.so) and infected versions of common utilities like ls, netstat, and crond.
  3. Core Functionality
    • The libsshd.so library is the core of the backdoor, equipped to communicate with a remote command-and-control (C2) server.
    • Key functions include:
      • “haha” : Spawns additional threads from functions “heihei” and “xixi.”
      • “xixi” : Monitors the /root/intensify-mm-inject/ xxx directory and restarts SSH and Cron daemons if necessary.
      • “heihei” : Establishes a connection with the C2 server at IP address 45.125.64[.]200 on ports 33200 or 33223.
  4. Communication Protocol
    • The malware uses a custom communication protocol with the C2 server, embedding a hard-coded UUID (a273079c-3e0f-4847-a075-b4e1f9549e88) and an identifier (afa8dcd81a854144) in each packet.
    • The C2 server can issue a variety of commands, including:
      • Exfiltrating system information (uname, MAC address, etc.)
      • Listing running services
      • Reading user credentials from /etc/shadow
      • Executing arbitrary commands
  5. Indicators of Compromise (IOCs)
    • SHA256 Hashes:
      • 94e8b0a3c7d1f1a0e6b2d4a82b6b7a3f
      • d1b3e8b0a3c7d1f1a0e6b2d4a82b6b7a3f
    • C2 Server Addresses:
      • 45.125.64[.]200:33200
      • 45.125.64[.]200:33223
 

Recommendations

  • Update Antivirus Definitions: Ensure that all Linux-based network appliances and IoT devices have up-to-date antivirus definitions.
  • Monitor Network Traffic: Implement monitoring for unusual network traffic, particularly to the identified C2 server addresses.
  • Regular Audits: Conduct regular security audits to detect and mitigate potential threats.
  • Patch Management: Keep all systems and software updated with the latest security patches.
 

Conclusion

The ELF/Sshdinjector.A!tr malware poses a significant threat to Linux-based network appliances and IoT devices. By understanding the attack mechanism and implementing the recommended security measures, organizations can better protect their infrastructure from this sophisticated backdoor.

 

Discover more from ESSGroup

Subscribe to get the latest posts sent to your email.

Leave a Reply

Looking for the Best Cyber Security?

Get A Quote
Get A Quote

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Linkedin Telegram X-twitter WordPress

Company

Quick Link

Contact Us

  • Address: Reithalleweg 3 Wohlen CH
  • Email: support@essgroup.tech
  • Phone:

Copyright © 2025 ESSGroup