Let's Talk
Let's Talk

Loading...

Blog Details

  • Home
  • /
  • Chinese Hackers Attacking Linux Devices With New SSH Backdoor

Chinese Hackers Attacking Linux Devices With New SSH Backdoor

essadmin

Threat Report

Executive Summary:
FortiGuard Labs has identified a sophisticated SSH backdoor, dubbed ELF/Sshdinjector.A!tr, being used by Chinese hackers attributed to the DaggerFly espionage group. This malware is part of the Lunar Peek campaign, which began in mid-November 2024 and primarily targets network appliances and IoT devices running Linux.

Key Findings

  1. Malware Overview
    • Name: ELF/Sshdinjector.A!tr
    • Attribution: DaggerFly espionage group
    • Campaign: Lunar Peek
    • Target Devices: Network appliances and IoT devices running Linux
  2. Attack Mechanism
    • The initial entry point is a dropper that verifies root privileges.
    • If the system isn’t already compromised, the dropper deploys malicious binaries, including a modified SSH library (libsshd.so) and infected versions of common utilities like ls, netstat, and crond.
  3. Core Functionality
    • The libsshd.so library is the core of the backdoor, equipped to communicate with a remote command-and-control (C2) server.
    • Key functions include:
      • “haha” : Spawns additional threads from functions “heihei” and “xixi.”
      • “xixi” : Monitors the /root/intensify-mm-inject/ xxx directory and restarts SSH and Cron daemons if necessary.
      • “heihei” : Establishes a connection with the C2 server at IP address 45.125.64[.]200 on ports 33200 or 33223.
  4. Communication Protocol
    • The malware uses a custom communication protocol with the C2 server, embedding a hard-coded UUID (a273079c-3e0f-4847-a075-b4e1f9549e88) and an identifier (afa8dcd81a854144) in each packet.
    • The C2 server can issue a variety of commands, including:
      • Exfiltrating system information (uname, MAC address, etc.)
      • Listing running services
      • Reading user credentials from /etc/shadow
      • Executing arbitrary commands
  5. Indicators of Compromise (IOCs)
    • SHA256 Hashes:
      • 94e8b0a3c7d1f1a0e6b2d4a82b6b7a3f
      • d1b3e8b0a3c7d1f1a0e6b2d4a82b6b7a3f
    • C2 Server Addresses:
      • 45.125.64[.]200:33200
      • 45.125.64[.]200:33223
 

Recommendations

  • Update Antivirus Definitions: Ensure that all Linux-based network appliances and IoT devices have up-to-date antivirus definitions.
  • Monitor Network Traffic: Implement monitoring for unusual network traffic, particularly to the identified C2 server addresses.
  • Regular Audits: Conduct regular security audits to detect and mitigate potential threats.
  • Patch Management: Keep all systems and software updated with the latest security patches.
 

Conclusion

The ELF/Sshdinjector.A!tr malware poses a significant threat to Linux-based network appliances and IoT devices. By understanding the attack mechanism and implementing the recommended security measures, organizations can better protect their infrastructure from this sophisticated backdoor.

 

Leave a Reply

Looking for the Best Cyber Security?

Get A Quote
Get A Quote

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Linkedin Telegram X-twitter WordPress

Company

Quick Link

Contact Us

  • Address: Reithalleweg 3 Wohlen CH
  • Email: support@essgroup.tech
  • Phone:

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading