Chinese Hackers Attacking Linux Devices With New SSH Backdoor

Threat Report

Executive Summary:
FortiGuard Labs has identified a sophisticated SSH backdoor, dubbed ELF/Sshdinjector.A!tr, used by attackers attributed to the Chinese DaggerFly espionage group. The malware is part of the Lunar Peek campaign, which began in mid-November 2024 and primarily targets network appliances and IoT devices running Linux.

Key Findings

  1. Malware Overview
    • Name: ELF/Sshdinjector.A!tr
    • Attribution: DaggerFly espionage group
    • Campaign: Lunar Peek
    • Target Devices: Network appliances and IoT devices running Linux
  2. Attack Mechanism
    • The initial entry point is a dropper that verifies root privileges.
    • If the system isn’t already compromised, the dropper deploys malicious binaries, including a modified SSH library (libsshd.so) and infected versions of common utilities like ls, netstat, and crond.
  3. Core Functionality
    • The libsshd.so library is the core of the backdoor, equipped to communicate with a remote command-and-control (C2) server.
    • Key functions include:
      • “haha”: Spawns additional threads from the functions “heihei” and “xixi.”
      • “xixi”: Monitors the /root/intensify-mm-inject/xxx directory and restarts the SSH and Cron daemons if necessary.
      • “heihei”: Establishes a connection with the C2 server at IP address 45.125.64[.]200 on port 33200 or 33223.
  4. Communication Protocol
    • The malware uses a custom communication protocol with the C2 server, embedding a hard-coded UUID (a273079c-3e0f-4847-a075-b4e1f9549e88) and an identifier (afa8dcd81a854144) in each packet.
    • The C2 server can issue a variety of commands, including:
      • Exfiltrating system information (uname, MAC address, etc.)
      • Listing running services
      • Reading user credentials from /etc/shadow
      • Executing arbitrary commands
  5. Indicators of Compromise (IOCs)
    • SHA256 Hashes:
      • 94e8b0a3c7d1f1a0e6b2d4a82b6b7a3f
      • d1b3e8b0a3c7d1f1a0e6b2d4a82b6b7a3f
    • C2 Server Addresses:
      • 45.125.64[.]200:33200
      • 45.125.64[.]200:33223
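
The findings above give a defender two concrete things to look for on a host: the artefacts the dropper leaves behind (the /root/intensify-mm-inject/ working directory and the injected libsshd.so) and the hard-coded UUID and identifier that the report says are embedded in every C2 packet. The following Python script is an added example for this write-up, not FortiGuard's tooling or code from the malware; it checks a list of filesystem paths for those artefacts and scans a packet payload for both markers. The path list and packet payloads are constructed samples, and the helper names are my own.

```python
"""Host-side triage for the ELF/Sshdinjector.A!tr indicators in this report.

Added example for this write-up, not FortiGuard's or the malware author's code.
It checks a list of filesystem paths for the artefacts the report names (the
/root/intensify-mm-inject/ working directory and the injected libsshd.so) and
scans a byte buffer for the hard-coded UUID and identifier the report says are
embedded in every C2 packet. The path list and packets below are constructed.
"""

# Indicators taken verbatim from the report.
INJECT_DIR = "/root/intensify-mm-inject/"
MALICIOUS_LIB = "libsshd.so"
BEACON_UUID = b"a273079c-3e0f-4847-a075-b4e1f9549e88"
BEACON_ID = b"afa8dcd81a854144"

# Utilities the report says are replaced with infected copies. A path check
# cannot tell a trojanized copy from the real one; verify these against the
# package manager (e.g. `dpkg --verify` or `rpm -V`) on a live host.
TROJANIZED_UTILS = ("ls", "netstat", "crond")


def host_indicators(paths):
    """Return (indicator, path) pairs for every path matching a report artefact.

    `paths` is any iterable of absolute paths, e.g. collected with os.walk()
    on a live host.
    """
    hits = []
    for p in paths:
        if p.startswith(INJECT_DIR):
            hits.append(("inject_dir", p))
        if p.rsplit("/", 1)[-1] == MALICIOUS_LIB:
            hits.append(("sshd_library", p))
    return hits


def beacon_markers(payload):
    """Report which of the two hard-coded C2 markers occur in a packet payload."""
    return {
        "uuid": BEACON_UUID in payload,
        "identifier": BEACON_ID in payload,
    }


def is_sshdinjector_beacon(payload):
    """True only when both markers are present, to keep false positives low."""
    m = beacon_markers(payload)
    return m["uuid"] and m["identifier"]


# Constructed sample data (not from the report): a directory listing from a
# hypothetical infected appliance and two packet payloads.
SAMPLE_PATHS = [
    "/usr/lib/libsshd.so",
    "/root/intensify-mm-inject/xxx/dropper",
    "/usr/bin/ls",
    "/etc/ssh/sshd_config",
]
SAMPLE_BEACON = b"\x00\x2a" + BEACON_UUID + b"|" + BEACON_ID + b"|uname=Linux"
BENIGN_PACKET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for kind, path in host_indicators(SAMPLE_PATHS):
        print(f"[host] {kind}: {path}")
    print("[net] beacon:", is_sshdinjector_beacon(SAMPLE_BEACON))
    print("[net] benign:", is_sshdinjector_beacon(BENIGN_PACKET))
```

Requiring both markers rather than either one keeps the content match specific; the UUID alone could in principle appear in unrelated data, but the pair together is a strong signal for this family. Feeding `host_indicators` the output of a filesystem walk, and `is_sshdinjector_beacon` the payloads captured on the two C2 ports, turns the report's indicators into a repeatable check.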
 

Recommendations

  • Update Antivirus Definitions: Ensure that all Linux-based network appliances and IoT devices have up-to-date antivirus definitions.
  • Monitor Network Traffic: Implement monitoring for unusual network traffic, particularly to the identified C2 server addresses.
  • Regular Audits: Conduct regular security audits to detect and mitigate potential threats.
  • Patch Management: Keep all systems and software updated with the latest security patches.
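
The network-monitoring recommendation is easy to make concrete, since the report names a single C2 host and two ports. The Python script below is an added example for this write-up, not FortiGuard's or ESSGroup's tooling; it reads connection records in a simple CSV shape (constructed here; on a real network you would export Zeek or NetFlow connection records into that shape) and raises an alert for every connection to the C2 host, distinguishing the two documented ports from any other port on that host. The record format, field names and sample rows are my own assumptions.

```python
"""Flag outbound connections to the ELF/Sshdinjector.A!tr C2 address.

Added example for this write-up, not FortiGuard's or ESSGroup's tooling. It
reads connection records in a simple CSV format (constructed here; feed it
exported NetFlow/Zeek connection records converted to this shape on a real
network) and raises an alert for every connection to the C2 host named in the
report, distinguishing the two documented ports from any other port on it.
"""
import csv
import io

# Report indicators, written defanged as in the IOC list and refanged for matching.
C2_HOST_DEFANGED = "45.125.64[.]200"
C2_PORTS = {33200, 33223}


def refang(indicator):
    """Turn a defanged IoC ('45.125.64[.]200') back into a matchable address."""
    return indicator.replace("[.]", ".")


C2_HOST = refang(C2_HOST_DEFANGED)


def flag_c2_connections(log_text):
    """Return (timestamp, src_ip, dst, kind) tuples for connections to the C2 host.

    kind is 'c2_known_port' for the ports in the report and 'c2_host_other_port'
    for any other port on that host, which still merits a look.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_ip"] != C2_HOST:
            continue
        port = int(row["dst_port"])
        kind = "c2_known_port" if port in C2_PORTS else "c2_host_other_port"
        alerts.append((row["ts"], row["src_ip"], f"{C2_HOST}:{port}", kind))
    return alerts


# Constructed sample records (not real traffic). Field names are assumed.
SAMPLE_LOG = """ts,src_ip,src_port,dst_ip,dst_port,proto
2024-11-20T10:01:02Z,10.0.0.5,51234,93.184.216.34,443,tcp
2024-11-20T10:01:07Z,10.0.0.12,41022,45.125.64.200,33200,tcp
2024-11-20T10:02:15Z,10.0.0.12,41030,45.125.64.200,8080,tcp
2024-11-20T10:03:00Z,10.0.0.7,55511,45.125.64.200,33223,tcp
"""

if __name__ == "__main__":
    for ts, src, dst, kind in flag_c2_connections(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} [{kind}]")
```

Matching on the host rather than only on the two ports matters: the ports can change between samples, and any traffic to that address from an appliance is worth investigating. The source IP in each alert is the host to triage with the filesystem and packet checks above.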
 

Conclusion

The ELF/Sshdinjector.A!tr malware poses a significant threat to Linux-based network appliances and IoT devices. By understanding the attack mechanism and implementing the recommended security measures, organizations can better protect their infrastructure from this sophisticated backdoor.
