DaggerFly-Linked Linux Malware Targets Network Appliances
A new malware strain, ELF/Sshdinjector.A!tr, has been linked to the DaggerFly espionage group and used in the Lunar Peek campaign to target Linux-based network appliances. Its primary function is data exfiltration.
How the Malware Works
Uncovered by cybersecurity researchers at FortiGuard Labs, the malware operates using multiple binaries that work together to infect a system:
- Dropper: Checks if the system is already infected; if not, it deploys malicious binaries
- libsshd.so: A modified SSH library that communicates with a remote command-and-control (C2) server
- Trojanized system binaries: Replace legitimate tools so that the attacker keeps access to the infected system
More specifically, the dropper first verifies that it is running with root privileges; without them it does not proceed. It then looks for a marker file, /bin/lsxxxssswwdd11vv, containing the string "WATERDROP" to determine whether the host is already compromised. If the marker is absent, the dropper overwrites legitimate system binaries such as ls, netstat and crond with trojanized versions.
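The indicators above (the WATERDROP marker file, a file named libsshd.so, and replaced copies of ls, netstat and crond) are enough for a simple host triage. The script below is an added example written for this article; it is not FortiGuard's tooling and not the malware's code. It scans a filesystem root given as a parameter, so it can run against a mounted disk image or, in the demo function, against a constructed directory tree. The candidate paths for the three binaries and the baseline hash table are assumptions; on a real host the expected hashes would come from the package manager (rpm -V, dpkg --verify) or a golden image rather than from a hard-coded dictionary.

```python
"""Host triage for the ELF/Sshdinjector.A!tr indicators named in the write-up.

Added example, not FortiGuard's or the malware author's code. Checks only
indicators the article names: the marker /bin/lsxxxssswwdd11vv containing
"WATERDROP", any file named libsshd.so, and replaced ls/netstat/crond.
"""
import hashlib
import os
import tempfile
from pathlib import Path

MARKER_PATH = "bin/lsxxxssswwdd11vv"   # marker file named in the report
MARKER_TOKEN = b"WATERDROP"            # string the dropper looks for

# Binaries the dropper overwrites; the candidate locations are an assumption.
TARGET_BINARIES = {
    "ls": ["bin/ls", "usr/bin/ls"],
    "netstat": ["bin/netstat", "usr/bin/netstat"],
    "crond": ["usr/sbin/crond", "sbin/crond"],
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_marker(root: Path) -> list:
    """Report the infection marker if present; a marker without the token is still odd."""
    p = root / MARKER_PATH
    if not p.is_file():
        return []
    if MARKER_TOKEN in p.read_bytes():
        return [f"marker {p} present and contains WATERDROP: host already infected"]
    return [f"marker {p} present without token: suspicious, investigate"]


def find_libsshd(root: Path) -> list:
    """The modified SSH library ships as libsshd.so; its directory is not fixed, so walk the tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "libsshd.so" in files:
            hits.append(f"libsshd.so found at {Path(dirpath) / 'libsshd.so'}")
    return hits


def check_binaries(root: Path, baseline: dict) -> list:
    """Compare each target binary's hash with a trusted baseline (assumed supplied by the caller)."""
    findings = []
    for name, candidates in TARGET_BINARIES.items():
        for rel in candidates:
            p = root / rel
            if not p.is_file():
                continue
            expected = baseline.get(name)
            if expected is None:
                findings.append(f"{p}: no baseline hash, cannot verify")
            elif sha256_of(p) != expected:
                findings.append(f"{p}: sha256 differs from baseline, binary replaced")
    return findings


def triage(root, baseline: dict) -> list:
    root = Path(root)
    return check_marker(root) + find_libsshd(root) + check_binaries(root, baseline)


def run_demo() -> list:
    """Build a constructed, fake filesystem tree showing a compromised host and triage it.

    File contents are placeholders, not real binaries; only netstat is 'replaced'.
    """
    base = Path(tempfile.mkdtemp(prefix="sshdinjector-demo-"))
    for d in ("bin", "usr/lib", "usr/sbin"):
        (base / d).mkdir(parents=True)
    (base / "bin" / "ls").write_bytes(b"GOOD-LS")
    (base / "bin" / "netstat").write_bytes(b"TROJANED-NETSTAT")
    (base / "usr" / "sbin" / "crond").write_bytes(b"GOOD-CROND")
    (base / "bin" / "lsxxxssswwdd11vv").write_bytes(b"WATERDROP\n")
    (base / "usr" / "lib" / "libsshd.so").write_bytes(b"\x7fELF placeholder")
    # Constructed baseline: what the clean binaries are expected to hash to.
    baseline = {
        "ls": hashlib.sha256(b"GOOD-LS").hexdigest(),
        "netstat": hashlib.sha256(b"GOOD-NETSTAT").hexdigest(),
        "crond": hashlib.sha256(b"GOOD-CROND").hexdigest(),
    }
    return triage(base, baseline)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run it on a live host only from a trusted environment (a rescue image or a mounted copy of the disk): the implant replaces ls and netstat, so any triage that shells out to those tools on the suspect system is reading the attacker's output.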
Key Features of the Malware
FortiGuard Labs identified the following as key features of the malware strain:
- System infection: Overwrites key system binaries to maintain persistence
- Remote control: Uses a modified SSH library to communicate with attackers
- Data exfiltration: Extracts sensitive system information such as MAC addresses and user credentials
- Command execution: Executes arbitrary commands sent by the attacker
- Custom protocol: Talks to its C2 servers over a custom encrypted protocol, which hides commands and exfiltrated data from plain inspection
- Root privilege verification: Ensures administrative access before executing payloads
AI-Assisted Reverse Engineering
In analyzing the malware, FortiGuard researchers used AI-assisted tooling, specifically the r2ai plugin for the Radare2 reverse-engineering framework.
While the AI sped up decompilation and produced readable summaries of code, it also showed its limits: it sometimes described commands that do not exist in the binary and left out details. FortiGuard said human analysts were therefore essential to verify findings, correct inaccuracies and steer the investigation.
To mitigate the risk, administrators of Linux systems and network appliances are advised to apply vendor updates, monitor network traffic for unusual outbound connections and deploy endpoint protection on the hosts. Because this implant replaces ls and netstat, output from those tools on a suspect host cannot be trusted; verify binaries against package-manager checksums or inspect the disk from a separate boot image.