
New trojan hijacks Linux and IoT devices – Source: www.csoonline.com


Source: www.csoonline.com – Author:

The trojan has been used in attacks since mid-November 2024 to infect and remotely control systems and exfiltrate data such as user credentials or MAC addresses.

There’s a new trojan on the block, one that specifically targets network appliances and internet of things (IoT) devices running the open-source Linux operating system.

FortiGuard Labs has identified a new malware kit, dubbed “ELF/Sshdinjector.A!tr”, that has the ability to infect and remotely control systems, establish root privilege, maintain malware presence, exfiltrate data such as user credentials or Media Access Control (MAC) addresses, execute commands from remote masters, and communicate with them securely.

The trojan has been used in attacks since mid-November 2024, FortiGuard Labs researchers report, and is attributed to the long-running Chinese cyber-espionage group Evasive Panda, also known as DaggerFly.

How ELF/Sshdinjector.A!tr works

ELF/Sshdinjector.A!tr is a collection of malware that can be injected into the secure shell daemon (sshd), the program that provides encrypted communications between two untrusted hosts over an insecure network such as the internet. Once injected, it allows attackers to perform a broad range of actions without users’ knowledge. Fortinet has not revealed how the devices are initially breached.

The attack uses several binary files containing harmful code. An initial “dropper” checks whether the device is already compromised by looking for a specific file, /bin/lsxxxssswwdd11vv, containing the word “WATERDROP”, and by checking whether it has root access (the highest level of access permissions).

If the device isn’t already infected, the malware drops several malicious binaries, including an SSH library, which communicates with a remote bot master, or command and control (C2) server. The C2 instructs the malware to gather information, monitor processes, steal credentials, and execute remote commands.

Several other binaries then work to ensure that the host remains infected (what’s known as malware persistence: the ability of the malware to survive a program, browser, or computer being shut down).
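The dropper’s marker check described above can be turned around into a host check. The following script is an added example, not code from the article or from Fortinet: it looks for the marker file and string the write-up names, and lists files mapped into a running sshd that sit outside the usual system directories (the allow-list of directories and the ROOT prefix, which lets the check run against a mounted image or a test directory, are assumptions).

```shell
#!/bin/sh
# Added detection helper (not from the article or Fortinet). Assumed: checks
# run relative to a ROOT prefix; the allow-list below fits typical distributions.

MARKER_PATH="/bin/lsxxxssswwdd11vv"   # marker file named in the FortiGuard write-up
MARKER_STRING="WATERDROP"             # string the dropper expects inside it

# check_waterdrop_marker ROOT -> returns 0 if the marker file exists under ROOT
# and contains the marker string, 1 otherwise.
check_waterdrop_marker() {
    root="${1:-/}"
    f="${root%/}$MARKER_PATH"
    [ -f "$f" ] || return 1
    grep -q "$MARKER_STRING" "$f"
}

# unusual_sshd_maps MAPS_FILE -> prints each distinct file-backed mapping in a
# /proc/<pid>/maps dump whose path lies outside the system library/binary dirs.
# An injected library loaded from e.g. /tmp or /var would show up here.
unusual_sshd_maps() {
    awk '{
        path = $6
        if (path == "" || path ~ /^\[/) next            # anonymous, [heap], [stack]
        if (path ~ /^\/(usr\/)?(lib|lib64|bin|sbin)\//) next   # assumed allow-list
        if (!(path in seen)) { seen[path] = 1; print path }
    }' "$1"
}

# scan_host ROOT -> prints findings; returns 2 if the marker is present, else 0.
scan_host() {
    root="${1:-/}"
    rc=0
    if check_waterdrop_marker "$root"; then
        echo "marker file present: ${root%/}$MARKER_PATH"
        rc=2
    fi
    # Only meaningful on a live host: inspect every running sshd process.
    for pid in $(pgrep -x sshd 2>/dev/null); do
        unusual_sshd_maps "/proc/$pid/maps" | sed "s|^|sshd pid $pid maps: |"
    done
    return "$rc"
}
```

Source the file and run `scan_host /` on a live host, or `scan_host /mnt/image` against a mounted root filesystem; a non-empty mapping list is a lead to investigate, not proof of infection.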

The bot master can execute 15 commands:

  • Collect addresses and usernames and exfiltrate them;
  • List running services by analyzing files in the directory /etc/init.d;
  • Read sensitive user data from the text-based password file /etc/shadow;
  • List all running processes;
  • Test access to system logs;
  • Test access to sensitive data;
  • List directory contents;
  • Transfer files (upload or download);
  • Open a remote shell terminal to give full command-line access;
  • Execute the attacker’s commands;
  • Remove and exit malicious processes from the device’s memory;
  • Delete files;
  • Rename files;
  • Alert attackers that the malware is active (“SERVER_RET_ONLINE_ACK”);
  • Send stolen data.

In a bit of taunting from its creators, the malicious payload includes functions named “haha,” “heihei” and “xixi” (laughing, in Chinese).

Evasive Panda has been active since 2012, quite a long time for an espionage group, and has been credited with a number of recent attacks, most recently a four-month-long operation that collected data from a large, unidentified US organization with a significant presence in China.

The group’s ELF/Sshdinjector.A!tr malware has commonly been used to establish remote access connections, capture keyboard inputs, collect system information, download/upload files, drop malware, perform denial-of-service (DoS) attacks, and terminate processes.

Fortinet said the malware will be detected in its client organizations whose antivirus database is up to date, and advised customers to quarantine and delete infected files and replace them with clean backup copies.

About half of the 63 security vendors listed on VirusTotal also detect the trojan as of publication time.


Original Post url: https://www.csoonline.com/article/3816998/new-trojan-hijacks-linux-and-iot-devices.html

Category & Tags: Cyberattacks, Network Security
