A new report from FortiGuard Labs reveals that Chinese hackers are actively targeting Linux devices with a sophisticated SSH backdoor dubbed ELF/Sshdinjector.A!tr.
This malware, attributed to the DaggerFly espionage group, has been used in the Lunar Peek campaign since mid-November 2024, primarily targeting network appliances and IoT devices.
The attack involves several malicious components working in tandem. The initial entry point is a dropper, which first verifies if it has root privileges.
Experts at Fortinet identified that if the system isn't already compromised, the dropper deploys a suite of malicious binaries, including a modified SSH library named "libsshd.so" and infected versions of common utilities like "ls", "netstat", and "crond".
![Overview of ELF/Sshdinjector (Source: Fortinet)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6bo4j7dUP2C_-oQpLhocl2jtsrBdM8xYTk3Vj639ZlVk0NtXnb2EuWTWVqf2Z4StGdUEIAkGpypRJGx0n1F7A0yG7Q7P5hl1sG00tTzKyiuF0_oTlWo4XL1ubEizxY6HguwHrfO9cdx0GgFSxmZrD73uAQ2jYMoCYkmynyaV-qnW3gSPQzp-R2PJYgu4/s16000/Overview%20of%20ELF%20-%20Sshdinjector%20(Source%20-%20Fortinet).webp)
The "libsshd.so" library is the core of the backdoor, equipped with the capability to communicate with a remote command-and-control (C2) server.
The primary malicious functionality resides within a function named “haha,” which spawns two additional threads from functions “heihei” and “xixi” – all terms signifying laughter in Chinese.
The "xixi" function monitors the "/root/intensify-mm-inject/xxx" directory and restarts the SSH and Cron daemons if necessary.
The "heihei" function establishes a connection with the hardcoded C2 server at IP address 45.125.64[.]200 on ports 33200 or 33223, awaiting commands.
The malware uses a custom communication protocol with the C2 server, embedding a hard-coded UUID (a273079c-3e0f-4847-a075-b4e1f9549e88) and an identifier (afa8dcd81a854144) in each packet, along with the command response.
The C2 server can issue a variety of commands, including:

| Command Id | Description |
|---|---|
| 1 | "SERVER_REQ_BASE_INFO". Exfiltrates uname, MAC address, etc. to the C2 |
| 2 | Lists running services by listing files in "/etc/init.d" |
| 3 | Reads users from "/etc/shadow" |
| 4 | Lists running processes |
| 5 | Tests access to "/var/log/dmesg" |
| 6 | Tests access to "/tmp/fcontr.xml" |
| 7 | Lists a given directory |
| 8 | File transfer |
| 9 | Opens a shell terminal |
| 10 | Executes a command in the terminal |
| 11 | Unloads and exits the malicious process |
| 12 | Removes a file |
| 13 | Renames a file |
| 1000 | "SERVER_RET_ONLINE_ACK" |
| 0x80000001 | Client status change notification. Sends base info, the service list, and the contents of "/etc/shadow". |
This allows the attackers to gather system information, exfiltrate sensitive data, and execute arbitrary commands on the compromised device.
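A host-triage check built from the indicators this article lists, added here as an example and not code from Fortinet or the report: it parses `ss -tnp` output for connections to the reported C2 endpoint and flags files by known SHA256, by the UUID and identifier the backdoor embeds in every packet, or by the paths named above. The `ss` lines and file contents are constructed samples, and the function and variable names are my own.

```python
import hashlib
import re

# Indicators reported by FortiGuard Labs for ELF/Sshdinjector.A!tr (from the article above)
C2_IP, C2_PORTS = "45.125.64.200", {33200, 33223}
KNOWN_SHA256 = {
    "94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f",
    "0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb",
}
# Values the backdoor embeds in every C2 packet, and paths the article ties to the implant
EMBEDDED_MARKERS = (b"a273079c-3e0f-4847-a075-b4e1f9549e88", b"afa8dcd81a854144")
SUSPECT_PATH_FRAGMENTS = ("/root/intensify-mm-inject", "libsshd.so", "/tmp/fcontr.xml")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def find_c2_connections(ss_output):
    """Return (peer, process) pairs from `ss -tnp` text whose remote side is the C2 endpoint."""
    hits = []
    for line in ss_output.splitlines():
        endpoints = ENDPOINT_RE.findall(line)
        if len(endpoints) < 2:  # header line or no local/remote pair
            continue
        peer_ip, peer_port = endpoints[1]  # second ip:port is the remote side
        if peer_ip == C2_IP and int(peer_port) in C2_PORTS:
            proc = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
            hits.append((f"{peer_ip}:{peer_port}", proc.group(1) if proc else "unknown"))
    return hits

def scan_file(path, data):
    """Flag a file by known SHA256, embedded C2 markers, or a suspicious path."""
    reasons = []
    if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
        reasons.append("known-sha256")
    if any(marker in data for marker in EMBEDDED_MARKERS):
        reasons.append("embedded-c2-marker")
    if any(fragment in path for fragment in SUSPECT_PATH_FRAGMENTS):
        reasons.append("suspicious-path")
    return reasons

def triage(ss_output, files):
    """files maps path -> file bytes; returns the host findings as a dict."""
    flagged = {path: scan_file(path, data) for path, data in files.items()}
    return {"c2_connections": find_c2_connections(ss_output),
            "flagged_files": {p: r for p, r in flagged.items() if r}}

# Constructed sample input (not a real capture): one sshd connection to the C2, one benign one
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.20:41234 45.125.64.200:33200 users:(("sshd",pid=1337,fd=4))
ESTAB 0 0 192.168.1.20:51000 192.168.1.1:443 users:(("curl",pid=2001,fd=3))"""
SAMPLE_FILES = {"/usr/lib/libsshd.so": b"\x7fELF" + b"\x00" * 16 + EMBEDDED_MARKERS[0],
                "/usr/bin/ls": b"\x7fELF" + b"\x00" * 32}
```

Calling `triage(SAMPLE_SS, SAMPLE_FILES)` reports the sshd connection to 45.125.64.200:33200 and flags only the library, which carries the embedded UUID and the suspicious name.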
![AI extrapolation (Source: Fortinet)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6G5m3XujcLOgvoIdJKbRXDHxWxlAwa7t9v7yhmwmdyBQCZVheKzLpDoqniWMro8xvh1r34sRyBmV3R4kKe12eOoosDH9MydolkGNOIPXTCQrWh3Njq8-iepLcdmMunlLbEBMqEPYWFHNVzCiACHqcOdSE4PexFw9d23GwQkVjgD2lrcsD1fC0VG4-8to/s16000/AI%20extrapolation%20(Source%20-%20Fortinet).webp)
It is highly recommended that users of Linux-based network appliances and IoT devices ensure their antivirus definitions are up to date.
Indicators of Compromise (IOCs)

FortiGuard Labs has identified the following Indicators of Compromise (IOCs):

- SHA256: 94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f
- SHA256: 0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb
- C2 Server: 45.125.64[.]200:33200 and 45.125.64[.]200:33223