NCSC researchers have uncovered a sophisticated backdoor dubbed “Pygmy Goat” that was deployed on compromised Sophos XG firewall devices.
The malware, discovered by the National Cyber Security Centre (NCSC), provides attackers with persistent access and powerful capabilities to maintain a foothold in victim networks.
Pygmy Goat is a native x86-32 ELF shared object that leverages the LD_PRELOAD technique to inject itself into infected devices’ SSH daemon (sshd) process.
This allows the malware to hook critical functions and intercept network traffic through the firewall. The backdoor employs multiple methods to establish command and control (C2) communications.
It can monitor incoming ICMP packets for specially crafted messages containing encrypted callback information.
Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs
Additionally, it hooks the SSH accept function to search for a specific byte sequence in incoming connections, which can be used as an alternative C2 channel.
Once activated, Pygmy Goat provides attackers with an array of capabilities, including:
- Spawning remote shells (/bin/sh and /bin/csh)
- Creating cron tasks for persistence
- Capturing network packets
- Establishing a reverse SOCKS proxy to access internal networks
The malware uses TLS encryption for C2 communications and verifies the server certificate against an embedded CA certificate masquerading as one from Fortinet.
This suggests the attackers may have initially developed the backdoor to target FortiGate devices before adapting it for Sophos firewalls.
Researchers noted that while Pygmy Goat doesn’t employ novel techniques, it demonstrates a high level of sophistication in blending in with normal network traffic and responding on-demand to attacker commands.
The clean, well-structured code suggests it was developed by skilled threat actors. Given these devices’ critical role in network security, the discovery of Pygmy Goat on Sophos XG firewalls is particularly concerning.
As perimeter defenses, compromised firewalls can provide attackers with a persistent foothold and visibility into all traffic entering and leaving an organization’s network.
This incident underscores the importance of securing network infrastructure devices and monitoring them for signs of compromise. Organizations using Sophos XG firewalls should immediately check for indicators of compromise and apply any available security updates.
The NCSC has released detection rules and YARA signatures to help identify Pygmy Goat infections. Key indicators include the presence of suspicious files like “/lib/libsophos.so” and unusual Unix sockets such as “/tmp/.sshd.ipc”.
While initially found on Sophos devices, researchers warn that Pygmy Goat’s design suggests it could potentially target a broader range of Linux-based network appliances.
The malware’s flexibility and use of FortiGate-themed elements indicate the attackers may be expanding their focus to multiple firewall vendors.
This discovery follows recent reports of other threat actors targeting network infrastructure, including Mandiant’s findings on attacks against FortiGate devices using similar tactics.
As attackers increasingly focus on these critical chokepoints, organizations must prioritize the security of their network appliances and implement robust monitoring to detect and respond to such sophisticated backdoors quickly.
Continuous vigilance, prompt patching, and defense-in-depth strategies are essential in protecting against evolving network infrastructure threats.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!