June 16, 2026

DNS Africa Resource Center


New trojan hijacks Linux and IoT devices – CSO Online

There’s a new trojan on the block, one that specifically targets network appliances and internet of things (IoT) devices running the open-source Linux operating system.
FortiGuard Labs has identified a new malware kit, dubbed “ELF/Sshdinjector.A!tr”, that can infect and remotely control systems, obtain root privileges, maintain persistence, exfiltrate data such as user credentials and Media Access Control (MAC) addresses, and execute commands from, and communicate over an encrypted channel with, remote masters.
The trojan has been used in attacks since mid-November 2024, FortiGuard Labs researchers report, and is attributed to the long-running Chinese cyber-espionage group Evasive Panda, also known as DaggerFly.
ELF/Sshdinjector.A!tr is a collection of malware that is injected into the secure shell daemon (sshd), the server-side process that provides encrypted remote logins between two untrusted hosts over an insecure network or the internet. Running inside sshd lets attackers perform a broad range of actions without users’ knowledge. Fortinet has not revealed how the devices are initially breached.
The attack uses several binary files containing malicious code. An initial “dropper” checks whether the device is already compromised by looking for a specific marker file, /bin/lsxxxssswwdd11vv, containing the string “WATERDROP”, and checks whether it is running with root access (the highest level of permissions).
If the device isn’t already infected, the malware drops several malicious binaries, including an SSH library that communicates with a remote bot master, or command-and-control (C2) server. The C2 server instructs the malware to gather information, monitor processes, steal credentials, and execute remote commands.
Several other binaries then work to ensure the host remains infected (malware persistence: the ability to survive the infected process exiting or the device rebooting).
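The two concrete indicators the article gives, the marker file with the “WATERDROP” string and a foreign library loaded into sshd, can be checked on a suspect Linux or BusyBox appliance with a short script. The following is an added example written for this page, not Fortinet’s or FortiGuard Labs’ tooling: only the marker path and string come from the article, while the function names, the “standard library directory” heuristic and the sample /proc maps excerpt are assumptions made for illustration.

```shell
#!/bin/sh
# Host-triage helpers for the on-disk and in-memory indicators the article
# gives for ELF/Sshdinjector.A!tr. Added example, not Fortinet's tooling.
# Only MARKER_PATH and MARKER_STRING come from the article; the function
# names, the library-directory heuristic and SAMPLE_MAPS are assumptions.

MARKER_PATH="/bin/lsxxxssswwdd11vv"   # from the article
MARKER_STRING="WATERDROP"             # from the article

# check_marker [ROOT]
# Exit 0 when ROOT$MARKER_PATH exists and contains the marker string, 1
# otherwise. ROOT defaults to "" (the live root) so the same function can be
# pointed at a mounted firmware image or forensic copy instead.
check_marker() {
    f="${1:-}$MARKER_PATH"
    [ -f "$f" ] || return 1
    grep -q "$MARKER_STRING" "$f" 2>/dev/null
}

# foreign_libs_from_maps MAPS_FILE
# Print every shared object in a /proc/PID/maps dump that is not under the
# usual library directories. The directory list is a heuristic (assumption):
# a distro-built sshd maps its libraries from /lib, /lib64, /usr/lib and
# /usr/lib64 (multiarch subdirectories included). Tune it if your build
# installs libraries elsewhere, e.g. /usr/local/lib.
foreign_libs_from_maps() {
    awk '$6 ~ /\.so/ { print $6 }' "$1" | sort -u |
        grep -Ev '^/(usr/)?lib(32|64)?/' || true
}

# sshd_foreign_libs
# Apply foreign_libs_from_maps to every running process named sshd. Processes
# are located through /proc/PID/comm rather than pidof so this also works on
# minimal BusyBox-based appliances.
sshd_foreign_libs() {
    for p in /proc/[0-9]*; do
        [ "$(cat "$p/comm" 2>/dev/null)" = "sshd" ] || continue
        foreign_libs_from_maps "$p/maps" | sed "s|^|${p#/proc/}: |"
    done
}

# run_triage: report both indicators for the live host.
run_triage() {
    if check_marker; then
        echo "INFECTED: $MARKER_PATH present and contains $MARKER_STRING"
    else
        echo "marker file not found"
    fi
    hits=$(sshd_foreign_libs)
    if [ -n "$hits" ]; then
        echo "sshd maps libraries outside standard directories:"
        echo "$hits"
    else
        echo "no non-standard libraries mapped into sshd"
    fi
}

# Constructed sample of a /proc/PID/maps excerpt (not a real capture): a
# normal libc mapping plus a library injected from /tmp. Feeding it to
# foreign_libs_from_maps prints only /tmp/libssh_inject.so.
SAMPLE_MAPS='7f0a1c000000-7f0a1c1a0000 r-xp 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0a1c3b0000-7f0a1c3c0000 r-xp 00000000 fd:01 5678 /tmp/libssh_inject.so
7ffd3a000000-7ffd3a021000 rw-p 00000000 00:00 0 [stack]'

if [ "${1:-}" = "--live" ]; then
    run_triage
fi
```

Run it as `sh triage.sh --live` on the suspect host, or call `check_marker /mnt/image` against a mounted copy of the filesystem. A library flagged by `sshd_foreign_libs` is a lead, not proof: verify its package ownership and hash before concluding the daemon has been injected, and remember that a patched sshd could also hide the marker file from userland tools, so a clean result on a live system is weaker evidence than one taken from an offline image.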
The bot master can issue 15 commands to the implant.
In a bit of taunting from its creators, the malicious payload includes functions named “haha”, “heihei” and “xixi” (all renderings of laughter in Chinese).
Evasive Panda has been active since 2012, a long run for an espionage group, and has been credited with a number of recent attacks, most recently a four-month operation that collected data from a large, unidentified US organization with a significant presence in China.
The group’s ELF/Sshdinjector.A!tr malware has been used to establish remote-access connections, capture keystrokes, collect system information, download and upload files, drop further malware, perform denial-of-service (DoS) attacks, and terminate processes.
Fortinet said customers whose antivirus databases are up to date will detect the malware, and advised them to quarantine and delete infected files and replace them with clean backup copies.
About half of the 63 security vendors listed on VirusTotal also detected the trojan at the time of publication.
Taryn Plumb is a freelance writer specializing in AI and cybersecurity. She has also written about data infrastructure, quantum computing, networking hardware and software, and the metaverse. In a previous life she was a news and features reporter for The Boston Globe and numerous other outlets and business journals. She is also the author of several regional history books.