Date: 2025-02-04

A new malware strain, ELF/Sshdinjector.A!tr, has been linked to the DaggerFly espionage group and used in the Lunar Peek campaign to target Linux-based network appliances. Its primary function is data exfiltration.

How the Malware Works

Uncovered by cybersecurity researchers at FortiGuard Labs, the malware operates using multiple binaries that work together to infect a system:

Dropper: Checks if the system is already infected; if not, it deploys malicious binaries

libsshd.so: A modified SSH library that communicates with a remote command-and-control (C2) server

Other infected binaries: Ensure continued access to the infected system

More specifically, the dropper verifies if it has root privileges before proceeding. It then searches for a specific file named /bin/lsxxxssswwdd11vv containing the word “WATERDROP” to determine if the system is already compromised. If not, the malware overwrites legitimate system binaries such as ls, netstat and crond with infected versions.
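A host-side check for the markers just described, added here as an example and not FortiGuard's or the article's own code; it assumes a root argument (a mount point of the filesystem to inspect, or empty for the live host) and the binary paths /bin/ls, /bin/netstat and /usr/sbin/crond, which vary by distribution:

```shell
#!/bin/sh
# Host-side triage for the infection markers described above. Added example,
# not FortiGuard's tooling. The root argument is an assumption: a mount point
# of the filesystem to inspect ("" for the live host), so it also runs on images.

# The dropper's own "already infected" test is the file
# /bin/lsxxxssswwdd11vv containing WATERDROP, so its presence is a hit.
# Returns 0 when the marker is present, 1 otherwise.
has_waterdrop_marker() {
    f="${1:-}/bin/lsxxxssswwdd11vv"
    [ -f "$f" ] && grep -q 'WATERDROP' "$f"
}

# Record SHA-256 of the binaries the dropper overwrites (ls, netstat, crond;
# paths assumed) plus any extra paths given as arguments. Output "hash  path".
# Take the baseline from a known-good host or image, never the suspect one.
record_baseline() {
    root="$1"; shift
    for p in /bin/ls /bin/netstat /usr/sbin/crond "$@"; do
        [ -f "$root$p" ] || continue
        h=$(sha256sum "$root$p" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$p"
    done
}

# Compare a baseline against a root. Prints each changed or missing path;
# returns 1 if anything differs, 0 when every recorded binary matches.
verify_baseline() {
    root="$1"; baseline="$2"; rc=0
    while read -r want p; do
        [ -n "$p" ] || continue
        if [ ! -f "$root$p" ]; then
            printf 'MISSING  %s\n' "$p"; rc=1; continue
        fi
        have=$(sha256sum "$root$p" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { printf 'CHANGED  %s\n' "$p"; rc=1; }
    done < "$baseline"
    return $rc
}

# Combined verdict for one root: 0 = no indicator seen, 1 = indicator found.
triage() {
    root="$1"; baseline="$2"; hit=0
    if has_waterdrop_marker "$root"; then
        echo "WATERDROP marker present at /bin/lsxxxssswwdd11vv"; hit=1
    fi
    verify_baseline "$root" "$baseline" || hit=1
    return $hit
}
```

Run `record_baseline "" > baseline.txt` on a trusted host, then `triage "" baseline.txt` (or `triage /mnt/image baseline.txt`) on the suspect system; a package-manager verify such as `rpm -Vf /bin/ls` or `dpkg -V coreutils` is an independent second opinion.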

Key Features of the Malware

FortiGuard Labs identified the following as key features of the malware strain:

System infection: Overwrites key system binaries to maintain persistence

Remote control: Uses a modified SSH library to communicate with attackers

Data exfiltration: Extracts sensitive system information such as MAC addresses and user credentials

Command execution: Executes arbitrary commands sent by the attacker

Custom protocol: Uses an encrypted protocol for secure communication with C2 servers

Root privilege verification: Ensures administrative access before executing payloads

AI-Assisted Reverse Engineering

In analyzing the malware, FortiGuard researchers used AI-assisted tooling, including Radare2’s r2ai extension, for reverse engineering.

While AI accelerated decompilation and produced simpler code summaries, it also showed its limitations, such as inventing commands that do not exist in the binary or omitting details. As a result, FortiGuard said human analysts were crucial in verifying findings, correcting inaccuracies and guiding the investigation.

To mitigate risks, security professionals managing Linux systems are advised to apply updates, monitor network activity for unusual behavior and employ advanced endpoint protection.