# Chinese hacking group Evasive Panda uses ELF/Sshdinjector.A!tr malware to hijac...
In a recent surge of cyber-espionage activities, the Chinese hacking group Evasive Panda, also known as DaggerFly, has unleashed a sophisticated malware attack targeting network appliances. The attack, which began in mid-November 2024, leverages a newly discovered attack suite called **ELF/Sshdinjector.A!tr**, injecting malicious code into the SSH daemon for **persistent access** and **covert operations**. This highly organized breach has sparked significant concern in the cybersecurity landscape, as it enables the hackers to remain undetected and gain full control over compromised systems.
#### **What is ELF/Sshdin.jector.A!tr?**
The **ELF/Sshdinjector.A!tr** is a malware component injected directly into the SSH daemon, which is a core process on network appliances that allows secure remote communication. Once installed, it enables attackers to perform an array of covert operations, including **system reconnaissance**, **data exfiltration**, **credential theft**, and remote control of the device.
Researchers at **Fortinet's FortiGuard Labs** have disclosed that this malware suite is highly evasive and designed to operate **without detection**, even if the device is actively monitored. The malware acts as a **backdoor**, allowing hackers to execute malicious commands and extract critical data from compromised machines over extended periods.
#### **Attack Sequence**
The infiltration begins when the attackers deploy a dropper onto the device. This dropper checks whether the device is **already infected** and confirms that it is running with **root privileges**. If both conditions are met, several malicious binaries are dropped onto the target device. Among these, the **SSH library (_libsshd.so_)** is the key backdoor component that facilitates **Command and Control (C2) communications** and **data exfiltration**.
##### **Malicious Binaries Involved:**
1. **libsshd.so** - Main backdoor for C2 communication.
2. **mainpasteheader** and **selfrecoverheader** - These help in maintaining persistence, ensuring that the malware remains active, even after a reboot or system recovery.
#### **Key Malware Functions**
Once installed, _ELF/Sshdinjector.A!tr_ provides a comprehensive toolkit for the attackers, supporting a range of **remote and covert activities**. The malware is capable of executing up to **fifteen distinct commands**, designed to infiltrate deeper into the compromised system and secure sensitive information. Below are the key actions this malware can perform:
1. **System Information Collection:**
   - Gathers crucial system details like the **hostname**, **MAC address**, and other identifying information.
   - The collected data is then **exfiltrated** to the attacker, where it can be used for further exploitation or to identify additional targets.
2. **Service Enumeration:**
   - Identifies installed services by reading the scripts in **_/etc/init.d_**. This tells the attackers which services and configurations are present on the system.
3. **Credential Theft:**
   - The malware can **read sensitive user data** from critical files such as **/etc/shadow**, which contains hashed user passwords.
   - Once the credentials are stolen, they can be used to access other systems in the network.
4. **Process Monitoring:**
   - Retrieves a list of **active processes** running on the system, allowing attackers to monitor and manipulate ongoing operations.
5. **Log File Exfiltration:**
   - Attempts to read **/var/log/dmesg**, which contains kernel log messages that may reveal vulnerabilities or prior activity.
   - The malware can also attempt to read _**/tmp/fcontr.xml**_, potentially looking for additional sensitive data.
6. **File Manipulation:**
   - Allows the attackers to **list the contents** of directories, **upload/download files**, **rename files**, **delete specific files**, and even execute **remote commands** on the infected device.
7. **Remote Command Execution:**
   - The attackers can execute arbitrary commands, enabling them to take full control over the system.
8. **Persistence and Clean-up:**
   - The malware maintains its **persistence** on the infected device and can stop and remove its processes from memory on command, making it harder for the victim to identify and remove the threat.
   - It also cleans up its traces by deleting logs or other system records that could lead to detection.
9. **Exfiltration of Stolen Data:**
   - Steals system information, service lists, and user credentials and sends them back to the attackers' Command and Control servers.
10. **Covert Communication:**
    - The malware notifies the attacker when it has been successfully **activated** and is operational.
#### **How Does the Malware Operate Unnoticed?**
ELF/Sshdinjector.A!tr is designed for stealth. Because it injects directly into the SSH daemon, the malware runs as part of a legitimate system process, which makes it very difficult to detect through traditional security measures. The use of **binary injection** means the malware is present on the system without alerting security software, allowing it to function covertly for long periods.
This method also allows the malware to remain **persistent**, even if the system is rebooted or temporarily patched. Unlike typical malware, which may be removed by rebooting or system scans, this type of injection guarantees that the hacker remains in control of the compromised device.
#### **AI in Malware Analysis**
In an effort to analyze this malware, FortiGuard researchers leveraged **AI-assisted tools** to reverse-engineer and dissect ELF/Sshdinjector.A!tr. While traditional disassemblers and decompilers were used in the past, AI tools proved to be more effective in identifying and tracking the malware's behavior in real time. These AI tools provided insight into previously undocumented parts of the malware and helped in the **deeper analysis** of its communication patterns and data exfiltration methods.
However, Fortinet also highlighted the challenges faced by AI, including issues like **hallucination**, **extrapolation**, and **omissions** in the analysis. Nevertheless, the potential of AI in cybersecurity is clear, offering significant improvements in how malware is detected and neutralized.
#### **Who is Behind the Attack?**
Evasive Panda (also known as **DaggerFly**) is a Chinese cyber-espionage group that has been active since 2012. This group has been behind a series of **highly targeted attacks**, including **novel macOS backdoor deployments**, **supply chain attacks** via ISPs in Asia, and a four-month-long espionage campaign against U.S. organizations.
Their operations typically target organizations with significant geopolitical value, allowing them to conduct long-term intelligence-gathering missions. This attack against SSH daemons marks a new chapter in their sophisticated and evolving tactics. The ability to exploit network appliances for persistent control is a testament to the **advanced capabilities** of this cyber-espionage group.
#### **Fortinet's Protection Against ELF/Sshdinjector.A!tr**
Fortunately, Fortinet's **FortiGuard AntiVirus** service has already implemented defenses against ELF/Sshdinjector.A!tr. The threat is detected under the signatures *ELF/Sshdinjector.A!tr* and *Linux/Agent.ACQ!tr*, ensuring that affected users and organizations are already protected against the attack.
#### **Mitigation and Recommendations**
Organizations are urged to take the following actions to mitigate risks:
1. **Regular Security Audits:** Conduct routine checks on network appliances for unusual behavior or signs of compromise.
2. **Implement SSH Security Best Practices:** Use strong authentication methods, such as **public key authentication**, to prevent unauthorized access to SSH daemons.
3. **Monitor System Processes:** Watch for any anomalous processes running under root privileges that could indicate a malware injection.
4. **Use AI-powered Security Tools:** Leverage AI-assisted tools to detect sophisticated malware that might evade traditional antivirus programs.
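One concrete way to act on recommendation 3 against the injection technique described above is to inspect what is mapped into each running `sshd` and flag shared objects that did not come from the system library directories, or whose names match the dropped components named in this article. This is example code added here, not Fortinet's or the article's own tooling; it assumes a Linux host with `/proc`, a glibc-style library layout in `TRUSTED_PREFIXES`, and root privileges to read other processes' memory maps.

```python
"""Defender check: flag shared objects mapped into sshd from outside the system library dirs."""
import os

# Component names are taken from the article; the trusted-path layout is an assumption.
SUSPECT_NAMES = {"libsshd.so", "mainpasteheader", "selfrecoverheader"}
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")  # glibc-style layout


def parse_maps(maps_text):
    """Return the distinct file-backed paths from /proc/<pid>/maps content, in map order."""
    paths = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [path]
        if len(fields) == 6 and fields[5].startswith("/") and fields[5] not in paths:
            paths.append(fields[5])
    return paths


def suspicious_mappings(maps_text):
    """Shared objects outside trusted dirs, or any file named like a dropped component."""
    flagged = []
    for path in parse_maps(maps_text):
        base = os.path.basename(path)
        is_shared_object = base.endswith(".so") or ".so." in base
        if base in SUSPECT_NAMES or (is_shared_object and not path.startswith(TRUSTED_PREFIXES)):
            flagged.append(path)
    return flagged


def scan_sshd_processes():
    """Live check on a Linux host: {pid: [flagged paths]} for every process named sshd."""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if open(f"/proc/{pid}/comm").read().strip() != "sshd":
                continue
            hits = suspicious_mappings(open(f"/proc/{pid}/maps").read())
        except OSError:
            continue  # process exited, or maps not readable without root
        if hits:
            results[int(pid)] = hits
    return results


# Constructed sample maps (not real captures): a clean sshd, and one with a library injected from /tmp.
SAMPLE_CLEAN = """\
55d0a4e00000-55d0a4e10000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
7f3c2a000000-7f3c2a02a000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
"""
SAMPLE_INJECTED = SAMPLE_CLEAN + "7f3c2a200000-7f3c2a210000 r-xp 00000000 fd:01 9999 /tmp/libsshd.so\n"

if __name__ == "__main__":
    for pid, hits in scan_sshd_processes().items():
        print(f"sshd pid {pid}: unexpected mappings {hits}")
```

A hit is a lead, not proof: verify the flagged file's package ownership and hash before treating the appliance as compromised.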