This article investigates the ELF/Sshdinjector.A!tr malware, attributed to the DaggerFly group, focusing on its reverse engineering and functionality. The malware targets Linux-based network appliances and IoT devices and is rated a medium-severity threat with potential for data exfiltration. The article highlights techniques such as the precise method of binary infection and remote command execution.
Affected: Linux-based network appliances, IoT devices
Key points:
- The ELF/Sshdinjector.A!tr malware is linked to the DaggerFly espionage group, used during the Lunar Peek campaign.
- It comprises several binaries including a dropper, malicious SSH library (libsshd.so), and persistence mechanisms.
- The dropper checks whether the host is already infected by looking for specific files before deploying the malware.
- Malicious payload functions allow data exfiltration and command execution via a remote C2 server.
- The AI-assisted reverse engineering process improved understanding of the malware but highlighted issues of hallucination and omission.
- Fortinet’s FortiGuard Labs already provides protections against this malware variant.
MITRE Techniques:
- TA0001 – Initial Access: The dropper checks for root access and attempts to inject malicious binaries.
- TA0011 – Command and Control: The malware connects to a remote C2 server at a hard-coded IP address (45.125.64[.]200).
- TA0040 – Exfiltration: Exfiltrates sensitive information (e.g., uname, MAC address) to the C2 server.
- TA0020 – Credential Access: The malware reads user information from /etc/shadow.
- TA0002 – Execution: Executes commands locally and remotely through a shell terminal.
Indicators of Compromise:
- [SHA-256] 94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f
- [SHA-256] 0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb
- [SHA-256] 6d08ba82bb61b0910a06a71a61b38e720d88f556c527b8463a11c1b68287ce84
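A host-triage helper built from the indicators listed above, added here as an example and not code from the article or from FortiGuard Labs. It hashes files under a directory against the three SHA-256 values, flags a file carrying the malicious library's name libsshd.so for manual review, and matches connection records against the hard-coded C2 address with boundaries so that a longer address such as 145.125.64.200 does not produce a false hit; the connection records are constructed samples.

```python
# Added triage helper (not code from the article or FortiGuard Labs): match files
# against the summary's SHA-256 IoCs and connection records against the C2 IP.
import hashlib
import os
import re

IOC_SHA256 = {
    "94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f",
    "0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb",
    "6d08ba82bb61b0910a06a71a61b38e720d88f556c527b8463a11c1b68287ce84",
}
C2_IP = "45.125.64.200"  # the article writes it de-fanged as 45.125.64[.]200
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")  # 145.125.64.200 must not match

def classify(name, digest):
    """Reason string if (filename, sha256 hex) matches an indicator, else None."""
    if digest.lower() in IOC_SHA256:
        return "sha256 matches ELF/Sshdinjector.A!tr IoC"
    if name == "libsshd.so":  # name alone is weak evidence, hence the note
        return "filename matches the malicious SSH library (verify manually)"

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_files(root):
    """Walk root; return (path, digest, reason) for each flagged regular file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if reason := classify(name, digest):
                hits.append((path, digest, reason))
    return hits

def scan_connections(lines):
    """Return connection records (e.g. `ss -tn` lines) that reference the C2 IP."""
    return [line for line in lines if C2_RE.search(line)]

SAMPLE_CONNS = [  # constructed sample records in roughly `ss -tn` shape
    "ESTAB 0 0 192.168.1.20:51522 45.125.64.200:443",
    "ESTAB 0 0 192.168.1.20:22 192.168.1.5:60110",
    "ESTAB 0 0 192.168.1.20:40000 145.125.64.200:80",
]
```

Run `scan_files` over library and temp directories on a suspect appliance and feed it live `ss -tn` output via `scan_connections`; a name-only hit on libsshd.so needs hash or vendor confirmation before it is treated as an infection.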