Custom “Pygmy Goat” Malware Used in Sophos Firewall Hack on Government Network

Summary: The UK’s National Cyber Security Centre (NCSC) has analyzed a Linux malware named “Pigmy Goat,” which backdoors Sophos XG firewall devices as part of attacks attributed to Chinese threat actors. The malware employs advanced techniques for persistence and remote access, highlighting a significant threat to network security.

Threat Actor: Chinese nation-state actors | Chinese threat actors
Victim: Sophos XG firewall devices | Sophos XG firewall

Key Point :

  • The “Pigmy Goat” malware is a rootkit that uses the LD_PRELOAD environment variable to gain backdoor access to Linux-based networking devices.
  • It monitors SSH traffic for specific “magic bytes” to identify backdoor sessions and communicates with its Command and Control (C2) server over TLS.
  • Detection measures include monitoring for specific file hashes and unusual behavior in the SSH daemon process.

Goat

UK’s National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named “Pigmy Goat” created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors.

Last week, Sophos published a series of reports dubbed “Pacific Rim” that detailed five-year attacks by Chinese threat actors on edge networking devices.

One of the custom malware used in these attacks is a rootkit that closely impersonated Sophos product file naming conventions. 

The malware, which is designed for compromising network devices, features advanced persistence, evasion, and remote access mechanisms and has a rather complex code structure and execution paths.

Although the NCSC report does not attribute the observed activity to known threat actors, it underlines similar techniques, tactics, and procedures (TTPs) to the “Castletap” malware, which Mandiant has associated with a Chinese nation-state actor.

Sophos has also disclosed the same malware in its Pacific Rim report, stating the rootkit was used in 2022 attacks linked to a Chinese threat actor known as “Tstark.”

“X-Ops identified two copies of libsophos.so, both deployed using CVE-2022-1040 — one on a high-level government device and the other on a technology partner to the same government department,” shared Sophos.

A goat in the firewall

The ‘Pygmy Goat’ malware is an x86-32 ELF shared object (‘libsophos.so’) providing threat actors with backdoor access to Linux-based networking devices such as the Sophos XG firewalls.

It uses the LD_PRELOAD environment variable to load its payload into the SSH daemon (sshd), allowing it to hook into the daemon’s functions and override the accept function, which processes incoming connections.

Pygmy Goat monitors SSH traffic for a specific sequence of “magic bytes” in the first 23 bytes of each package.

The "magic bytes" sequence
The “magic bytes” sequence
Source: NCSC

Once that sequence is found, the connection is identified as a backdoor session, and the malware redirects it to an internal Unix socket (/tmp/.sshd.ipc) to establish communication with its Command and Control (C2).

The malware also listens on a raw ICMP socket, waiting for packets with an AES-encrypted payload that holds IP and port information for C2 communication, which triggers a connect-back attempt over TLS.

ICMP-based exchange overview
ICMP-based exchange overview
Source: NCSC

Pygmy Goat communicates with the C2 over TLS, using an embedded certificate mimicking Fortinet’s “FortiGate” CA, a potential cover for blending into network environments where Fortinet devices are common.

When an SSH connection is established, a fake handshake with pre-set responses is triggered to create a false image of legitimacy on network monitors.

The C2 server can send Pygmy Goat commands for execution on the device, including the following:

  • Open either a /bin/sh or /bin/csh shell.
  • Start capturing network traffic via libpcap, forwarding results to C2.
  • Manage cron tasks using BusyBox to schedule activities when the actor isn’t actively connected.
  • Use the EarthWorm open-source toolkit to establish a SOCKS5 reverse proxy, allowing C2 traffic to traverse the network unseen.

Detection and defense

The NCSC report contains file hashes and YARA and Snort rules that detect the magic byte sequences and fake SSH handshake, so defenders can use them to catch Pygmy Goat activity early on.

Additionally, manual checks for /lib/libsophos.so, /tmp/.sshd.ipc, /tmp/.fgmon_cli.ipc, /var/run/sshd.pid, and /var/run/goat.pid, can reveal an infection.

It is also advisable to set up monitoring for encrypted payloads in ICMP packets and use of ‘LD_PRELOAD’ in the environment of the ‘ssdh’ process, which is unusual behavior that may indicate Pygmy Goat activity.

Source: https://www.bleepingcomputer.com/news/security/custom-pygmy-goat-malware-used-in-sophos-firewall-hack-on-govt-network