New malware linked to DaggerFly espionage group targets Linux-based network devices

Cybersecurity researchers at FortiGuard Labs have uncovered a new malware strain, identified as ELF/Sshdinjector.A!tr, which has been linked to the notorious DaggerFly espionage group. The sophisticated threat has been used as part of the Lunar Peek campaign, targeting Linux-based network appliances and specializing in data exfiltration.

The Lunar Peek campaign, attributed to the DaggerFly espionage group, primarily targets Linux-based network appliances, which are often used in enterprise environments. By infecting these appliances, the attackers gain access to sensitive internal networks, providing them with the ability to carry out further malicious activities or steal valuable data.

The malware operates through multiple coordinated binaries that work together to compromise targeted systems. It is designed for data exfiltration and stealthy persistence. The first key component of ELF/Sshdinjector.A!tr is a dropper, which first checks whether the system has already been infected before proceeding with the attack.

The dropper checks that it is running with root privileges and then looks for a unique file, /bin/lsxxxssswwdd11vv, containing the string "WATERDROP". If the file is present, the system is considered already infected and the dropper stops. If it is absent, the dropper deploys the malicious payloads and overwrites critical system binaries, such as ls, netstat and crond, with infected versions, thus ensuring continued access and persistence on the system.

The second key component is a malicious version of the SSH library (libsshd.so), which handles communication between the compromised system and the attackers' remote command-and-control (C2) server. Through it the attackers can execute arbitrary commands on the infected system, making the attack highly flexible.

The malware also deploys other infected binaries that allow it to retain access to the system even if one component is detected and removed. Once the malicious binaries are in place, the malware establishes a connection to its C2 server using an encrypted, custom protocol. Over this channel the attackers can remotely control the infected machine and exfiltrate sensitive data, including MAC addresses, user credentials and system information.

In addition to data exfiltration, the malware lets attackers execute arbitrary commands on the infected system, facilitating further exploitation or data manipulation. Because the C2 traffic is encrypted with a custom protocol, basic network monitoring sees only an opaque connection: it cannot inspect the commands sent or the data stolen, so the attackers' activity is unlikely to be detected from traffic content alone.
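The article names three host-side indicators a defender can check for: the dropper's marker file and its "WATERDROP" string, the replaced ls, netstat and crond binaries, and the libsshd.so library that talks to the C2 server. The hunting script below is an added example and is not code from the article or from FortiGuard Labs. It takes the marker path, the marker string, the binary names and the library name from the article; everything else is an assumption made here: the on-disk locations of the three binaries, the baseline file format (SHA-256 hashes captured on a known-good appliance), and that the library shows up in /proc/PID/maps once loaded into a process, which is how the detection name Sshdinjector suggests it is used. All paths are taken relative to a ROOT argument so the same checks run on a live host (ROOT empty) or on a mounted offline image of the appliance.

```shell
#!/bin/sh
# Added hunting script for the indicators described in the article; not code from
# the article or FortiGuard Labs. From the article: marker path and string, the three
# replaced binaries, the library name. Assumed here: binary locations, the baseline
# format, and that libsshd.so appears in a process's /proc/PID/maps once loaded.

MARKER_FILE="/bin/lsxxxssswwdd11vv"
MARKER_STRING="WATERDROP"
WATCHED_BINARIES="/bin/ls /bin/netstat /usr/sbin/crond"   # assumed paths
INJECTED_LIB="libsshd.so"

# hash_file FILE: print the SHA-256 of FILE (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# marker_status ROOT: "infected" if the dropper's marker exists under ROOT and holds
# the magic string, else "clean". ROOT is "" on a live host or an image mount point.
marker_status() {
    root="$1"
    f="${root}${MARKER_FILE}"
    if [ -f "$f" ] && grep -q "$MARKER_STRING" "$f" 2>/dev/null; then
        echo infected
    else
        echo clean
    fi
}

# baseline_hashes ROOT: emit "sha256  path" for each watched binary. Produce this on
# a known-good appliance or a clean firmware image and keep it off the device.
baseline_hashes() {
    root="$1"
    for b in $WATCHED_BINARIES; do
        if [ -f "${root}${b}" ]; then
            echo "$(hash_file "${root}${b}")  $b"
        fi
    done
}

# modified_binaries BASELINE ROOT: print every watched binary whose current hash
# differs from BASELINE (a missing binary is reported too). No output means intact.
modified_binaries() {
    baseline="$1"; root="$2"
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(hash_file "${root}${path}" 2>/dev/null)
        [ "$have" = "$want" ] || echo "$path"
    done < "$baseline"
}

# processes_with_lib PROC: print the pid of every process under PROC (normally /proc)
# whose memory map references the injected library.
processes_with_lib() {
    proc="$1"
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q "/${INJECTED_LIB}" "$maps" 2>/dev/null; then
            basename "$(dirname "$maps")"
        fi
    done
}

# hunt BASELINE ROOT PROC: run all three checks, print each finding, and end with a
# single verdict line, "infected" or "clean".
hunt() {
    baseline="$1"; root="$2"; proc="$3"; verdict=clean
    if [ "$(marker_status "$root")" = infected ]; then
        echo "marker present: ${root}${MARKER_FILE} contains ${MARKER_STRING}"
        verdict=infected
    fi
    mods=$(modified_binaries "$baseline" "$root")
    if [ -n "$mods" ]; then
        echo "binaries differ from baseline: $(echo "$mods" | tr '\n' ' ')"
        verdict=infected
    fi
    pids=$(processes_with_lib "$proc")
    if [ -n "$pids" ]; then
        echo "$INJECTED_LIB mapped into pid(s): $(echo "$pids" | tr '\n' ' ')"
        verdict=infected
    fi
    echo "$verdict"
}

# Command-line use (as root). On a known-good device:  sh hunt.sh --baseline > baseline.txt
# On the suspect device:                               sh hunt.sh baseline.txt "" /proc
if [ "${1:-}" = "--baseline" ]; then
    baseline_hashes "${2:-}"
elif [ "$#" -ge 1 ]; then
    hunt "$1" "${2:-}" "${3:-/proc}"
fi
```

The hash comparison only catches the three binaries the article names; on a packaged system, dpkg --verify or rpm -V covers everything the package manager installed and is the better first pass. Note that a trojanised ls or netstat cannot be trusted to list its own replacement, so run the checks from a known-good shell (for example a rescue image or a statically linked toolset copied onto the box) rather than relying on the appliance's own binaries, and treat a hit on the marker file as sufficient to isolate the device.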
