Researchers at FortiGuard Labs have analysed a Linux implant they detect as ELF/Sshdinjector.A!tr and attribute to the DaggerFly espionage group. The malware was used in the Lunar Peek campaign, which targets Linux-based network appliances, and its main purposes are persistence on the device and data exfiltration.
The Lunar Peek campaign, attributed to DaggerFly, goes after Linux-based network appliances because of where they sit: they are common in enterprise environments and often straddle the boundary between the internet and internal networks. An implant on such a device gives the attackers a foothold from which to reach internal systems, move further into the network or steal data.
The malware is not a single binary but a set of coordinated components that together compromise the device, stay resident on it and exfiltrate data. The first component of ELF/Sshdinjector.A!tr is a dropper, whose job is to confirm that the system is not already infected before deploying the rest of the toolkit.
The dropper first checks that it is running as root, then looks for a marker file, /bin/lsxxxssswwdd11vv, containing the string "WATERDROP". If the marker is present, the host is already infected. If it is absent, the dropper proceeds to deploy its payloads, overwriting system binaries such as ls, netstat and crond with trojanized versions, which gives the attackers continued access and keeps the implant in place. A practical consequence for responders: once ls, netstat and crond have been replaced, the host's own tools can no longer be trusted to report the infection, so any check should rely on binaries or hashes taken from a known-good source.
The second key component is a malicious shared library, libsshd.so, that is loaded into the SSH daemon (sshd) and handles communication between the compromised device and the attackers' command-and-control (C2) server. Through it the attackers can execute arbitrary commands on the infected system, which makes the implant highly flexible.
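The host-side indicators in this and the preceding paragraph can be checked with a small triage script. The following is an added example, not FortiGuard's code and not part of the malware sample: it looks for the WATERDROP marker file, for libsshd.so mapped into any sshd process, and for replaced system binaries, the last by comparing SHA-256 hashes against a baseline file taken from a known-good appliance image. The marker path, marker string and library name come from the report; the baseline file format (`<sha256>  <path>` per line), the function names and the ROOT parameter, which lets the same checks run against a mounted disk image instead of the live system, are this example's own assumptions. It is written in POSIX sh so it also runs under the busybox shells found on many appliances, and it assumes `sha256sum` is available.

```shell
#!/bin/sh
# Triage checks for the ELF/Sshdinjector.A!tr indicators described in the
# text. Added example, not FortiGuard code. All paths are taken relative to
# ROOT so the checks can run on a mounted image (ROOT=/mnt/img) or live (/).

MARKER_PATH="/bin/lsxxxssswwdd11vv"   # infection marker named in the report
MARKER_STRING="WATERDROP"             # string the dropper looks for in it

# check_marker ROOT: returns 0 (true) if the marker file exists and contains
# the WATERDROP string, i.e. the dropper would consider this host infected.
check_marker() {
    root="${1:-/}"
    f="${root%/}$MARKER_PATH"
    if [ -f "$f" ] && grep -q "$MARKER_STRING" "$f" 2>/dev/null; then
        echo "INFECTED: marker $f contains $MARKER_STRING"
        return 0
    fi
    echo "marker $f absent"
    return 1
}

# sshd_injected MAPSFILE: returns 0 if libsshd.so is mapped into the process
# whose /proc/<pid>/maps file is given.
sshd_injected() {
    grep -q 'libsshd\.so' "$1"
}

# list_injected_sshd ROOT: prints the PIDs of sshd processes (including the
# sshd-session children of newer OpenSSH) that have libsshd.so mapped.
list_injected_sshd() {
    root="${1:-/}"
    for p in "${root%/}"/proc/[0-9]*; do
        [ -r "$p/maps" ] || continue
        comm=$(cat "$p/comm" 2>/dev/null)
        case "$comm" in sshd*) ;; *) continue ;; esac
        if sshd_injected "$p/maps"; then
            echo "${p##*/}"
        fi
    done
}

# verify_baseline BASELINE ROOT: BASELINE holds "<sha256>  <path>" lines
# recorded from a known-good image (assumed format). Prints MODIFIED/MISSING
# for every binary that differs and returns 1 if anything differed.
verify_baseline() {
    baseline="$1"; root="${2:-/}"; bad=0
    while read -r want path; do
        [ -n "$want" ] || continue
        f="${root%/}$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; bad=1; continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $f"; bad=1
        fi
    done < "$baseline"
    return $bad
}

# scan ROOT [BASELINE]: runs all checks and returns 1 if any indicator hit.
scan() {
    root="${1:-/}"; baseline="${2:-}"; hit=0
    if check_marker "$root"; then hit=1; fi
    pids=$(list_injected_sshd "$root")
    if [ -n "$pids" ]; then
        echo "INFECTED: libsshd.so mapped into sshd PID(s): $pids"; hit=1
    else
        echo "no sshd process has libsshd.so mapped"
    fi
    if [ -n "$baseline" ]; then
        verify_baseline "$baseline" "$root" || hit=1
    fi
    return $hit
}

# Usage: sh triage.sh --scan / /media/usb/baseline.sha256
case "${1:-}" in
    --scan) scan "${2:-/}" "${3:-}" ;;
esac
```

Run the script from a known-good shell and coreutils (for example from a mounted USB stick) rather than from the appliance's own /bin, since the dropper replaces exactly the tools such a check would otherwise rely on; the baseline hashes should likewise come from a pristine firmware image, not from the device under investigation.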
The malware also installs further trojanized binaries so that it keeps access to the system even if one component is detected and removed. Once the binaries are in place, the implant connects to its C2 server using a custom, encrypted protocol. Over this channel the attackers remotely control the device and exfiltrate sensitive data, including MAC addresses, user credentials and system information.
Beyond exfiltration, the channel lets the attackers execute arbitrary commands on the infected device, which they can use for further exploitation or to manipulate data. Encrypting the traffic hides the commands and the stolen data from content inspection, so basic network monitoring will not reveal what is being sent; the connection itself, however, is still visible at the flow level, which is where defenders should look for it.