Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst www.fortinet.com/blog/thre…

ELF/Sshdinjector.A!tr is a collection of malware that can be injected into the SSH daemon. Samples of this malware collection surfaced around mid-November 2024. While we have a good amount of threat intelligence on them (e.g., they are attributed to the DaggerFly espionage group and were used during the Lunar Peek campaign against network appliances), nobody seems to have looked into what they actually do. In this blog post, we will focus on the reverse engineering of the attack’s binaries and how this reverse engineering was achieved.

The attack uses several binaries: A dropper checks if the host is infected. If not, it drops all malicious binaries (see Figure 1) at the right places. A malicious SSH library named libsshd.so communicates with a remote bot master and will typically exfiltrate information. Several other infected binaries (mainpasteheader, selfrecoverheader,…) ensure the host remains infected (malware persistence).

More precisely, the dropper checks if it is being run under root privileges and, if not, exits. It then checks whether the host is infected by searching for a file named /bin/lsxxxssswwdd11vv containing the word WATERDROP. If the host is not yet infected, it attempts to overwrite the legitimate binaries ls, netstat, and crond with infected binaries
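The indicators above (the WATERDROP marker file, the overwritten ls/netstat/crond, the dropped libsshd.so) lend themselves to a simple host integrity check. The following is an added example written for this post, not code from Fortinet or from the malware analysis; the install paths of ls, netstat and crond and the library directories searched are assumptions, and known-good digests must come from a trusted baseline.

```python
"""Defender-side host check for the ELF/Sshdinjector.A!tr indicators named in the write-up."""
import hashlib
import os
from typing import Dict, List, Optional

# Indicators from the write-up: the dropper's infection marker and the library it installs.
MARKER_PATH = "/bin/lsxxxssswwdd11vv"
MARKER_WORD = b"WATERDROP"
MALICIOUS_LIBRARY = "libsshd.so"
# Assumed install locations of ls, netstat and crond (distribution dependent).
WATCHED_BINARIES = ["/bin/ls", "/bin/netstat", "/usr/sbin/crond"]
# Assumed directories to search for the malicious SSH library; the write-up gives no path.
LIBRARY_DIRS = ["/lib", "/lib64", "/usr/lib", "/usr/lib64"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def marker_indicates_infection(content: Optional[bytes]) -> bool:
    """The dropper treats the host as infected when the marker file contains WATERDROP."""
    return content is not None and MARKER_WORD in content


def check_snapshot(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Evaluate a path->bytes snapshot against a baseline of known-good SHA-256 digests."""
    findings = []
    if marker_indicates_infection(files.get(MARKER_PATH)):
        findings.append(f"infection marker present: {MARKER_PATH}")
    for path in files:
        if os.path.basename(path) == MALICIOUS_LIBRARY:
            findings.append(f"malicious SSH library present: {path}")
    for path, expected in baseline.items():
        if path in files and sha256_hex(files[path]) != expected:
            findings.append(f"watched binary differs from baseline: {path}")
    return findings


def snapshot_host() -> Dict[str, bytes]:
    """Read the marker, the watched binaries and any libsshd.so from the live filesystem."""
    paths = [MARKER_PATH] + WATCHED_BINARIES
    for d in LIBRARY_DIRS:
        if os.path.isdir(d):
            paths += [os.path.join(d, n) for n in os.listdir(d) if n == MALICIOUS_LIBRARY]
    snap = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                snap[p] = fh.read()
    return snap
```

Run `check_snapshot(snapshot_host(), baseline)` as root on the host under review, with `baseline` holding the package manager's or a clean image's digests of the watched binaries.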
