Introduction

This document analyzes ELF/Sshdinjector, a Linux dropper that the referenced reporting attributes to the Daggerfly group [2] [3]. The dropper replaces system binaries and hooks the SSH daemon to establish persistence and give the operator remote control of the host.

Description

The dropper first checks that it is running as root and then tests whether the host is already infected by looking for a marker file, /bin/lsxxxssswwdd11vv, containing the word “WATERDROP.” If no marker is found, it overwrites legitimate system binaries [1] [3], including ls [2] [3], netstat [1] [2] [3], and crond [1] [2] [3], with trojanized copies [2] [3]. A consequence worth stating plainly: once ls and netstat are replaced, the tools an administrator would normally use to list files and inspect connections can no longer be trusted on that host.

The dropper also infects the SSH daemon through a modified shared library, libsshd.so, whose main payload lives in a function called “haha.” That function starts two further threads, named “heihei” and “xixi.” The “xixi” thread verifies that a designated directory is still accessible and can restart the SSH and cron daemons when needed. The “heihei” thread connects to a command-and-control (C2) server at the hard-coded IPv4 address 45.125.64.200 and waits for commands over a custom protocol [1]. Every packet carries a hard-coded UUID (a273079c3e0f4847a075b4e1f9549e88) and an identifier (afa8dcd81a854144) [1]; because both are static, they serve as indicators on disk, in memory, and in captured traffic.

To keep its foothold [1], the malware ships additional binaries, including selfrecoverheader and mainpasteheader [1], which maintain its persistence and so preserve access to the compromised environment.
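The checks a responder would run against the indicators above, written here as an added example for this report (it is not code from Fortinet, from the referenced articles, or from the malware). It reads /proc/net/tcp directly instead of trusting the host's netstat, which the dropper replaces; converts the C2 address into the kernel's host-byte-order hex form; tests the /bin/lsxxxssswwdd11vv marker; and searches files for the hard-coded UUID and identifier in both ASCII-hex and raw-byte form. The TROJANED_PATHS install locations are assumptions, SAMPLE_PROC_NET_TCP is constructed test data, and the byte-order default assumes a little-endian host.

```python
#!/usr/bin/env python3
"""Host triage for the indicators described in this report.

Added example; not code from Fortinet, the Daggerfly reporting, or the malware.
Indicator values are those quoted in the Description. TROJANED_PATHS is an
assumption and SAMPLE_PROC_NET_TCP is constructed data for offline runs.
"""
import json
import socket
import struct
import sys

MARKER_PATH = "/bin/lsxxxssswwdd11vv"   # the dropper's "already infected" marker
MARKER_WORD = b"WATERDROP"               # content the dropper expects in it
C2_IP = "45.125.64.200"                  # hard-coded C2 address
# Static values carried in every C2 packet, in ASCII-hex and raw-byte form.
# An obfuscated or differently encoded copy would not match (see usage note).
INDICATOR_BYTES = (
    ("uuid-ascii", b"a273079c3e0f4847a075b4e1f9549e88"),
    ("uuid-raw", bytes.fromhex("a273079c3e0f4847a075b4e1f9549e88")),
    ("ident-ascii", b"afa8dcd81a854144"),
    ("ident-raw", bytes.fromhex("afa8dcd81a854144")),
)
# Assumed install locations of the replaced binaries; adjust per distribution.
TROJANED_PATHS = ("/bin/ls", "/bin/netstat", "/usr/sbin/crond", "/usr/lib/libsshd.so")
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


def proc_net_tcp_addr(ip: str, little_endian: bool = (sys.byteorder == "little")) -> str:
    """Render an IPv4 address the way /proc/net/tcp prints it.

    The kernel emits the address as a 32-bit integer in host byte order, so on
    little-endian hosts (x86-64, most arm64) the octets appear reversed:
    45.125.64.200 -> 'C8407D2D'.
    """
    fmt = "<I" if little_endian else ">I"
    return f"{struct.unpack(fmt, socket.inet_aton(ip))[0]:08X}"


def find_c2_sockets(proc_net_tcp: str, c2_ip: str = C2_IP,
                    little_endian: bool = (sys.byteorder == "little")) -> list:
    """Return sockets whose remote peer is the C2 address.

    Parses the /proc/net/tcp text itself rather than running netstat, because
    the dropper replaces netstat with a trojanized copy that may hide the socket.
    """
    want = proc_net_tcp_addr(c2_ip, little_endian)
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:      # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        rem_addr, rem_port = fields[2].split(":")
        if rem_addr.upper() != want:
            continue
        hits.append({"local": fields[1],
                     "remote_port": int(rem_port, 16),
                     "state": TCP_STATES.get(fields[3], fields[3]),
                     "inode": int(fields[9])})       # resolve to a PID via /proc/*/fd
    return hits


def marker_status(content) -> str:
    """None (path absent) -> 'clean'; WATERDROP present -> 'infected';
    any other content is still 'suspicious', since the path should not exist."""
    if content is None:
        return "clean"
    return "infected" if MARKER_WORD in content else "suspicious"


def indicators_in(data: bytes) -> list:
    """Labels of the hard-coded C2 identifiers found in a byte blob."""
    return [label for label, needle in INDICATOR_BYTES if needle in data]


def read_bytes(path: str):
    """Read a file's bytes, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def triage(proc_net_tcp: str, paths=TROJANED_PATHS, marker_path: str = MARKER_PATH) -> dict:
    """Combine the marker, socket and file-indicator checks into one report."""
    flagged = {}
    for path in paths:
        found = indicators_in(read_bytes(path) or b"")
        if found:
            flagged[path] = found
    return {"marker": marker_status(read_bytes(marker_path)),
            "c2_sockets": find_c2_sockets(proc_net_tcp),
            "files_with_indicators": flagged}


# Constructed /proc/net/tcp excerpt for offline testing: one listener, one
# session to the C2 address (0F02000A is 10.0.2.15, C8407D2D is 45.125.64.200)
# and one unrelated session to 8.8.8.8:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18233 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B9E2 C8407D2D:2329 01 00000000:00000000 00:00000000 00000000     0        0 31907 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:8E0C 08080808:01BB 01 00000000:00000000 00:00000000 00000000     0        0 31910 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # On a live host read the real table; elsewhere fall back to the sample.
    table = read_bytes("/proc/net/tcp")
    print(json.dumps(triage(table.decode() if table else SAMPLE_PROC_NET_TCP), indent=2))
```

Run it as root with a known-good Python on the suspect host, or point the functions at files and a copy of /proc/net/tcp collected into an image. Two caveats: the indicator scan only finds the identifiers if they are stored in one of the two encodings above (a packed or XOR-obfuscated copy is missed), and a hit proves presence while an empty report does not prove absence. For the binaries themselves, compare hashes with package-manager manifests (rpm -V or dpkg --verify) or, better, with hashes taken from a trusted offline source, since the package database on the host may also have been touched.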

Conclusion

This dropper gives an attacker persistent, root-level remote control of infected hosts. Detection should concentrate on the two things the description makes concrete: modifications to ls, netstat, crond and the library loaded by the SSH daemon, and traffic to the hard-coded C2 address 45.125.64.200. Because ls and netstat themselves are replaced, verify binaries against a trusted baseline (package-manager manifests or known-good hashes, ideally from an offline boot) rather than through the host's own tools, and inspect connections via /proc/net/tcp, a known-good copy of ss, or network-level telemetry rather than the installed netstat. Future variants can be expected to change the hard-coded address and identifiers and to adopt more evasive persistence, so detections should cover behaviour (rewrites of package-owned binaries, unexplained restarts of sshd and cron) as well as fixed strings. Keeping systems and security controls patched and current remains essential against such evolving threats.

References

[1] https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst
[2] https://www.infosecurity-magazine.com/news/daggerfly-linux-malware-network/
[3] https://osintcorp.net/daggerfly-linked-linux-malware-targets-network-appliances/