Chinese Hackers Deploy Stealthy SSH Backdoor to Infiltrate Network Devices

Chinese Hacking Group Targets Network Appliances with Advanced SSH Daemon Malware

A sophisticated Chinese cyber-espionage group, known as Evasive Panda (DaggerFly), has been discovered deploying a new malware suite targeting network appliances since mid-November 2024. The attack suite, dubbed “ELF/Sshdinjector.A!tr” by Fortinet’s FortiGuard researchers, infiltrates SSH daemons to maintain persistent access and conduct covert operations.

Attack Methodology:
– The malware initially checks for root privileges and existing infections
– Deploys multiple binaries, including a malicious SSH library (libssdh.so)
– Injects code into the SSH daemon for command and control (C2) communications
– Establishes persistence through specialized components
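Because the suite works by loading a rogue shared object (libssdh.so) into the SSH daemon, one host-level check a defender can run is to list the file-backed mappings of every sshd process and flag libraries that carry the reported name or that were loaded from outside the system library directories. The script below is an added example, not code from the article or from Fortinet; the set of trusted directories, the /tmp and /opt paths, and the maps excerpt are constructed for illustration.

```python
import os
import re
from pathlib import PurePosixPath

# libssdh.so is the library name reported in the article; the trusted-directory list is an assumption.
SUSPICIOUS_NAMES = {"libssdh.so"}
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")
# maps columns: address perms offset dev inode [path]; only file-backed lines carry a path
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(/\S+)$")

def mapped_files(maps_text):
    """Return the unique file-backed mappings in the order they first appear."""
    paths = [m.group(1) for m in map(MAPS_LINE.match, maps_text.splitlines()) if m]
    return list(dict.fromkeys(paths))  # dedupe while preserving first-seen order

def suspicious_mappings(maps_text):
    """Flag shared objects that match a known-bad name or live outside trusted library directories."""
    findings = []
    for path in mapped_files(maps_text):
        name = PurePosixPath(path).name
        if name in SUSPICIOUS_NAMES:
            findings.append((path, "known malicious library name"))
        elif ".so" in name and not path.startswith(TRUSTED_LIB_DIRS):
            findings.append((path, "shared object outside trusted library directories"))
    return findings

def scan_sshd_processes(proc_root="/proc"):
    """Scan each process whose comm is sshd; returns {pid: findings}. Reading other users' maps needs root."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"{proc_root}/{pid}/maps") as f:
                findings = suspicious_mappings(f.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if findings:
            results[int(pid)] = findings
    return results

# Constructed sample maps excerpt: a legitimate libssl (two segments), an injected libssdh.so, an /opt library.
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c1b0000 r-xp 00000000 fd:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f1a2c1b0000-7f1a2c1b1000 rw-p 001b0000 fd:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f1a2c200000-7f1a2c210000 r-xp 00000000 fd:01 9002 /tmp/.x/libssdh.so
7f1a2c300000-7f1a2c340000 r-xp 00000000 fd:01 9003 /opt/custom/libhelper.so
"""
```

Run `scan_sshd_processes()` as root on a live host; the path-based heuristic will also surface legitimate vendor libraries installed under /opt, so treat those hits as review items rather than confirmed infections.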

Key Capabilities:
1. System reconnaissance
2. Credential theft
3. Process monitoring
4. Remote command execution
5. File manipulation

The malware supports 15 distinct commands, enabling attackers to:
– Collect system information
– Monitor services and processes
– Access sensitive user data
– Manipulate files
– Establish remote shell access
– Execute arbitrary commands

Evasive Panda, active since 2012, has a history of sophisticated attacks, including:
– macOS backdoor deployment
– Supply chain attacks targeting Asian ISPs
– Intelligence gathering operations against U.S. organizations

Fortinet has implemented protection measures through its FortiGuard AntiVirus service, detecting the threat as ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The discovery highlights the evolving sophistication of state-sponsored cyber threats and the importance of robust network security measures.