
A sophisticated Chinese cyber-espionage group known as Evasive Panda (DaggerFly) has been discovered deploying a new malware suite against network appliances since mid-November 2024. The suite, detected as “ELF/Sshdinjector.A!tr” by Fortinet’s FortiGuard researchers, injects into the SSH daemon (sshd) to maintain persistent access and conduct covert operations.
Attack Methodology:
– The malware initially checks for root privileges and existing infections
– Deploys multiple binaries, including a malicious SSH library (libssdh.so)
– Injects code into the SSH daemon for command and control (C2) communications
– Establishes persistence through specialized components
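The injection step above leaves a trace a defender can look for: a shared object mapped into sshd that neither belongs to the system library directories nor is expected there. The Python check below is an added example, not code from the article or from Fortinet; it parses /proc/<pid>/maps, flags libraries named libssdh.so (the name the article reports) or loaded from outside system library paths, and can be applied to live sshd processes. The maps excerpt, the trusted directory list and the /tmp path are constructed assumptions.

```python
# Added example (not from the article or from Fortinet): flag shared objects
# injected into sshd by reading /proc/<pid>/maps. Sample data is constructed.
import os

# Directories a stock sshd is expected to load libraries from (assumption).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
KNOWN_BAD_LIBS = {"libssdh.so"}  # library name the article attributes to this malware

# Constructed maps excerpt: normal sshd mappings plus one injected library (placeholder path).
SAMPLE_MAPS = """\
55d0c1e00000-55d0c1e1f000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
7f3a8c200000-7f3a8c222000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8c400000-7f3a8c410000 r-xp 00000000 fd:01 9999 /tmp/.x/libssdh.so
7f3a8c600000-7f3a8c601000 r--p 00000000 00:00 0 [vdso]
"""


def mapped_libraries(maps_text: str) -> list[str]:
    """Distinct file-backed shared objects in a /proc/<pid>/maps listing."""
    libs: list[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # the backing path is the optional 6th field
        path = fields[5] if len(fields) == 6 else ""
        # Skips anonymous maps, [vdso]-style pseudo files and the executable itself.
        if ".so" in os.path.basename(path) and path not in libs:
            libs.append(path)
    return libs


def suspicious_libraries(maps_text: str) -> list[tuple[str, str]]:
    """Flag libraries by known-bad name first, then by untrusted location."""
    findings = []
    for path in mapped_libraries(maps_text):
        if os.path.basename(path) in KNOWN_BAD_LIBS:
            findings.append((path, "known malicious library name"))
        elif not path.startswith(TRUSTED_LIB_DIRS):
            findings.append((path, "loaded from outside system library dirs"))
    return findings


def scan_sshd_processes() -> list[tuple[int, str, str]]:
    """Apply the check to every live process named sshd (root needed to read maps)."""
    results = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as c, open(f"/proc/{pid}/maps") as m:
                if c.read().strip() != "sshd":
                    continue
                findings = suspicious_libraries(m.read())
        except OSError:
            continue  # process exited or /proc entry not readable
        results += [(int(pid), path, why) for path, why in findings]
    return results
```

A clean host returns an empty list from scan_sshd_processes(); any finding should be triaged against the package manager's file ownership before being treated as an infection.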
Key Capabilities:
1. System reconnaissance
2. Credential theft
3. Process monitoring
4. Remote command execution
5. File manipulation
The malware supports 15 distinct commands, enabling attackers to:
– Collect system information
– Monitor services and processes
– Access sensitive user data
– Manipulate files
– Establish remote shell access
– Execute arbitrary commands
Evasive Panda, active since 2012, has a history of sophisticated attacks, including:
– macOS backdoor deployment
– Supply chain attacks targeting Asian ISPs
– Intelligence gathering operations against U.S. organizations
Fortinet has implemented protection measures through its FortiGuard AntiVirus service, detecting the threat as ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The discovery highlights the evolving sophistication of state-sponsored cyber threats and the importance of robust network security measures.