Digital Forensics: Digital Forensics: Crypto Exchange XT Is Hacked for $1.7M Digital Forensics: The exchange said users’ funds are safe. Nov 28, 2024, 11:00 a.m. Cryptocurrency exchange XT.com has suffered a hack worth $1.7 million, according to blockchain security firm PeckShield. The stolen funds were converted to ether (ETH) and now [...]
UK’s National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named “Pigmy Goat” created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors.
One of the custom malware used in these attacks is a rootkit that closely impersonated Sophos product file naming conventions.
The malware, which is designed for compromising network devices, features advanced persistence, evasion, and remote access mechanisms and has a rather complex code structure and execution paths.
Although the NCSC report does not attribute the observed activity to known threat actors, it underlines similar techniques, tactics, and procedures (TTPs) to the “Castletap” malware, which Mandiant has associated with a Chinese nation-state actor.
Sophos has also disclosed the same malware in its Pacific Rim report, stating the rootkit was used in 2022 attacks linked to a Chinese threat actor known as “Tstark.”
“X-Ops identified two copies of libsophos.so, both deployed using CVE-2022-1040 — one on a high-level government device and the other on a technology partner to the same government department,” shared Sophos.
Computer Forensics Company: A goat in the firewall
The ‘Pygmy Goat’ malware is an x86-32 ELF shared object (‘libsophos.so’) providing threat actors with backdoor access to Linux-based networking devices such as the Sophos XG firewalls.
It uses the LD_PRELOAD environment variable to load its payload into the SSH daemon (sshd), allowing it to hook into the daemon’s functions and override the accept function, which processes incoming connections.
Pygmy Goat monitors SSH traffic for a specific sequence of “magic bytes” in the first 23 bytes of each package.
Once that sequence is found, the connection is identified as a backdoor session, and the malware redirects it to an internal Unix socket (/tmp/.sshd.ipc) to establish communication with its Command and Control (C2).
The malware also listens on a raw ICMP socket, waiting for packets with an AES-encrypted payload that holds IP and port information for C2 communication, which triggers a connect-back attempt over TLS.
Pygmy Goat communicates with the C2 over TLS, using an embedded certificate mimicking Fortinet’s “FortiGate” CA, a potential cover for blending into network environments where Fortinet devices are common.
When an SSH connection is established, a fake handshake with pre-set responses is triggered to create a false image of legitimacy on network monitors.
The C2 server can send Pygmy Goat commands for execution on the device, including the following:
Open either a /bin/sh or /bin/csh shell.
Start capturing network traffic via libpcap, forwarding results to C2.
Manage cron tasks using BusyBox to schedule activities when the actor isn’t actively connected.
Use the EarthWorm open-source toolkit to establish a SOCKS5 reverse proxy, allowing C2 traffic to traverse the network unseen.
Computer Forensics Company: Detection and defense
The NCSC report contains file hashes and YARA and Snort rules that detect the magic byte sequences and fake SSH handshake, so defenders can use them to catch Pygmy Goat activity early on.
Additionally, manual checks for /lib/libsophos.so, /tmp/.sshd.ipc, /tmp/.fgmon_cli.ipc, /var/run/sshd.pid, and /var/run/goat.pid, can reveal an infection.
It is also advisable to set up monitoring for encrypted payloads in ICMP packets and use of ‘LD_PRELOAD’ in the environment of the ‘ssdh’ process, which is unusual behavior that may indicate Pygmy Goat activity.
Digital Forensics: Serving tech enthusiasts for over 25 years. TechSpot means tech analysis and advice you can trust. In context: CovertNetwork-1658 is a stark reminder of the ongoing cat-and-mouse game between cybersecurity ...
Digital Forensics: Digital Forensics: Crypto Exchange XT Is Hacked for $1.7M Digital Forensics: The exchange said users’ funds are safe. Nov 28, 2024, 11:00 a.m. Cryptocurrency exchange XT.com has suffered a [...]
Post comments (0)