The Chinese cyberespionage group Evasive Panda, also known as Daggerfly, has used the new ELF/Sshdinjector.A!tr malware suite to take over the SSH daemon on network appliances in intrusions dating back to mid-November, BleepingComputer reports. According to an investigation by Fortinet FortiGuard Labs, the malware first verifies that the network appliance has been compromised and that it is running with root privileges before dropping the "libssdh.so" SSH library, which handles data exfiltration and command-and-control communications, together with the "mainpasteheader" and "selfrecoverheader" binaries, which provide persistence. Once the library is injected into the SSH daemon, it can execute commands that gather system information, access sensitive user data, retrieve the list of active processes, spawn a remote shell for full command-line access, and perform other malicious activity, the researchers noted. The researchers used AI-based tools to speed up their analysis of ELF/Sshdinjector.A!tr. "While disassemblers and decompilers have improved over the last decade, this cannot be compared to the level of innovation we are seeing with AI," they added.
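One defender-side check that follows from the report, as an added example that is not from Fortinet's or SC Media's material: parse a /proc/&lt;pid&gt;/maps listing for an sshd process and flag executable shared objects that carry the reported file name libssdh.so or that live outside the distribution's library directories. The addresses, inode numbers and /tmp path in the sample are constructed; only the file name libssdh.so comes from the article.

```python
"""Flag shared objects mapped into an sshd process that live outside the
distribution's library directories or match a known-bad file name.
Added illustration; the maps snippet below is constructed and only the
name libssdh.so comes from the published report."""
import re
from typing import Dict, List

# Directories where a packaged distribution normally keeps shared objects.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")
# File name reported for the injected SSH library.
KNOWN_BAD_NAMES = {"libssdh.so"}

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def mapped_objects(maps_text: str) -> List[str]:
    """Return the distinct file-backed mappings that have execute permission."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.groups()
        if "x" not in perms or not path.startswith("/"):
            continue  # anonymous, [stack]/[vdso] or non-executable mapping
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
        if path not in seen:
            seen.append(path)
    return seen


def suspicious_libraries(maps_text: str) -> List[Dict[str, str]]:
    """Flag executable shared objects that carry a known-bad name or sit
    outside the trusted library directories (the main binary is ignored)."""
    findings = []
    for path in mapped_objects(maps_text):
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_BAD_NAMES:
            findings.append({"path": path, "reason": "known-bad name"})
        elif ".so" in name and not path.startswith(TRUSTED_LIB_DIRS):
            findings.append({"path": path, "reason": "shared object outside trusted library dirs"})
    return findings


# Constructed sample: a normal sshd plus one injected library under /tmp.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0b2c000 r-xp 00000000 fd:01 1310720 /usr/sbin/sshd
7f3a4c000000-7f3a4c1d0000 r-xp 00000000 fd:01 1048580 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a4c400000-7f3a4c41c000 r-xp 00000000 fd:01 2097160 /tmp/.x/libssdh.so
7f3a4c600000-7f3a4c623000 r-xp 00000000 fd:01 1048600 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd2b3f0000-7ffd2b411000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for finding in suspicious_libraries(SAMPLE_MAPS):
        print(f"{finding['path']}: {finding['reason']}")
```

On a live host, read `/proc/<pid>/maps` for each sshd process and feed the text to `suspicious_libraries`; a renamed copy of the library is still caught by the directory check, so verify any hit against the package manager before treating it as clean.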