
Chinese Cyberspies Use New SSH Backdoor in Network Device Hacks


By WIRE TOR - Ethical Hacking Services | Published 11 months ago | 5 min read

A newly discovered cyber-espionage campaign has revealed that a Chinese hacking group, identified as Evasive Panda (also known as DaggerFly), is leveraging a sophisticated SSH backdoor to infiltrate network appliances. This campaign, active since mid-November 2024, highlights the advanced capabilities of Chinese cyber operatives and their focus on persistent, covert operations. The implications of such attacks stretch beyond individual organizations, posing risks to national security, critical infrastructure, and global supply chains.

The Discovery of ELF/Sshdinjector.A!tr

Researchers from Fortinet's FortiGuard Labs uncovered a malware suite named "ELF/Sshdinjector.A!tr," which is central to these attacks. This malware is injected directly into the SSH daemon, allowing the attackers to maintain persistent access to compromised systems. The malware suite consists of various binaries designed to facilitate command and control (C2) communications, data exfiltration, and system manipulation.

FortiGuard notes that while this malware has been observed in previous incidents, comprehensive analytical reports detailing its inner workings were lacking until now. Their research sheds light on the methods used by Evasive Panda to achieve its espionage goals, providing invaluable insights into the evolving tactics of state-sponsored actors.

A Decade of Espionage: The Evasive Panda Group

Evasive Panda has been active since at least 2012, with a history of high-profile cyber-espionage activities. Recently, the group was linked to:

  • Deploying a novel macOS backdoor.
  • Conducting supply chain attacks via ISPs in Asia.
  • Gathering intelligence from U.S. organizations during a four-month-long operation.

Their latest operations indicate a shift towards targeting network appliances, which serve as critical infrastructure in both public and private sectors. This strategic focus suggests that Evasive Panda aims to exploit the often-overlooked security gaps within network hardware to establish footholds that are difficult to detect and eradicate.

How the Attack Works

Although FortiGuard has not disclosed the initial breach vector, the infection process begins once the attackers compromise a network device. A dropper component is deployed to check whether the device is already infected and whether it is running with root privileges. If these conditions are met, several malicious binaries are installed, including:

  • libssdh.so: The primary backdoor, responsible for C2 communications and data exfiltration.
  • mainpasteheader: Assists in maintaining persistence on the infected device.
  • selfrecoverheader: Ensures the malware can recover from disruptions.

These components work in unison to ensure the attackers retain control over the compromised systems, even after reboots or security updates. The resilience of this malware highlights the need for advanced detection and response mechanisms within modern cybersecurity frameworks.
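Because the backdoor described above lives as a shared object loaded into the SSH daemon, one check a defender can run is to inspect which executable file-backed mappings a running sshd actually has. The following is an added example, not Fortinet's or the article's own code: it parses the Linux /proc/<pid>/maps text format and flags executable mappings that carry one of the component names the article lists (libssdh.so, mainpasteheader, selfrecoverheader), that are loaded from outside the directories a stock sshd normally pulls libraries from, or whose backing file has been deleted since load. The allowed-directory list and the sample maps content are constructed assumptions for illustration.

```python
"""
Hunt for a foreign shared library injected into a running sshd.

Added example (not Fortinet's or the article's code). Parses the
/proc/<pid>/maps text format and reports executable, file-backed mappings
that look out of place. ALLOWED_EXEC_PREFIXES and SAMPLE_MAPS are
constructed assumptions for illustration.
"""
import re
from pathlib import Path

# Component names taken from the article; any mapping of these is a hit.
KNOWN_BAD_NAMES = ("libssdh.so", "mainpasteheader", "selfrecoverheader")

# Assumption: on a stock Linux host sshd only maps executable code from
# these trees (system library directories plus its own binary).
ALLOWED_EXEC_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                         "/usr/sbin/sshd")

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample: a stock sshd plus two mappings that should be flagged.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a80000 r-xp 00000000 fd:01 1310720    /usr/sbin/sshd
7f3a2c000000-7f3a2c1c0000 r-xp 00000000 fd:01 2621440    /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a2c200000-7f3a2c240000 r-xp 00000000 fd:01 2621500    /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a2c300000-7f3a2c310000 r-xp 00000000 fd:01 3932160    /usr/lib/x86_64-linux-gnu/libssdh.so
7f3a2c400000-7f3a2c420000 r-xp 00000000 fd:01 4194304    /tmp/.x/loader.so (deleted)
7f3a2c500000-7f3a2c501000 r--p 00000000 fd:01 5242880    /etc/ld.so.cache
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0          [stack]
"""


def parse_maps(text):
    """Return (perms, path) for every file-backed mapping in a maps dump."""
    entries = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if path.startswith("/"):          # skips [heap], [stack], anonymous
            entries.append((m.group("perms"), path))
    return entries


def suspicious_mappings(text):
    """
    Map each suspicious path to a sorted list of reasons. Only executable
    mappings are considered: an injected library needs code pages, while
    data files such as /etc/ld.so.cache are mapped read-only.
    """
    findings = {}
    for perms, path in parse_maps(text):
        if "x" not in perms:
            continue
        base = Path(path.replace(" (deleted)", "")).name
        reasons = []
        if any(bad in base for bad in KNOWN_BAD_NAMES):
            reasons.append("known component name")
        if not path.startswith(ALLOWED_EXEC_PREFIXES):
            reasons.append("outside standard library directories")
        if path.endswith("(deleted)"):
            reasons.append("backing file deleted")
        if reasons:
            findings.setdefault(path, set()).update(reasons)
    return {p: sorted(r) for p, r in sorted(findings.items())}


def scan_process(pid):
    """Run the check against a live process on a Linux host."""
    return suspicious_mappings(Path(f"/proc/{pid}/maps").read_text())


if __name__ == "__main__":
    for path, reasons in suspicious_mappings(SAMPLE_MAPS).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run it against a live daemon with scan_process(pid) for each sshd PID (for example from pidof). Note that the known-name check matches on the basename only; libssdh.so sits in a standard library directory in the sample precisely because a name chosen to resemble libssh would pass a directory-only check, which is why both heuristics are applied. Any hit should be compared against package-manager file ownership before acting on it.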

The Infection Chain

Once injected into the SSH daemon, the malicious library awaits commands from the attackers' C2 servers. The malware supports a range of functions designed to give the attackers comprehensive control over the infected system.

Supported Commands Include:

  • System Reconnaissance: Collect system details such as hostname and MAC address.
  • Service Enumeration: List installed services by checking /etc/init.d.
  • Credential Theft: Read sensitive user data from /etc/shadow.
  • Process Monitoring: Retrieve active processes running on the system.
  • Log Access: Attempt to access /var/log/dmesg for system logs.
  • Sensitive Data Retrieval: Read potentially sensitive data from /tmp/fcontr.xml.
  • Directory Listing: List the contents of specified directories.
  • File Transfer: Upload or download files between the system and the attackers.
  • Remote Shell: Provide full command-line access to the attackers.
  • Command Execution: Execute arbitrary commands remotely.
  • Malware Cleanup: Stop and remove the malicious process from memory.
  • File Deletion: Delete specific files from the system.
  • File Manipulation: Rename files on the system.
  • Malware Activity Notification: Notify attackers that the malware is active.
  • Data Exfiltration: Send stolen system information, service lists, and user credentials.

Advanced Analysis Techniques

FortiGuard utilized AI-assisted tools to reverse engineer and analyze ELF/Sshdinjector.A!tr. The researchers noted that while AI tools faced challenges such as hallucination, extrapolation, and omissions, they demonstrated promising potential in enhancing malware analysis.

"While disassemblers and decompilers have improved over the last decade, this cannot be compared to the level of innovation we are seeing with AI," Fortinet's researchers commented. This highlights the growing role of artificial intelligence in cybersecurity defense and research, providing analysts with faster, more accurate insights into complex threats.

AI-assisted analysis enables researchers to detect patterns, identify anomalies, and predict potential attack vectors with greater precision. As cyber threats become increasingly sophisticated, leveraging AI will be crucial in staying ahead of adversaries.

Impact and Threat Landscape

The use of SSH backdoors like ELF/Sshdinjector.A!tr represents a significant threat to organizations worldwide. By compromising network appliances, attackers can bypass traditional security measures, maintain long-term access, and exfiltrate sensitive data without detection.

Evasive Panda's activities underscore the need for robust security practices, including:

  • Regular security audits of network devices.
  • Strong access control policies.
  • Continuous monitoring for unusual SSH activity.
  • Timely patching of vulnerabilities in network infrastructure.
  • Implementing multi-factor authentication (MFA) for critical systems.
  • Deploying intrusion detection and prevention systems (IDPS).

These measures can significantly reduce the risk of compromise and improve an organization's ability to detect and respond to sophisticated threats.

Fortinet's Mitigation Measures

Fortinet has confirmed that its customers are protected against this malware through its FortiGuard AntiVirus service, which detects the threats as:

  • ELF/Sshdinjector.A!tr
  • Linux/Agent.ACQ!tr

Additionally, FortiGuard shared hashes of malware samples uploaded to VirusTotal, enabling other security vendors to update their detection mechanisms. This collaborative approach within the cybersecurity community is essential for rapidly identifying and mitigating emerging threats.

Global Cybersecurity Implications

The discovery of ELF/Sshdinjector.A!tr raises concerns about the broader implications of such cyber-espionage activities. State-sponsored hacking groups often target critical infrastructure, government agencies, and major corporations to gain strategic advantages. These attacks can disrupt supply chains, compromise sensitive data, and even threaten national security.

The international community must prioritize cybersecurity cooperation, sharing intelligence, and best practices to counter these threats effectively. Collaborative efforts between governments, private sector organizations, and cybersecurity researchers are vital in building resilient defenses against state-sponsored cyber operations.

Conclusion

The discovery of ELF/Sshdinjector.A!tr and its use by the Evasive Panda group illustrates the evolving nature of cyber threats. As state-sponsored hacking groups develop more sophisticated tools, organizations must adopt proactive cybersecurity measures to defend against these threats.

The ongoing investigation into Evasive Panda's activities will likely reveal more about their capabilities and targets. Meanwhile, security professionals are urged to remain vigilant, continuously update their defenses, and collaborate with threat intelligence communities to share information and best practices.

In the face of such advanced threats, the importance of cybersecurity resilience cannot be overstated. Organizations must stay ahead of attackers through innovation, vigilance, and a commitment to robust security protocols. Investing in advanced detection technologies, employee training, and international cooperation will be key to safeguarding the digital landscape in an increasingly interconnected world.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
