The PolySwarm Blog

Evasive Panda Uses SSH Backdoor to Target Network Devices

Feb 10, 2025 1:56:30 PM / by The Hivemind

Executive Summary

Evasive Panda was recently observed using an SSH backdoor to target network devices. Detected as ELF/Sshdinjector.A!tr, the backdoor is used to hijack the SSH daemon on network appliances.

Key Takeaways

  • Evasive Panda was recently observed using an SSH backdoor to target network devices. 
  • Detected as ELF/Sshdinjector.A!tr, the backdoor is used to hijack the SSH daemon on network appliances.
  • Malware capabilities include reconnaissance, credential theft, process monitoring, RCE, and file manipulation. 

The Backdoor 

Evasive Panda was recently observed using an SSH backdoor to target network devices. Detected as ELF/Sshdinjector.A!tr, the backdoor is used to hijack the SSH daemon on network appliances by injecting malware in the process. This gives the threat actors persistent access, allowing them to conduct covert espionage operations. Fortinet recently reported on this activity. 

The initial method of infection is unknown. However, once the device is compromised, a dropper checks if the device was already infected and if it is running under root privileges. Next, the dropper drops several binaries, including an SSH library, onto the victim machine. This file serves as the main backdoor component, facilitating C2 communications and allowing threat actors to exfiltrate data. Additional binaries establish persistence. 

The SSH library is injected into the SSH daemon and awaits commands from the C2. Malware capabilities include reconnaissance, credential theft, process monitoring, RCE, and file manipulation. More specifically, there are fifteen supported commands capable of the following:

  • Collecting and exfiltrating system details
  • Checking files in /etc/init.d and listing installed services
  • Reading sensitive user data
  • Retrieving a list of active processes
  • Attempting to access system logs
  • Checking /tmp/fcontr.xml for sensitive data
  • Listing directory contents
  • Uploading and downloading files
  • Opening a remote shell
  • Remote command execution 
  • Stopping and removing the malicious process from memory
  • Deleting specific files 
  • Renaming files
  • Notifying the threat actor that the malware is active
  • Exfiltrating stolen data
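
One defensive check suggested by the injection technique described above, as an added example that is not from the PolySwarm post or Fortinet's report: it parses /proc/<pid>/maps for processes named sshd and flags shared objects mapped from outside an assumed allowlist of system library directories (the allowlist, the sample maps text and the file names in it are constructed).

```python
"""Flag shared objects mapped into sshd from outside trusted library paths.
Added example, not code from the PolySwarm post or Fortinet's analysis. /proc/<pid>/maps
is a real Linux interface; the allowlist and the sample maps text are constructed assumptions.
"""
import re
from pathlib import Path

# Assumed allowlist: where a stock Linux build keeps sshd and its libraries.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/", "/usr/sbin/")
# maps columns: address perms offset dev inode pathname (pathname only for file-backed maps)
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S.*)$")

def suspicious_libraries(maps_text, trusted=TRUSTED_DIRS):
    """Return mappings backed by files outside `trusted`, or whose file was unlinked."""
    flagged = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # anonymous mapping: no pathname column
        path = m.group(1).strip()
        if not path.startswith("/"):
            continue  # pseudo-paths such as [heap], [stack], [vdso]
        deleted = path.endswith(" (deleted)")
        clean = path[: -len(" (deleted)")] if deleted else path
        if (deleted or not clean.startswith(trusted)) and path not in flagged:
            flagged.append(path)
    return flagged

def scan_running_sshd():
    """Live check: {pid: flagged mappings} for every process whose comm name is sshd."""
    findings = {}
    for proc in Path("/proc").glob("[0-9]*"):
        try:
            if (proc / "comm").read_text().strip() != "sshd":
                continue
            hits = suspicious_libraries((proc / "maps").read_text())
        except OSError:
            continue  # process exited, or maps unreadable without root
        if hits:
            findings[int(proc.name)] = hits
    return findings
# Constructed sample: a healthy sshd mapping plus one library loaded from /tmp.
SAMPLE_MAPS = """\
5606e3a00000-5606e3a7c000 r--p 00000000 fd:01 131 /usr/sbin/sshd
7f2c1c000000-7f2c1c022000 r--p 00000000 fd:01 262 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2c1c400000-7f2c1c40a000 r-xp 00000000 fd:01 9001 /tmp/injected_example.so
7ffd5d000000-7ffd5d021000 rw-p 00000000 00:00 0 [stack]
"""
if __name__ == "__main__":
    print("sample:", suspicious_libraries(SAMPLE_MAPS))  # ['/tmp/injected_example.so']
    print("live:", scan_running_sshd())
```

A library that sshd maps from /tmp, from a home directory, or from a file that has since been unlinked is not proof of this specific backdoor, but it is exactly the kind of anomaly that warrants pulling the binary and comparing the hash against the indicators below.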

Samples of ELF/Sshdinjector.A!tr were first observed in November 2024 and were attributed to the China-nexus APT group Evasive Panda, also known as DaggerFly. The threat actor group used this malware in a campaign known as Lunar Peek.

Who is Evasive Panda?

Evasive Panda, also known as Bronze Highland and Daggerfly, is a China-aligned threat actor group. Evasive Panda has been active since at least 2012 and is known to conduct espionage campaigns against individual targets in China, Hong Kong, Macao, and Nigeria. They have also targeted government entities in Southeast and East Asia, telecommunications entities in Africa, and unspecified entities in Hong Kong, India, and Malaysia.

The group is known to use adversary-in-the-middle attacks, hijacking updates of legitimate software to deliver its backdoors. Other Evasive Panda TTPs include use of a custom malware framework with modular architecture and the MgBot and Nightdoor backdoors.

IOCs

PolySwarm has multiple samples associated with this activity.

  • 0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb
  • 94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f
  • 6d08ba82bb61b0910a06a71a61b38e720d88f556c527b8463a11c1b68287ce84

You can use the following CLI command to search for all Evasive Panda samples in our portal:

$ polyswarm link list -t EvasivePanda

Topics: Threat Bulletin, China, Linux, Evasive Panda, Daggerfly, ELF/Sshdinjector.A!tr
