U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Linux backdoor Fokirtor implements covert communication protocol

In May sophisticated attackers breached a large Internet hosting provider and gained access to internal administrative systems using a singular Linux backdoor. Symantec security researchers have discovered a Linux backdoor, dubbed Fokirtor, that implements a covert communication protocol to hide its presence. The experts revealed that the malicious code was used to compromise a large […]

Linux backdoor Fokirtor implements covert communication protocol

In May sophisticated attackers breached a large Internet hosting provider and gained access to internal administrative systems using a singular Linux backdoor.

Symantec security researchers have discovered a Linux backdoor, dubbed Fokirtor, that implements a covert communication protocol to hide its presence. The experts revealed that the malicious code was used to compromise a large hosting provider ‬in May.

The Linux backdoor masquerades its traffic within the legitimate one, in particular exploiting traffic of legitimate SSH connections.

The attackers used the Linux backdoor to syphon customer personal information including credentials and emails, the malicious code uses the Blowfish encryption algorithm to encrypt data sent back to the command-and-control servers.

linux backdoor

When the Linux backdoor infects the victim it gathers the following information from the compromised computer:

  • Peer host name and IP address
  • Peer port
  • Password
  • SSH key
  • User name

and encrypts the above information and sends it to the remote attacker.

The Trojan then opens a back door and allows a remote attacker to perform the following actions on the compromised computer: 

  • Steal files from the computer
  • Other malicious activities

According the analysis proposed by Symantec researchers  the choice of implementing a similar Linux backdoor is motivated by the fact that attackers were aware of the advanced level of security of the target, for this reason the cyber criminals needed to remain under coverage avoiding to trigger defense systems with anomalous traffic.

The attackers have disguised the legitimate processes including  Secure Shell (SSH) with their Linux backdoor as described in the post:

“This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”). After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.”

Practically the Linux backdoor doesn’t use its own communication channel, instead it exploits particular sequences of character to delimit its traffic within the legitimate data exchanged during an SSH connection.

The Symantec analysts conclude that the Linux backdoor found is different from any other Linux malicious code previously detected, because it suggests the new tactics for further malware.

Pierluigi Paganini

(Security Affairs – Linux backdoor, Malware, cybercrime)