Chinese Hackers Attacking Linux Devices With New SSH Backdoor

Feb. 5, 2025, 10:18 p.m.

Description

Chinese hackers, specifically the DaggerFly espionage group, are targeting Linux devices with a sophisticated SSH backdoor detected as ELF/Sshdinjector.A!tr. The Lunar Peek campaign, active since mid-November 2024, primarily focuses on network appliances and IoT devices. The attack involves a dropper that deploys malicious binaries, including a modified SSH library and infected versions of common utilities. The core backdoor communicates with a remote C2 server, enabling system information gathering, data exfiltration, and arbitrary command execution. The malware uses a custom communication protocol with hardcoded identifiers and can perform various actions through specific command IDs. Users are advised to keep their antivirus definitions up to date to mitigate the threat.

Date

  • Created: Feb. 5, 2025, 10:05 p.m.
  • Published: Feb. 5, 2025, 10:05 p.m.
  • Modified: Feb. 5, 2025, 10:18 p.m.

Indicators

  • 0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb
  • 94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f
  • 45.125.64.200

Attack Patterns