XZ backdoor: Hook analysis


In their first article on the XZ backdoor, Kaspersky researchers analyzed its code from initial infection to the function hooking it performs. As they mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation.

In this article, the research team will focus on the backdoor’s behaviour inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. To better understand what’s going on, they recommend you to read Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.

Read more…
Source: Kaspersky


Sign up for our Newsletter


Related:

  • Phishing attacks leveraging HTML code inside SVG files

    April 21, 2025

    With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to ...

  • Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

    April 16, 2025

    In December 2024, Palo Alto Unit 42 researchers uncovered an attack chain that employs distinct, multi-layered stages to deliver malware like Agent Tesla variants, Remcos RAT or XLoader. Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution. The phishing campaign we analyzed used deceptive ...

  • BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets

    April 14, 2025

    The stealthy rootkit-like malware known as BPFDoor (detected as Backdoor.Linux.BPFDOOR) is a backdoor with strong stealth capabilities, most of them related to its use of Berkeley Packet Filtering (BPF). In a previous article, Trend Micro researchers covered how BPFDoor and BPF-enabled malware work. BPFDoor has been active for at least four years, with a report by ...

  • Suspected Kimsuky (APT-Q-2) attacks South Korean companies

    April 11, 2025

    Kimsuky, alias Mystery Baby, Baby Coin, Smoke Screen, Black Banshe, etc., is tracked internally by Qi’anxin as APT-Q-2. The APT group was publicly disclosed in 2013, with attack activity dating as far back as 2012. Kimsuky’s main target for attacks has been South Korea, involving defense, education, energy, government, healthcare, and think tanks, with a focus ...

  • GOFFEE continues to attack organizations in Russia

    April 10, 2025

    GOFFEE is a threat actor that first came to our attention in early 2022. Since then, Kaspersky researchers have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of 2023, GOFFEE deployed modified Owowa (malicious IIS module) in ...

  • How ToddyCat tried to hide behind AV software

    April 7, 2025

    To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. In early 2024, while investigating ToddyCat-related incidents, Kaspersky researchers detected a suspicious file named version.dll in the temp directory on multiple ...