XZ backdoor: Hook analysis


In their first article on the XZ backdoor, Kaspersky researchers analyzed its code from initial infection to the function hooking it performs. As they mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation.

In this article, the research team will focus on the backdoor’s behaviour inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. To better understand what’s going on, they recommend you to read Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.

Read more…
Source: Kaspersky


Sign up for our Newsletter


Related:

  • A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers

    August 15, 2024

    FortiGuard Labs recently encountered an ongoing ValleyRAT campaign specifically targeting Chinese speakers. This malware has historically targeted e-commerce, finance, sales, and management enterprises. ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage. Another noteworthy characteristic of this malware is its heavy usage ...

  • Tusk: unraveling a complex infostealer campaign

    August 15, 2024

    Kaspersky Global Emergency Response Team (GERT) has identified a complex campaign, consisting of multiple sub-campaigns orchestrated by Russian-speaking cybercriminals. The sub-campaigns imitate legitimate projects, slightly modifying names and branding and using multiple social media accounts to increase their credibility. In their analysis GERT researchers observed that all the active sub-campaigns host the initial downloader on Dropbox. ...

  • Ongoing Social Engineering Campaign Refreshes Payloads

    August 12, 2024

    On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing techniques, tactics, and procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7. The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer ...

  • SharpRhino malware targets IT admins

    August 7, 2024

    Fake Angry IP Scanner will make you furious – or maybe remind you of how the Hive gang went about its banal business The latest malware from upstart criminal gang Hunters International appears to be targeting network admins, using malicious code disguised as the popular networking tool Angry IP Scanner.… The software nasty, dubbed SharpRhino on ...

  • LianSpy: new Android spyware targeting Russian users

    August 5, 2024

    In March 2024, Kaspersky researchers discovered a campaign targeting individuals in Russia with previously unseen Android spyware they dubbed LianSpy. Kaspersky analysis indicates that the malware has been active since July 2021. This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists. The malicious actor behind LianSpy employs multiple ...

  • Fighting Ursa Luring Targets With Car for Sale

    August 2, 2024

    A Russian threat actor Palo Alto Unit 42 track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an ...