XZ backdoor: Hook analysis


In their first article on the XZ backdoor, Kaspersky researchers analyzed its code from initial infection to the function hooking it performs. As they mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation.

In this article, the research team will focus on the backdoor’s behaviour inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. To better understand what’s going on, they recommend you to read Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.

Read more…
Source: Kaspersky


Sign up for our Newsletter


Related:

  • Bloody Wolf strikes organizations in Kazakhstan with STRRAT commercial malware

    July 31, 2024

    Since late 2023, BI.ZONE Threat Intelligence experts have been tracking the activity of Bloody Wolf. The cluster attacks organizations in Kazakhstan with STRRAT, a commercial malware also known as Strigoi Master. The attackers send out phishing emails on behalf of the Ministry of Finance of the Republic of Kazakhstan and other agencies. The emails have PDF ...

  • Mandrake spyware sneaks onto Google Play again, flying under the radar for two years

    July 29, 2024

    In April 2024, Kaspersky researchers discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included ...

  • North Korean hackers are targeting Apple Mac devices with updated malware

    July 19, 2024

    North Korean state-sponsored threat actors are once again setting up fake job interviews in a bid to infect unsuspecting victims with infostealing malware – but this time around, they are focusing on Apple users. Cybersecurity researcher Patrick Wardle recently discovered a new variant of BeaverTail, a known infostealer capable of grabbing sensitive information from web browsers ...

  • APT41 Has Arisen From the DUST

    July 18, 2024

    Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load ...

  • New Attack Technique GrimResource Sweeps Through China with Fake Website

    July 17, 2024

    QiAnXin Threat Intelligence Center and Falcon Operations Team observed in their daily operations that in June 2024, several foreign counterparts reported in-the-wild attacks related to the new attack technique GrimResource. QiAnXin Threat Intelligence Center and Falcon Operations Team promptly conducted research on this technique and have been continuously monitoring it. In mid-July 2024, they discovered the ...

  • New Bugsleep Backdoor Deployed In Recent Muddywater Campaigns

    July 15, 2024

    MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), is known to be active since at least 2017. During the last year, MuddyWater engaged in widespread phishing campaigns targeting the Middle East, with a particular focus on Israel. Since October 2023, the actors’ activities have increased significantly. Their methods remain consistent, ...