In their first article on the XZ backdoor, Kaspersky researchers analyzed its code from initial infection to the function hooking it performs. As they mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation.
In this article, the research team will focus on the backdoor’s behaviour inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. To better understand what’s going on, they recommend you to read Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.
Read more…
Source: Kaspersky
Related:
- Custom Malware Collects Billions of Stolen Data Points
June 9, 2021
Researchers have uncovered a 1.2-terabyte database of stolen data, lifted from 3.2 million Windows-based computers over the course of two years by an unknown, custom malware. The heisted info includes 6.6 million files and 26 million credentials, and 2 billion web login cookies – with 400 million of the latter still valid at the time ...
- Gootkit: the cautious Trojan
June 7, 2021
Gootkit is complex multi-stage banking malware that was discovered for the first time by Doctor Web in 2014. Initially it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where the visitors are tricked into downloading the malware. Gootkit is capable ...
- Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments
June 7, 2021
In March 2021, I uncovered the first known malware targeting Windows containers, a development that is not surprising given the massive surge in cloud adoption over the past few years. I named the malware Siloscape (sounds like silo escape) because its primary goal is to escape the container, and in Windows this is implemented mainly ...
- Novel ‘Victory’ Backdoor Spotted in Chinese APT Campaign
June 7, 2021
An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said – using a previously unknown espionage malware. According to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, ...
- New SkinnyBoy malware used by Russian hackers to breach sensitive orgs
June 3, 2021
Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28. The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks targeting military and government institutions earlier this year. SkinnyBoy is intended for an intermediary stage of the ...
- DarkSide on Linux: Virtual Machines Targeted
May 28, 2021
As we discussed in our previous blog, the DarkSide ransomware is targeting organizations in manufacturing, finance, and critical infrastructures in regions such as the United States, France, Belgium, and Canada. The DarkSide ransomware targets both Windows and Linux platforms. We also noticed that the Linux variant, in particular, targets ESXI servers. In this blog, we focus ...

