November 4, 2024 at 12:49PM
The UK’s NCSC analyzed “Pygmy Goat,” a Linux malware targeting Sophos XG firewalls used in attacks by Chinese threat actors. It employs advanced techniques for maintaining persistence and remote access. The report offers detection strategies and highlights similarities with “Castletap” malware linked to state-sponsored actors.
### Meeting Takeaways
1. **Malware Overview**: The UK’s National Cyber Security Centre (NCSC) has released an analysis of a Linux malware named “Pygmy Goat,” specifically targeting Sophos XG firewall devices as part of recent attacks attributed to Chinese threat actors. Sophos also published a report named “Pacific Rim,” detailing five years of similar attacks.
2. **Characteristics of Pygmy Goat**:
   – It is a rootkit that mimics the naming conventions of Sophos product files.
   – It features advanced capabilities for persistence, evasion, and remote access, with complex code and execution paths.
3. **Connection to Chinese Threat Actors**:
   – While the NCSC report does not specifically attribute the malware to known actors, it highlights tactics similar to those of “Castletap,” which Mandiant has linked to a Chinese state actor.
   – Sophos has identified the rootkit as part of attacks in 2022 attributed to a Chinese threat actor named “Tstark.”
4. **Malware Functionality**:
   – Pygmy Goat takes the form of an x86-32 ELF shared object (‘libsophos.so’) and provides a backdoor into Linux-based networking devices.
   – It loads its payload into the SSH daemon, monitors for specific “magic bytes” to trigger backdoor communication, and connects back to its Command and Control (C2) server using encrypted payloads over TLS.
5. **C2 Communication**:
   – Communication involves listening on raw ICMP sockets and using an embedded certificate mimicking Fortinet’s CA to blend into networks with Fortinet devices.
   – Commands that Pygmy Goat can execute include:
      – opening shell sessions,
      – capturing network traffic,
      – managing cron tasks,
      – setting up a SOCKS5 reverse proxy.
6. **Detection and Defense Measures**:
   – The NCSC report offers detection methods, including file hashes and YARA/Snort rules, for identifying the malware’s activity.
   – Manual checks on specific system files and monitoring of unusual behaviors, such as the use of ‘LD_PRELOAD’ in SSH processes, are recommended for early detection of infections.
7. **Additional Context**: Related discussions on cybersecurity threats included similar malware incidents affecting Windows systems, ATM malware variants, and targeted campaigns against specific servers, highlighting a trend of increasing complexity in the malware used in cyber threats.
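As an added illustration of the manual check in item 6 (this is example code written for these notes, not from the NCSC report or Sophos), the script below walks a `/proc`-style tree and flags `sshd` processes that either carry `LD_PRELOAD` in their environment or have a watched shared object mapped. The only watched name, `libsophos.so`, is the filename given above; the `/proc` layout handling is standard Linux, while the sample process data, PIDs and paths are constructed for the demo and are not indicators from the report.

```python
"""Hunt for LD_PRELOAD injection into sshd by reading /proc.

Added example for these notes (not NCSC or Sophos code). It inspects each
process's cmdline, environ and maps and reports sshd processes that have
LD_PRELOAD set or a watched library mapped. The sample data at the bottom
is constructed; the watched basename 'libsophos.so' comes from the summary.
"""
import os
from dataclasses import dataclass

# Library basenames worth a second look if mapped into sshd.
WATCHED_BASENAMES = {"libsophos.so"}


@dataclass
class Finding:
    pid: int
    reason: str
    detail: str


def parse_environ(raw: bytes) -> dict:
    """/proc/<pid>/environ is a NUL-separated list of KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skip empty trailing entry and malformed ones
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_libraries(maps_text: str) -> set:
    """Collect file-backed pathnames from /proc/<pid>/maps lines.

    Each line is: address perms offset dev inode [pathname]; anonymous
    mappings have no pathname and pseudo-paths such as [stack] start with '['.
    """
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            libs.add(parts[5])
    return libs


def inspect_process(pid: int, cmdline: bytes, environ_raw: bytes,
                    maps_text: str, watched=WATCHED_BASENAMES) -> list:
    """Return findings for one process; only sshd processes are examined."""
    findings = []
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
    if os.path.basename(argv0) != "sshd":
        return findings
    env = parse_environ(environ_raw)
    if "LD_PRELOAD" in env:
        findings.append(Finding(pid, "LD_PRELOAD set in sshd", env["LD_PRELOAD"]))
    for path in sorted(mapped_libraries(maps_text)):
        if os.path.basename(path) in watched:
            findings.append(Finding(pid, "watched library mapped", path))
    return findings


def scan_proc(proc_root: str = "/proc") -> list:
    """Run inspect_process over every numeric directory under proc_root.

    Reading another user's environ requires root; unreadable or vanished
    processes are skipped rather than aborting the scan.
    """
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            with open(os.path.join(base, "environ"), "rb") as f:
                environ = f.read()
            with open(os.path.join(base, "maps")) as f:
                maps = f.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        findings.extend(inspect_process(int(name), cmdline, environ, maps))
    return findings


# Constructed sample: what an injected sshd would look like in /proc.
SAMPLE_CMDLINE = b"/usr/sbin/sshd\0-D\0"
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/lib/libsophos.so\0"
SAMPLE_MAPS = (
    "7f1000000000-7f1000010000 r-xp 00000000 08:01 4242 /lib/libsophos.so\n"
    "7f1000010000-7f1000011000 rw-p 00000000 00:00 0\n"
    "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n"
)


def demo_findings() -> list:
    """Inspect the constructed sample; returns two findings."""
    return inspect_process(4242, SAMPLE_CMDLINE, SAMPLE_ENVIRON, SAMPLE_MAPS)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"pid {f.pid}: {f.reason} ({f.detail})")
```

Running `scan_proc()` as root on a live host gives the same findings for real processes; a hit on either rule is a starting point for the file-hash and YARA checks the report provides, not a verdict on its own.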
### Next Steps
– Investigate the recommended detection methods and implement monitoring solutions.
– Review and reinforce current defenses against potential malware targeting networking devices.
– Stay updated on trends in malware attacks to ensure proactive security measures are in place.