Pygmy Goat Backdoor

Subject: Pygmy Goat Backdoor

Tactics: TA0003 Persistence

Technique: T1071 Application Layer Protocol, T1059 Command and Scripting Interpreter, T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking, T1040 Network Sniffing, T1572 Protocol Tunneling, T1053 Scheduled Task/Job

Procedure:

Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.

Vulnerability: EAV0005 When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment.

Engagement Opportunity:

Monitor for modifications or unexpected entries in system startup scripts and the LD_PRELOAD environment variable. Deviations from the normal configuration could indicate an attempt to establish persistence using techniques like dynamic linker hijacking.
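As an added example (not from the NCSC report or this catalogue entry), a Python checker for the user-mode side of this engagement opportunity: it parses an sshd process's /proc environment and memory maps, flagging LD_PRELOAD entries and shared objects mapped from outside the distribution's library directories. The trusted-directory list and the sample /proc contents are constructed assumptions, not observed artefacts.

```python
"""User-mode check for LD_PRELOAD-style dynamic linker hijacking of sshd (Linux)."""
import re
from pathlib import Path

# Assumption for this example: a stock sshd maps shared objects only from these prefixes.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample /proc contents for an offline run; the paths are placeholders, not real IoCs.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/example_preload.so\0LANG=C\0"
SAMPLE_MAPS = """\
7f00000000-7f00001000 r-xp 00000000 08:01 1234 /usr/sbin/sshd
7f00100000-7f00110000 r-xp 00000000 08:01 2345 /lib/x86_64-linux-gnu/libc.so.6
7f00200000-7f00201000 r-xp 00000000 08:01 3456 /tmp/example_preload.so
7f00300000-7f00310000 rw-p 00000000 00:00 0
"""

def preload_from_environ(environ: bytes) -> list:
    """Return the LD_PRELOAD entries in a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]  # ld.so accepts ':' or ' '
    return []

def untrusted_mappings(maps_text: str) -> list:
    """Return shared objects in /proc/<pid>/maps text that are mapped from outside TRUSTED_LIB_DIRS."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        path = fields[5] if len(fields) == 6 else ""  # anonymous mappings carry no path
        if (path.endswith(".so") or ".so." in path) and not path.startswith(TRUSTED_LIB_DIRS):
            found.add(path)
    return sorted(found)

def scan_sshd(proc_root: str = "/proc") -> dict:
    """Live scan; reading another user's environ needs root. Returns findings keyed by PID."""
    findings = {}
    for p in (d for d in Path(proc_root).iterdir() if d.name.isdigit()):
        try:
            if p.joinpath("comm").read_bytes().strip() != b"sshd":
                continue
            preload = preload_from_environ(p.joinpath("environ").read_bytes())
            mapped = untrusted_mappings(p.joinpath("maps").read_text(errors="replace"))
        except OSError:
            continue  # process exited mid-scan or is not readable
        if preload or mapped:
            findings[int(p.name)] = {"ld_preload": preload, "untrusted_so": mapped}
    return findings
```

This complements the kernel-mode sensor placement below rather than replacing it; /etc/ld.so.preload and the environment settings of the sshd service unit are the other configuration points worth baselining alongside the startup scripts mentioned above.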

Threat Actor: Unknown, potentially associated with attacks on FortiGate devices due to the presence of artifacts mimicking Fortinet software.

Threat Objective:

Establish persistent backdoor access to the network device, enabling a variety of malicious activities such as remote shell execution, network traffic capture, task scheduling, and proxying traffic to devices behind the firewall.

Deception Opportunity:

Deploy a honeypot mimicking a vulnerable network device. Configure it with deliberately weakened security settings or known vulnerabilities to entice attackers. Monitor the honeypot for signs of exploitation, including attempts to establish persistence using techniques like dynamic linker hijacking.

Sensor Data Placement: Kernel-Mode

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

Kernel-level monitoring is required to reliably detect the manipulation of the LD_PRELOAD environment variable and the subsequent loading of the malicious shared object into the sshd process. While this technique is not unique to Pygmy Goat, it is indicative of a specific approach to achieving persistence.

Link to Report: https://www.ncsc.gov.uk/files/Pygmy-Goat-Malware-Analysis-Report.pdf

Link to Report II.:

Additional Comments:

Pygmy Goat exhibits signs of modularity and potential for adaptability to different target environments. The presence of artifacts mimicking Fortinet software suggests a possible link to attacks on FortiGate devices. Continued analysis and monitoring are recommended to track the evolution and deployment of this malware.

Possible elements: Deception-as-a-Service (DaaS) Platform, Embedded Honeytokens

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Pygmy Goat Attack Graph

[1]: Persistence - T1574.006 Dynamic Linker Hijacking - Inject into sshd process using LD_PRELOAD (Core to Some Implementations of (Sub-)Technique)
[2]: Command and Control - T1071 Application Layer Protocol: TLS - Establish TLS connection with C2 server (Core to Adversary-Brought Tool)
[3]: Execution - T1059 Command and Scripting Interpreter: Unix Shell - Execute commands and scripts on victim device (Core to Pre-Existing Tool)
[4]: Collection - T1040 Network Sniffing - Capture network traffic using libpcap (Core to Some Implementations of (Sub-)Technique)
[5]: Execution - T1053 Scheduled Task/Job: Cron - Schedule tasks using crontab (Core to Pre-Existing Tool)
[6]: Command and Control - T1572 Protocol Tunneling - Create reverse SOCKS5 proxy using EarthWorm (Core to Adversary-Brought Tool)

1 --> 2 (Lack of System Monitoring)
2 --> 3 (Lack of System Monitoring)
2 --> 4 (Lack of System Monitoring)
2 --> 5 (Lack of System Monitoring)
2 --> 6 (Lack of Network Monitoring)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Pygmy Goat Pseudocode

function Persistence_T1574.006_Dynamic_Linker_Hijacking():
    # Inject into sshd process using LD_PRELOAD
    return persistent_backdoor

function Command_and_Control_T1071_Application_Layer_Protocol(persistent_backdoor):
    # Establish TLS connection with C2 server
    return C2_channel

function Execution_T1059_Command_and_Scripting_Interpreter(C2_channel):
    # Execute commands and scripts on victim device
    return command_execution_results

function Collection_T1040_Network_Sniffing(C2_channel):
    # Capture network traffic using libpcap
    return captured_network_traffic

function Execution_T1053_Scheduled_Task(C2_channel):
    # Schedule tasks using crontab
    return scheduled_tasks

function Command_and_Control_T1572_Protocol_Tunneling(C2_channel):
    # Create reverse SOCKS5 proxy using EarthWorm
    return reverse_proxy
