Tricephalic Hellkeeper: a tale of a passive backdoor
by Tristan Pourcelot
ExaTrack 2022
https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
| Notes |
|---|
| backdoor |
| passive backdoor |
| Linux malware |
| Solaris |
| TCP, UDP, ICMP |
| BPF |
| malware |
| stealth malware |
| command and control |
| callback |
| cd00r |
| Phenoelit |
| port knocking |
| Duqu2 - portserv.sys |
| driver |
| Equation Group |
| Bvp47 |
| DewDrop |
| implant |
| Turla |
| Uroburos rootkit |
| netstat |
| can piggyback off an already opened port |
| inactive unless activated by the attacker |
| magic packet |
| bind shell |
| reverse shell |
| root user |
| IoC |
| relaunch from memory to avoid filesystem artifacts |
| /dev/shm |
| process masquerading |
| prctl PR_SET_NAME |
| timestomping utimes |
| 0x490a083c (2008-10-30T20:17:16) |
| tcpdump |
| bytecode |
| opcode |
| libpcap pcap_setfilter |
| setsockopt SO_ATTACH_FILTER |
| pseudocode |
| Ghidra |
| disassembler |
| IPv4 |
| password: justtryit, justrobot, justforfun |
| socket, sockettcp |
| bind/reverse shells renamed to /usr/libexec/postfix/master |
| PROMPT environment variable |
| environment variable |
| HISTFILE=/dev/null |
| MYSQL_HISTFILE=/dev/null |
| PS1 |
| HOME |
| MD5 |
| string hashing |
| RC4 |
| malware had a bug in it |
| this sample wasn’t new, novel, or complicated; however, it provided long-term access |
| malware changed keywords, commands, etc. on each iteration, possibly to avoid detection |
| GossiTheDog |
| PwC |
| BPFDoor |
| Red Menshen threat actor |
| Troopers 2022 |
| xinetd |
| YARA |