Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst
By Axelle Apvrille
February 04, 2025
| Notes |
|---|
| sshdinjector |
| injection |
| SSH, sshd |
| DaggerFly (EVASIVE PANDA) espionage group |
| sshdinjector surfaced mid-November 2024 |
| reverse engineering |
| ELF |
| Linux malware |
| libsshd.so |
| dropper |
| exfiltration |
| mainpasteheader, selfrecoverheader |
| persistence |
| command and control |
| “the dropper checks if it is being run under root privileges and, if not, exits. It then checks whether the host is infected by searching for a file named /bin/lsxxxssswwdd11vv containing the word WATERDROP.” |
| “If the host is not yet infected, it attempts to overwrite the legitimate binaries ls, netstat, and crond with infected binaries” |
| attribution via language (Chinese words for laughter: heihei, xixi) |
| – list of c2 commands |
| hard-coded IP addresses |
| “Communication with the C2 uses its own protocol. All packets include a hard-coded UUID (a273079c-3e0f-4847-a075-b4e1f9549e88), an identifier (afa8dcd81a854144), and the response to the command.” |
| Radare2 |
| r2ai radare2 extension |
| generative AI |
| disassembler |
| iz – r2 command to list strings (data sections; izz scans the whole binary) |
| AI output details often incorrect |
| decompiler output is correct, but often hard to read |
| AI hallucination |
| AI extrapolation |
| MAC address |
| AI omissions |
| – hash IoCs |
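
An added example, not code from the Fortinet write-up, from r2ai or from the notes above: a host-side check that applies the indicators recorded in this table. It looks for the infection marker /bin/lsxxxssswwdd11vv containing WATERDROP, and scans the binaries the dropper replaces (ls, netstat, crond) for the hard-coded C2 UUID and identifier. The indicator values are the ones quoted in the notes; the function names, the directory list searched, the relative-path keys of the result and the sample "infected" tree the demo builds are assumptions made for the example.

```python
"""IoC check for the sshdinjector indicators noted above (added example).

Indicator values (marker path/word, replaced binaries, C2 UUID and
identifier) come from the notes; everything else here is assumed.
"""
import tempfile
from pathlib import Path

MARKER_REL = "bin/lsxxxssswwdd11vv"          # /bin/lsxxxssswwdd11vv
MARKER_WORD = b"WATERDROP"
REPLACED_BINARIES = ("ls", "netstat", "crond")
SEARCH_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")   # assumption
C2_STRINGS = (
    b"a273079c-3e0f-4847-a075-b4e1f9549e88",  # hard-coded UUID
    b"afa8dcd81a854144",                       # hard-coded identifier
)


def marker_present(root="/"):
    """True if the infection marker exists under root and contains WATERDROP."""
    try:
        return MARKER_WORD in (Path(root) / MARKER_REL).read_bytes()
    except OSError:            # missing file or unreadable: treat as absent
        return False


def find_c2_strings(path, chunk=1 << 20):
    """Return the set of C2 strings present in a file, read in chunks.

    A tail of len(longest string) - 1 bytes is carried between reads so a
    string straddling a chunk boundary is still matched.
    """
    found = set()
    overlap = max(len(s) for s in C2_STRINGS) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            found.update(s for s in C2_STRINGS if s in buf)
            tail = buf[-overlap:]
    return found


def scan_binaries(root="/"):
    """Map 'dir/name' -> sorted C2 strings for each replaced binary that hits."""
    hits, seen = {}, set()
    for name in REPLACED_BINARIES:
        for d in SEARCH_DIRS:
            p = Path(root) / d / name
            if not p.is_file():
                continue
            real = p.resolve()     # /bin is often a symlink to /usr/bin
            if real in seen:
                continue
            seen.add(real)
            matches = find_c2_strings(p)
            if matches:
                hits[f"{d}/{name}"] = sorted(m.decode() for m in matches)
    return hits


def check_host(root="/"):
    """Combine both indicator checks for a filesystem rooted at root."""
    return {"marker": marker_present(root), "c2_strings": scan_binaries(root)}


def build_demo_root(infected=True):
    """Constructed sample tree (not real malware): a fake root with an
    'infected' ls, a clean netstat and the marker file, or a clean tree."""
    root = Path(tempfile.mkdtemp(prefix="sshdinjector-demo-"))
    (root / "bin").mkdir()
    (root / "bin" / "netstat").write_bytes(b"\x7fELF" + b"\x00" * 128)
    if infected:
        (root / MARKER_REL).write_bytes(b"WATERDROP\n")
        (root / "bin" / "ls").write_bytes(
            b"\x7fELF" + b"\x00" * 64 + C2_STRINGS[1]
            + b"\x00" * 16 + C2_STRINGS[0] + b"\x00"
        )
    else:
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00" * 128)
    return str(root)


if __name__ == "__main__":
    print(check_host(build_demo_root(infected=True)))
    print(check_host(build_demo_root(infected=False)))
    print(check_host("/"))   # the live host
```

Run as root against "/" to check a live host; a marker hit or any C2 string in ls, netstat or crond is a strong indicator, while a clean result only means these particular indicators are absent, not that the host is clean (the IP addresses and hashes in the original write-up are not reproduced in these notes).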