In a sophisticated cyber-espionage campaign, a Chinese hacking group known as DaggerFly has been linked to deploying a new malware strain targeting Linux-based systems.
The malware, identified as ELF/Sshdinjector.A!tr, infiltrates the Secure Shell (SSH) daemon to establish persistent access and execute covert operations.
This campaign, codenamed “Lunar Peek,” has been active since mid-November 2024 and primarily targets network appliances and Internet-of-Things (IoT) devices.
FortiGuard Labs researchers uncovered this malware, attributing it to the DaggerFly group, also referred to as Evasive Panda.
The group has a history of conducting cyber-espionage campaigns dating back to 2012, including supply chain attacks and intelligence gathering from high-value targets in Asia and the United States.
Technical Breakdown of ELF/Sshdinjector.A!tr
The attack begins with a “dropper” component that checks for root privileges and determines whether the target system is already infected.
If not, the dropper deploys malicious binaries, including a modified SSH library (libsshd.so), which serves as the primary backdoor.
This library enables communication with a remote command-and-control (C2) server and facilitates data exfiltration.
Key functionalities of the malware include:
- System Infection: Overwriting legitimate binaries such as ls, netstat, and crond with infected versions.
- Persistence: Ensuring the malware remains active by restarting critical services like SSH and Cron daemons.
- Data Exfiltration: Extracting sensitive information, including MAC addresses, user credentials and system logs.
- Remote Command Execution: Allowing attackers to execute arbitrary commands or open shell terminals on compromised devices.
The malware supports 15 distinct commands, ranging from listing running processes to transferring files and executing terminal commands.
Communication between the infected device and the C2 server is encrypted using a custom protocol, enhancing its stealth capabilities.
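The two host-side indicators described above (a foreign shared object loaded into the SSH daemon, and trojaned copies of ls, netstat and crond) lend themselves to a simple integrity check. The following Python is an added defender-side example, not FortiGuard's or Fortinet's code; the trusted library directories, the decision to flag any mapping named libsshd.so, the sample /proc/<pid>/maps excerpt and the in-memory "filesystem" with its baseline hashes are all constructed assumptions for illustration.

```python
"""Integrity checks for the two indicators the article describes:
a shared library injected into sshd, and trojaned system binaries.
Added example; detection rules and sample data are constructed."""
import hashlib
import os
import re
from typing import Callable, Dict, Iterable, List, Set

# Directories from which a stock sshd is expected to map shared objects.
# Assumption: adjust for the distribution actually in use.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Name the article gives for the backdoor library; flag it wherever it lives.
SUSPECT_LIB_NAMES = {"libsshd.so"}

# /proc/<pid>/maps: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(/.*)$")


def mapped_files(maps_text: str) -> Set[str]:
    """Return the file-backed mappings listed in /proc/<pid>/maps text."""
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            found.add(m.group(1).strip())
    return found


def suspicious_mappings(paths: Iterable[str]) -> List[str]:
    """Flag shared objects mapped from outside the trusted library
    directories, plus any mapping whose basename is on the suspect list."""
    flagged = []
    for p in sorted(paths):
        name = os.path.basename(p)
        in_trusted = any(p == d or p.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        if name in SUSPECT_LIB_NAMES or (".so" in name and not in_trusted):
            flagged.append(p)
    return flagged


def verify_binaries(baseline: Dict[str, str],
                    read_bytes: Callable[[str], bytes] = lambda p: open(p, "rb").read()
                    ) -> List[str]:
    """Compare SHA-256 of each path with a known-good baseline recorded
    before deployment; return paths that differ or cannot be read."""
    bad = []
    for path, expected in baseline.items():
        try:
            digest = hashlib.sha256(read_bytes(path)).hexdigest()
        except OSError:
            bad.append(path)      # missing or unreadable is also a finding
            continue
        if digest != expected:
            bad.append(path)
    return bad


# Constructed maps excerpt for an sshd process; the libsshd.so and
# /dev/shm entries are invented to show what the check reports.
SAMPLE_MAPS = """\
55d8c0a00000-55d8c0a9a000 r-xp 00000000 08:01 131102   /usr/sbin/sshd
7f3a1c000000-7f3a1c1a2000 r-xp 00000000 08:01 262401   /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c41e000 r-xp 00000000 08:01 262455   /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c600000-7f3a1c60c000 r-xp 00000000 08:01 917621   /usr/lib/libsshd.so
7f3a1c800000-7f3a1c803000 r-xp 00000000 00:1b 40931    /dev/shm/.x/libhelper.so
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0          [stack]
"""

# Constructed in-memory stand-in for the real files; netstat is "replaced".
FAKE_FS = {
    "/bin/ls": b"ELF-ls-genuine",
    "/bin/netstat": b"ELF-netstat-TROJANED",
    "/usr/sbin/crond": b"ELF-crond-genuine",
}
BASELINE = {
    "/bin/ls": hashlib.sha256(b"ELF-ls-genuine").hexdigest(),
    "/bin/netstat": hashlib.sha256(b"ELF-netstat-genuine").hexdigest(),
    "/usr/sbin/crond": hashlib.sha256(b"ELF-crond-genuine").hexdigest(),
}


def demo():
    """Run both checks over the constructed data."""
    flagged = suspicious_mappings(mapped_files(SAMPLE_MAPS))
    tampered = verify_binaries(BASELINE, lambda p: FAKE_FS[p])
    return flagged, tampered


if __name__ == "__main__":
    flagged, tampered = demo()
    print("unexpected sshd mappings:", flagged)
    print("binaries differing from baseline:", tampered)
```

On a live host the maps text comes from /proc/<pid>/maps for each sshd process, and the baseline should be recorded from a trusted image or verified with the package manager (`debsums` or `rpm -V`) rather than computed on the possibly compromised machine; a trojaned `ls` or `netstat` is exactly the kind of tool that would hide the evidence if the check relied on it.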
Interestingly, some functions within the malicious payload are humorously named “haha,” “heihei,” and “xixi,” which are onomatopoeic renderings of laughter in Chinese, perhaps mocking cybersecurity defenses.
AI-Assisted Analysis Highlights Malware Complexity
FortiGuard Labs utilized AI-powered tools like Radare2’s r2ai extension to reverse-engineer ELF/Sshdinjector.A!tr.
While AI accelerated the analysis process by summarizing code behavior and generating readable source code, human oversight was crucial to address inaccuracies such as hallucinated functionalities or omitted details.
The collaboration between human analysts and AI revealed the malware’s intricate design but also underscored limitations in relying solely on automated tools for threat analysis.
Fortinet reports that its customers are protected against this malware through updated antivirus signatures, including ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr.
This attack highlights the growing sophistication of threats targeting Linux platforms, especially IoT devices often lacking robust security measures.
As attackers continue to evolve their techniques, proactive defense mechanisms remain critical to safeguarding digital infrastructure.