A suspected nation-state threat actor exploited a recently disclosed vulnerability (CVE-2024-9474) in a Palo Alto Networks device to gain access. The attacker then used curl to download a malicious file (bwmupdate) that installed a backdoor disguised as the logd service.
To achieve persistence, the malware modified /etc/rc.local and a function within the Red Hat package manager so that the backdoor survives system upgrades. The attacker also injected a library into the running nginx process to intercept incoming connections that contain a specific pattern (a "magic knock").
Upon a successful connection, the backdoor created a Unix socket file (/tmp/clientsDownload.sock) for communication, encrypting traffic with the device's own SSL certificate and reusing already-open ports to avoid detection.
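The three host artefacts named above (the modified /etc/rc.local, a library injected into nginx, and the /tmp/clientsDownload.sock socket) can each be checked from the host side. The following is an added example, not code from Northwave Cyber Security or from the report; it takes the artefacts as text so it runs offline on the constructed samples at the bottom. On a live appliance the inputs would be /etc/rc.local, /proc/<nginx pid>/maps and a listing of Unix sockets. The "library mapped from a world-writable directory" rule is an assumption of this example: the report says a library was injected but does not give its on-disk path.

```python
"""Host-side check for the persistence and injection indicators described
above. Added example; inputs are passed as text so it can run offline."""
import os
from typing import Dict, List

# Indicators that appear in the report: downloaded file name and socket path.
KNOWN_INDICATORS = ("bwmupdate", "/tmp/clientsDownload.sock")
# Assumption: a shared object mapped from a world-writable directory is treated
# as injected. The report does not state where the injected library lived,
# so this is a heuristic rather than a reported IoC.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def check_rc_local(text: str) -> List[str]:
    """Return rc.local lines that run something from a writable directory or
    mention a known indicator. Comments, blank lines and 'exit 0' are skipped."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "exit 0":
            continue
        if any(ind in stripped for ind in KNOWN_INDICATORS) or any(
            d in stripped for d in WRITABLE_DIRS
        ):
            hits.append(stripped)
    return hits


def check_process_maps(maps_text: str) -> List[str]:
    """Return shared objects mapped into a process from a writable directory.
    Input is the content of /proc/<pid>/maps (six whitespace-separated fields
    when the mapping is file-backed)."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        path = parts[5].strip()
        if path.startswith(WRITABLE_DIRS) and ".so" in os.path.basename(path):
            found.add(path)
    return sorted(found)


def check_sockets(paths: List[str]) -> List[str]:
    """Return listed Unix socket paths that match the known socket indicator."""
    return [p for p in paths if p in KNOWN_INDICATORS]


def scan(rc_local: str, maps_text: str, socket_paths: List[str]) -> Dict[str, List[str]]:
    """Run all three checks and return only the categories with findings."""
    results = {
        "rc_local": check_rc_local(rc_local),
        "injected_libs": check_process_maps(maps_text),
        "sockets": check_sockets(socket_paths),
    }
    return {k: v for k, v in results.items() if v}


# Constructed samples (not captured from a real device); the library name
# and the /tmp path of bwmupdate are made up for the example.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local (constructed sample)
/usr/sbin/normal-daemon --start
/tmp/bwmupdate --install
exit 0
"""
SAMPLE_MAPS = """7f1a00000000-7f1a00021000 r-xp 00000000 08:01 1001 /usr/lib/libc.so.6
7f1a00100000-7f1a00110000 r-xp 00000000 08:01 2002 /dev/shm/libinject.so
7f1a00200000-7f1a00201000 rw-p 00000000 00:00 0
7f1a00300000-7f1a00301000 r-xp 00000000 00:00 0 [vdso]
"""
SAMPLE_SOCKETS = ["/run/nginx.sock", "/tmp/clientsDownload.sock"]

if __name__ == "__main__":
    for category, items in scan(SAMPLE_RC_LOCAL, SAMPLE_MAPS, SAMPLE_SOCKETS).items():
        print(f"{category}: {items}")
```

Because the backdoor also patches the package manager to survive upgrades, a clean result from this scan after an upgrade is not by itself evidence of a clean system; compare the rc.local and package-manager scripts against a known-good image from the vendor as well.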
The backdoor operates as a network of nodes, each offering five core functions (file I/O, shell access, and three types of network tunneling); commands reach a node over the hijacked connection using a specific protocol.
Nodes communicate either directly with the operator or through other nodes, with a unique identifier distinguishing the two kinds of interaction. A basic frame structure carries each message together with its routing information.
A node processes messages addressed to its own ID and forwards the rest to other nodes as needed. The protocol also allows nodes to be added to and removed from the network, so the backdoor's communication network is a mesh of interconnected nodes.
Connections are identified by unique 32-bit identifiers generated by a time-seeded PRNG. Each node maintains a view of the network that it uses to route messages, and when a connection is created or lost the update is broadcast to the other nodes.
A user node has a special upstream connection for user messages. When a new user connection is established, the node resets its state and sends the user a list of known nodes in the network, enabling communication with any of them.
The nodes use a connection-management protocol to establish and maintain links with each other: messages initiate connections, notify other nodes of added or removed connections, and keep the list of connected nodes current.
Nodes can also listen for incoming connections on a specified port. The protocol includes messages that request and return the hostname and kernel version, as well as echo request and response messages that keep connections alive and check connectivity.
The backdoor supports remote shell access and file interaction on the compromised system, communicating with the C2 server through numbered messages: Message 11 opens a shell session, Message 13 carries data to and from the shell, and Message 12 reports whether the shell was opened or closed successfully.
File interaction opens a file for writing (message 14) or reading (message 15), then sends data (message 17) or receives data (message 17), and finally closes the file (message 18); the backdoor tracks the file size and file pointer as 64-bit integers.
The tunneling component uses a client-server protocol in which the client can establish multiple tunnels with the server, using either Tunnel 1 or Tunnel 2.
Each tunnel is configured with a listener port and a protocol (TCP or UDP). The client can send and receive data over these tunnels, and the server can also initiate connections through them.
According to Northwave Cyber Security, the client can additionally configure a SOCKS5 proxy on the server, which can then be used to forward traffic to other destinations on the network.
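A SOCKS5 proxy running on a firewall that has no proxy role leaves a recognisable wire signature, because the standard SOCKS5 handshake (RFC 1928) is fixed regardless of who implements the proxy. The following is an added example, not code from Northwave Cyber Security or from the report, and it makes no claim about the backdoor's own message encoding: it parses the SOCKS5 client greeting and request so that the first client payload of each captured flow can be labelled, which is useful for reviewing traffic that reached the device on its existing open ports. The sample flows at the bottom are constructed, not captured.

```python
"""SOCKS5 handshake recogniser for reviewing captured payloads from a device
that should not be proxying. Added example based on RFC 1928."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Client greeting: VER=5, NMETHODS, METHODS[NMETHODS]. Returns the offered
    authentication methods, or None if the bytes are not a greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes) -> Optional[Dict[str, object]]:
    """Client request: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT (big-endian).
    Returns the command and destination, or None if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in COMMANDS:
        return None
    if atyp == 1:  # IPv4, 4 address bytes
        if len(data) != 10:
            return None
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3:  # domain name, one length byte then the name
        if len(data) < 5 or len(data) != 5 + data[4] + 2:
            return None
        host, end = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 4:  # IPv6, 16 address bytes
        if len(data) != 22:
            return None
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"cmd": COMMANDS[cmd], "host": host, "port": port}


def classify_payload(data: bytes) -> str:
    """Label the first bytes a client sent on a connection."""
    if parse_greeting(data) is not None:
        return "socks5-greeting"
    if parse_request(data) is not None:
        return "socks5-request"
    return "other"


def find_proxy_use(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """flows: (source, destination port, first client payload). Returns one
    report line per flow whose first payload looks like SOCKS5; on an
    appliance with no proxy role each such flow deserves a closer look."""
    report = []
    for src, dport, payload in flows:
        label = classify_payload(payload)
        if label == "socks5-request":
            req = parse_request(payload)
            report.append(f"{src} -> :{dport} SOCKS5 {req['cmd']} to {req['host']}:{req['port']}")
        elif label == "socks5-greeting":
            report.append(f"{src} -> :{dport} SOCKS5 greeting, methods {parse_greeting(payload)}")
    return report


# Constructed sample flows (not captured traffic). The third payload is the
# start of a TLS ClientHello on 443 and must not be flagged.
SAMPLE_FLOWS = [
    ("192.0.2.10", 443, b"\x05\x01\x00"),
    ("192.0.2.10", 443, b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbd"),
    ("192.0.2.11", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    ("192.0.2.12", 22, b"\x05\x03\x00\x03\x0afiles.corp\x01\xbb"),
]

if __name__ == "__main__":
    for line in find_proxy_use(SAMPLE_FLOWS):
        print(line)
```

Since the report says the backdoor encrypts its traffic with the device's own SSL certificate, this check only sees the SOCKS5 handshake where the capture is taken inside the TLS session or on the far side of the proxy (the connections the server opens towards other internal destinations); on the outer TLS wrapper the handshake is not visible, and the more reliable signal there is the device itself initiating connections to internal hosts it has no business reaching.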