
WaterDrop

PRISM

Linux


Modified PRISM Backdoor 'WaterDrop' targeting Linux Systems

A modified strain of the PRISM backdoor, dubbed WaterDrop, is targeting Linux systems while maintaining a zero detection score on VirusTotal...

27-Aug-2021
3 min read

A recently discovered modified strain of the PRISM backdoor, dubbed WaterDrop, is affecting Linux-based systems and has been active for approximately 3.5 years.

Security researchers at AT&T Labs published a report disclosing details of a newly discovered cluster of Linux ELF executables with zero or very low detection rates on VirusTotal. According to the researchers, these executables are a new variant of the open-source PRISM backdoor, which threat actors have used in several campaigns.

The oldest samples identified by AT&T Labs date back to 2017, and several of them are flagged by few or none of the antivirus engines that VirusTotal aggregates, even though those engines normally catch stock PRISM binaries without difficulty.


### PRISM and its Malware Variants

PRISM is a simple, open-source backdoor whose network traffic follows a well-defined pattern, so both its binaries and its C&C traffic are easy to write signatures for. The researchers concluded that this cuts both ways: large operations built on PRISM are recognised quickly, while small campaigns can slip past antivirus detection for years.

The researchers at AT&T Labs dubbed one of the PRISM variants WaterDrop. It uses an easily recognisable User-Agent string, agent-waterdropx, for its HTTP-based C&C communications and contacts subdomains of the waterdropx[.]com domain. Several versions of this variant were found, which the researchers tagged PRISMv1.
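The two network indicators above (the User-Agent string and the waterdropx[.]com domain) are exactly what a defender would hunt for in proxy or web-server logs. The following Python is an added example, not code from the AT&T report or the PRISM project, that runs that hunt over a few constructed combined-format log lines. The log lines, IP addresses and hostnames are made up for the example; only the two indicators come from the article. Note the domain check matches the apex domain or a subdomain of it, not a substring, so a look-alike such as notwaterdropx.com does not produce a false positive.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Indicators quoted in the article from the AT&T Labs report.
WATERDROP_UA = "agent-waterdropx"
WATERDROP_DOMAIN = "waterdropx.com"

# Constructed sample log lines for this example (not real traffic), in the
# combined log format a forward proxy or web server would write.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2021:10:01:12 +0000] "GET http://update.waterdropx.com/check HTTP/1.1" 200 512 "-" "agent-waterdropx"
10.0.0.7 - - [27/Aug/2021:10:01:15 +0000] "GET http://example.org/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Aug/2021:10:02:01 +0000] "POST http://cdn.waterdropx.com/upload HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.0.0.9 - - [27/Aug/2021:10:02:30 +0000] "GET http://notwaterdropx.com/ HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# src ident user [timestamp] "METHOD url PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_waterdrop_domain(host: str) -> bool:
    """Exact apex or subdomain match; a plain substring test would also
    flag look-alikes such as notwaterdropx.com."""
    host = host.lower().rstrip(".")
    return host == WATERDROP_DOMAIN or host.endswith("." + WATERDROP_DOMAIN)


def find_waterdrop_hits(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line that matches either indicator,
    with the list of reasons (user-agent and/or domain) it matched on."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        reasons = []
        if WATERDROP_UA in m["ua"].lower():
            reasons.append("user-agent")
        host = urlparse(m["url"]).hostname  # None for relative request paths
        if host and is_waterdrop_domain(host):
            reasons.append("domain")
        if reasons:
            hits.append({"src": m["src"], "ts": m["ts"], "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_waterdrop_hits(SAMPLE_LOG):
        print(hit)
```

Two of the four constructed lines are flagged: the first on both the User-Agent and the domain, the third on the domain alone (the actor could change the User-Agent without touching the C&C infrastructure, which is why both indicators are checked independently). A pure User-Agent match is the weaker of the two, since the string is trivial to change in a recompiled sample.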

In its blog post, AT&T Labs wrote: "The threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017."

Further analysis turned up two later variants, PRISMv2 and PRISMv3, which add XOR encryption of sensitive data (for example, the bash command strings) so that it does not appear in plain text in the binary.
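XOR obfuscation of this kind defeats a naive `strings` pass and string-based signatures, but it is cheap to undo, and the open-source nature of PRISM helps the analyst here: strings such as "/bin/" are known in advance and can be used as a crib. The following Python is an added example, not code from the AT&T report or the PRISM source, that shows single-byte XOR string hiding and recovers the key by sliding a known plaintext over the obfuscated bytes. The key 0x5A, the command string and the surrounding junk bytes are constructed for the example; nothing here is taken from a real sample.

```python
from typing import List, Optional, Tuple

# Constructed for this example: a key and a command string a PRISM-style
# backdoor might hide. Neither value comes from a real sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b'/bin/bash -c "uname -a"'


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in data)


# Constructed "binary section": junk bytes around the XOR-encoded command.
# The junk bytes were chosen so that they stay non-printable after decoding.
SAMPLE_BLOB = (
    bytes([0xDE, 0xAD, 0xBE, 0xEF])
    + xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    + bytes([0xC0, 0xFE])
)


def find_key_by_crib(blob: bytes, crib: bytes) -> Optional[Tuple[int, int]]:
    """Crib-drag: slide a known plaintext over the blob. Under single-byte XOR,
    blob[i + j] ^ crib[j] is the same byte for every j exactly where the crib
    sits, and that byte is the key. Returns (offset, key) or None."""
    for i in range(len(blob) - len(crib) + 1):
        keys = {blob[i + j] ^ crib[j] for j in range(len(crib))}
        if len(keys) == 1:
            return i, keys.pop()
    return None


def extract_printable_runs(data: bytes, min_len: int = 4) -> List[bytes]:
    """Like `strings`: return runs of printable ASCII at least min_len long."""
    runs: List[bytes] = []
    cur = bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def recover_hidden_strings(blob: bytes, crib: bytes = b"/bin/") -> List[bytes]:
    """Recover the key from a crib, decode the whole blob, and pull out the
    printable strings. Returns [] if the crib is not found under any key."""
    found = find_key_by_crib(blob, crib)
    if found is None:
        return []
    _, key = found
    return extract_printable_runs(xor_bytes(blob, key))


if __name__ == "__main__":
    print(find_key_by_crib(SAMPLE_BLOB, b"/bin/"))  # (4, 90)
    print(recover_hidden_strings(SAMPLE_BLOB))      # [b'/bin/bash -c "uname -a"']
```

Use a crib of at least five bytes: with a single-byte key, a shorter crib can line up with arbitrary data by chance. If a variant uses a multi-byte or rolling XOR key, this check finds nothing, and the fallback is to locate the decoding loop in the disassembly and lift the key from there.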

Separately, AT&T recently faced claims of another massive data breach: the threat actor ShinyHunters put a database of some 70 million AT&T users, said to contain sensitive personal information, up for auction. AT&T has denied all claims related to the incident.

The blog post concluded, referring to the small size of the campaigns: "This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity."