Chinese hacking group Evasive Panda uses ELF/Sshdin,jector.A!tr malware to hijack SSH daemons for persistent access and covert operations on network appliances

Continue reading
In a recent surge of cyber-espionage activities, the Chinese hacking group Evasive Panda, also known as DaggerFly, has unleashed a sophisticated malware attack targeting network appliances. The attack, which began in mid-November 2024, leverages a newly discovered attack suite called ELF/Sshdin.jector.A!tr, injecting malicious code into the SSH daemon for persistent access and covert operations. This highly organized breach has sparked significant concerns in the cybersecurity landscape, as it enables the hackers to remain undetected and gain full control over compromised systems.
The ELF/Sshdinjector.A!tr is a malware component injected directly into the SSH daemon, which is a core process on network appliances that allows secure remote communication. Once installed, it enables attackers to perform an array of covert operations, including system reconnaissance, data exfiltration, credential theft, and remote control of the device.
Researchers at Fortinet's FortiGuard Labs have disclosed that this malware suite is highly evasive and designed to operate without detection, even if the device is actively monitored. The malware acts as a backdoor, allowing hackers to execute malicious commands and extract critical data from compromised machines over extended periods.
The infiltration begins when the attackers deploy a dropper onto the device. This dropper checks if the device is already infected and confirms if it is operating with root privileges. If the conditions are met, several malicious binaries are dropped onto the target device. Among these, the SSH library (_li.bs.sdh.so_) becomes the key backdoor component that facilitates Command and Control (C2) communications and data exfiltration.
Once installed, _ELF/Sshdi.njector.A!tr_ provides a comprehensive toolkit for the attackers, supporting a range of remote and covert activities. The malware is capable of executing up to fifteen distinct commands, designed to infiltrate deeper into the compromised system and secure sensitive information. Below are the key actions this malware can perform:
ELF/Ssh.din.ject.or.A!tr is designed for stealth. The process begins by injecting directly into the SSH daemon, the malware operates as part of the legitimate system process, which makes it incredibly difficult to detect through traditional security measures. The use of binary injection means the malware exists in the system without alerting security software, allowing it to function covertly for long periods.
This method also allows the malware to remain persistent, even if the system is rebooted or temporarily patched. Unlike typical malware, which may be removed by rebooting or system scans, this type of injection guarantees that the hacker remains in control of the compromised device.
In an effort to analyze this malware, FortiGuard researchers leveraged AI-assisted tools to reverse-engineer and dissect ELF/Ssh.dinje.ctor.A!tr. While traditional disassemblers and decompilers were used in the past, AI tools proved to be more effective in identifying and tracking the malware’s behavior in real time. These AI tools provided insight into previously undocumented parts of the malware and helped in the deeper analysis of its communication patterns and data exfiltration methods.
However, Fortinet also highlighted the challenges faced by AI, including issues like hallucination, extrapolation, and omissions in the analysis. Nevertheless, the potential of AI in cybersecurity is clear, offering significant improvements in how malware is detected and neutralized.
Evasive Panda (also known as DaggerFly) is a Chinese cyber-espionage group that has been active since 2012. This group has been behind a series of highly targeted attacks, including novel macOS backdoor deployments, supply chain attacks via ISPs in Asia, and a four-month-long espionage campaign against U.S. organizations.
Their operations typically target organizations with significant geopolitical value, allowing them to conduct long-term intelligence-gathering missions. This attack against SSH daemons marks a new chapter in their sophisticated and evolving tactics. The ability to exploit network appliances for persistent control is a testament to the advanced capabilities of this cyber-espionage group.
Fortunately, Fortinet's FortiGuard AntiVirus service has already implemented defenses against ELF/Ssh;dinjector.A!tr. The threat is detected under the signatures ELF/Ssh.dinjec.tor.A!tr and Linux/Agent.AC;Q!tr, ensuring that affected users and organizations are already protected against the attack.
Organizations are urged to take the following actions to mitigate risks:

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation