How ELF/Sshdinjector.A!tr works
ELF/Sshdinjector.A!tr is a collection of malware components that are injected into the secure shell daemon (sshd), the program that provides encrypted communication between two untrusted hosts over an insecure network or the internet. Once inside sshd, the attackers can perform a broad range of actions without the users’ knowledge. Fortinet has not revealed how the devices are initially breached.
The attack uses several binary files containing harmful code. An initial “dropper” first checks whether the device is already compromised by looking for a specific file, /bin/lsxxxssswwdd11vv, containing the word “WATERDROP”, and then checks whether it is running with root access (the highest level of access permissions).
If the device isn’t already infected, the malware drops several malicious binaries, including an SSH library, which communicates with a remote bot master, or command and control (C2) server. The C2 instructs the malware to gather information, monitor processes, steal credentials, and execute remote commands.
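A host-side check for the indicators named above, written as an added example rather than code from Fortinet's report: it looks for the dropper's marker file and its "WATERDROP" content, and separately parses /proc/<pid>/maps text to list shared objects mapped into a process (such as sshd) from outside the usual library directories, one way to surface an injected SSH library. The trusted-directory list, the sample maps excerpt and the library name in it are constructed assumptions, not indicators from the article.

```python
import os
import tempfile

# Indicators named in the article: the dropper's "already infected" flag file.
MARKER_PATH = "/bin/lsxxxssswwdd11vv"
MARKER_TEXT = b"WATERDROP"

# Where legitimately installed shared objects normally live (assumption; tune per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed /proc/<pid>/maps excerpt for an sshd process; the /tmp library is made up.
SAMPLE_MAPS = """\
55d4c0a00000-55d4c0a40000 r-xp 00000000 fd:01 131 /usr/sbin/sshd
7f1a3c000000-7f1a3c1c0000 r-xp 00000000 fd:01 2048 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a3c400000-7f1a3c420000 r-xp 00000000 fd:01 9999 /tmp/.x/libssh_hook.so
7f1a3c600000-7f1a3c621000 rw-p 00000000 00:00 0
7ffd1e200000-7ffd1e221000 rw-p 00000000 00:00 0 [stack]
"""


def check_marker(root="/"):
    """Return (file_present, contains_marker) for the dropper's flag file under `root`."""
    path = os.path.join(root, MARKER_PATH.lstrip("/"))
    if not os.path.isfile(path):
        return (False, False)
    with open(path, "rb") as fh:
        return (True, MARKER_TEXT in fh.read(4096))


def untrusted_mapped_objects(maps_text):
    """Parse /proc/<pid>/maps text; return file-backed .so paths outside TRUSTED_LIB_DIRS."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping or pseudo-path such as [stack]
        path = fields[5]
        if ".so" in os.path.basename(path) and not path.startswith(TRUSTED_LIB_DIRS) and path not in found:
            found.append(path)
    return found


def demo_marker_scan(infected=True):
    """Scan a constructed fake root, optionally seeded with the marker file."""
    with tempfile.TemporaryDirectory() as root:
        if infected:
            os.makedirs(os.path.join(root, "bin"))
            with open(os.path.join(root, "bin", MARKER_PATH.split("/")[-1]), "wb") as fh:
                fh.write(b"WATERDROP\n")
        return check_marker(root)
```

On a live Linux host, feed `untrusted_mapped_objects` the contents of `/proc/<pid>/maps` for each sshd process and run `check_marker("/")`; a hit on either warrants a full forensic review rather than simple removal.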