The UK’s National Cyber Security Centre (NCSC) has published technical documentation of a sophisticated network backdoor being planted on hacked Sophos XG firewall devices and warned that the malware was designed for a broader range of Linux-based network devices.
The backdoor, called Pygmy Goat, uses multiple stealthy techniques to maintain persistence and avoid detection and is capable of disguising malicious traffic as legitimate SSH connections.
The backdoor also makes use of encrypted ICMP packets for covert communication and is clearly the work of a very skilled, professional hacking operator.
“While not containing any novel techniques, Pygmy Goat is quite sophisticated in how it enables the actor to interact with it on demand, while blending in with normal network traffic. The code itself is clean, with short, well-structured functions aiding future extensibility, and errors are checked throughout, suggesting it was written by a competent developer or developers,” the NCSC said.
The agency believes the malware was been designed to target a broader range of Linux-based network devices beyond just Sophos firewalls.
The agency said it observed Pygmy Goat malware using a fraudulent certificate masquerading as one from Fortinet, another oft-targeted major firewall vendor. This suggests the attackers may have initially developed the malware to target FortiGate devices before adapting it for Sophos systems, the agency said.
According to the report, the network backdoor has multiple methods of comms wake-up, as well as two separate remote shells that would likely be considered unnecessary effort if the malware had been developed for a specific device.
It said Pygmy Goat does not rely on any device-specific external libraries and will run on a base Ubuntu distribution.
The agency pointed to recent reporting from Mandiant showing attacks on FortiGate devices with similar TTPs to Pygmy Goat, such as an encrypted ICMP packet containing C2 information being used to establish a reverse SSL connection.
The exposure comes less than 24 hours after Sophos admitted to using custom implants to spy on Chinese government-backed hackers targeting zero-day flaws in its products.
The Thoma Bravo-owned Sophos described fending off multiple campaigns beginning as early as 2018, each building on the previous in sophistication and aggression. The attacks included a successful hack of Sophos’ Cyberoam satellite office in India, where attackers gained initial access through an overlooked wall-mounted display unit. An investigation quickly concluded that the Sophos facility hack was the work of an “adaptable adversary capable of escalating capability as needed to achieve their objectives.”
By 2020, Sophos said its threat hunting teams found devices under the control of the Chinese hackers. After legal consultation, the company said it deployed a “targeted implant” to monitor a cluster of attacker-controlled devices.
“The additional visibility quickly allowed [the Sophos research team] to identify a previously unknown and stealthy remote code execution exploit,” the company said.
After initial access, Sophos said it tracked the attackers breaking into devices to deploy payloads for persistence, including the Gh0st remote access Trojan (RAT), a previously unseen rootkit, and adaptive control mechanisms designed to disable hotfixes and avoid automated patches.
Related: Sophos Used Custom Implants to Surveil Chinese Hackers
Related: Volexity Blames ‘DriftingCloud’ APT For Sophos Firewall Zero-Day
Related: Sophos Warns of Attacks Exploiting Recent Firewall Vulnerability
Related: CISA Warns of Attacks Exploiting Sophos Web Appliance Vulnerability
