Modified PRISM backdoor used in new attacks

Linux ELF executables used to avoid detection by antivirus products.

Security researchers have found a cluster of Linux ELF executables with low or zero antivirus detections in VirusTotal. 

Researchers at AT&T Alien Labs identified these executables as modifications of the open source PRISM backdoor used by multiple threat actors in various campaigns. 

Researchers said in further investigations of the malware, they discovered several campaigns using these malicious executables have remained active and under the radar for over 3.5 years. 

“The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November 2017,” researchers said.

One of the variants found was dubbed WaterDrop. According to researchers, it uses an easily identifiable user agent string “agent-waterdropx” for the HTTP-based command-and-control (C&C) communications, and it reaches to subdomains of the waterdropx[.]com domain.

“While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online,” said researchers.

Researchers also found samples tagged as “PRISM v1” that they attributed to the same threat actor because it used the same C&C domain.

Related Resource

Preparing for AI-enabled cyber attacks

MIT technology review insights

AI icon against a laptop icon on a yellow background - whitepaper from DarktraceDownload now

“Compared to the public PRISM, this version introduces the creation of a child process that constantly queries the C&C server for commands to execute,” they said.

There were two other versions of PRISM: v2.2 and v3. PRISM v2.2 introduced XOR encryption, such as the BASH command strings, to obfuscate sensitive data. PRISM v3 is identical to v2.2 with one exception: Clients include a bot ID for identification purposes.

Researchers said they had observed other actors using the PRISM backdoor for their operations.

“However, in the majority of these cases, the actor(s) use the original PRISM backdoor as is, without performing any major modifications. This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity,” they added.

Researchers say PRISM is an open source and simplistic backdoor with clearly identifiable traffic and easy-to-detect binaries. Despite its simplicity, “PRISM’s binaries have been undetected until now, and its C&C server has remained online for more than 3.5 years. This shows that while bigger campaigns that receive more attention are usually detected within hours, smaller ones can slip through.”

Researchers added that they expected the adversaries to remain active and conduct operations with this toolset and infrastructure.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022