Security researchers have found a cluster of Linux ELF executables with low or zero antivirus detections in VirusTotal.
Researchers at AT&T Alien Labs identified these executables as modifications of the open source PRISM backdoor used by multiple threat actors in various campaigns.
Researchers said in further investigations of the malware, they discovered several campaigns using these malicious executables have remained active and under the radar for over 3.5 years.
“The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November 2017,” researchers said.
One of the variants found was dubbed WaterDrop. According to researchers, it uses an easily identifiable user agent string “agent-waterdropx” for the HTTP-based command-and-control (C&C) communications, and it reaches to subdomains of the waterdropx[.]com domain.
“While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online,” said researchers.
Researchers also found samples tagged as “PRISM v1” that they attributed to the same threat actor because it used the same C&C domain.
“Compared to the public PRISM, this version introduces the creation of a child process that constantly queries the C&C server for commands to execute,” they said.
There were two other versions of PRISM: v2.2 and v3. PRISM v2.2 introduced XOR encryption, such as the BASH command strings, to obfuscate sensitive data. PRISM v3 is identical to v2.2 with one exception: Clients include a bot ID for identification purposes.
Researchers said they had observed other actors using the PRISM backdoor for their operations.
“However, in the majority of these cases, the actor(s) use the original PRISM backdoor as is, without performing any major modifications. This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity,” they added.
Researchers say PRISM is an open source and simplistic backdoor with clearly identifiable traffic and easy-to-detect binaries. Despite its simplicity, “PRISM’s binaries have been undetected until now, and its C&C server has remained online for more than 3.5 years. This shows that while bigger campaigns that receive more attention are usually detected within hours, smaller ones can slip through.”
Researchers added that they expected the adversaries to remain active and conduct operations with this toolset and infrastructure.
