IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Modified PRISM backdoor used in new attacks

Linux ELF executables used to avoid detection by antivirus products.

Security researchers have found a cluster of Linux ELF executables with low or zero antivirus detections in VirusTotal. 

Researchers at AT&T Alien Labs identified these executables as modifications of the open source PRISM backdoor used by multiple threat actors in various campaigns. 

Researchers said in further investigations of the malware, they discovered several campaigns using these malicious executables have remained active and under the radar for over 3.5 years. 

“The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November 2017,” researchers said.

One of the variants found was dubbed WaterDrop. According to researchers, it uses an easily identifiable user agent string “agent-waterdropx” for the HTTP-based command-and-control (C&C) communications, and it reaches to subdomains of the waterdropx[.]com domain.

“While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online,” said researchers.

Researchers also found samples tagged as “PRISM v1” that they attributed to the same threat actor because it used the same C&C domain.

Related Resource

Preparing for AI-enabled cyber attacks

MIT technology review insights

AI icon against a laptop icon on a yellow background - whitepaper from DarktraceDownload now

“Compared to the public PRISM, this version introduces the creation of a child process that constantly queries the C&C server for commands to execute,” they said.

There were two other versions of PRISM: v2.2 and v3. PRISM v2.2 introduced XOR encryption, such as the BASH command strings, to obfuscate sensitive data. PRISM v3 is identical to v2.2 with one exception: Clients include a bot ID for identification purposes.

Researchers said they had observed other actors using the PRISM backdoor for their operations.

“However, in the majority of these cases, the actor(s) use the original PRISM backdoor as is, without performing any major modifications. This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity,” they added.

Researchers say PRISM is an open source and simplistic backdoor with clearly identifiable traffic and easy-to-detect binaries. Despite its simplicity, “PRISM’s binaries have been undetected until now, and its C&C server has remained online for more than 3.5 years. This shows that while bigger campaigns that receive more attention are usually detected within hours, smaller ones can slip through.”

Researchers added that they expected the adversaries to remain active and conduct operations with this toolset and infrastructure.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

2022 IBM's Security X-Force cloud threat landscape report
Whitepaper

2022 IBM's Security X-Force cloud threat landscape report

22 Nov 2022
2022 Magic quadrant for Security Information and Event Management (SIEM)
Whitepaper

2022 Magic quadrant for Security Information and Event Management (SIEM)

22 Nov 2022
Seven realities facing SMBs as they enter a future of increased cyber threats
Whitepaper

Seven realities facing SMBs as they enter a future of increased cyber threats

21 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
Windows users now able to run Linux apps and distros natively
Microsoft Windows

Windows users now able to run Linux apps and distros natively

24 Nov 2022