ELF_SNAKSO.A

This malware targets Linux OS and has the capability to hide files, processes, and folders among others.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

It adds an entry to /etc/rc.local to ensure its automatic execution in every system startup.

It retrieve kernel symbols and write them to the following file:

• /.kallsyms_tmp

It then deletes the said file afterwards.

It hooks the following functions to hide files:

• filldir
• filldir64
• vfs_read
• vfs_readdir

It attempts to hide the following files to hide its presence on the affected system:

• zzzzzz_command_http_inject_for_module_init
• zzzzzz_write_command_in_file
• module_init.ko
• sysctl.conf
• /usr/local/hide/first_hide_file
• /ah34df94987sdfgDR6JH51J9a9rh191jq97811

It also hides the following threads to make its execution not visible:

• backconnect_command_thread_name
• new_backconnect_command_thread_name
• read_command_http_inject_thread_name
• write_startup_command_thread_name
• write_se_linux_command_thread_name
• get_http_inj_from_server_thread_name

It is capable of hiding the following:

• Files and folders
• Net connections/packets
• Processes
• Startup modules

It modifies the function tcp_sendmsg with its new function to inject iFrames into the outgoing TCP packets.