The attack demonstrates the sophistication of Velvet Ant's methods
Based on evidence found by Sygnia on a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw to create a file with base64-encoded content. They then issued commands to decode the contents and save them to a file called ufdm.so. On Linux systems, .so files are shared object libraries that are loaded by other processes, while ufdm is the name of a legitimate file on NX-OS.
After creating their malicious library, the attackers replaced the legitimate ufdm file with curl, another legitimate Linux tool for downloading files, and added their ufdm.so library to the LD_PRELOAD environment variable, which can be used to override the location of standard libraries. They then executed the now-fake /root/ufdm process, which loaded their malicious ufdm.so library into memory.
After running some commands to make sure the process was running and their implant was creating the correct network connections, they deleted the renamed ufdm and ufdm.so files from disk in order to cover their tracks.
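As an added defensive illustration, not code from Sygnia's report or the original article, the following Python script scans shell-history lines for the stages of the chain described above: a base64 decode written out as a .so, a legitimate binary swapped for curl, LD_PRELOAD pointing at the library, and the library's later deletion. The sample history lines and the regexes are constructed assumptions for demonstration, not real NX-OS output.

```python
import re

# Constructed sample of shell-history lines (not real NX-OS output) that mirrors
# the sequence described in the article: decode -> swap binary -> preload -> cleanup.
SAMPLE_HISTORY = [
    "echo f0VMRgIBAQAAAA== | base64 -d > /tmp/ufdm.so",
    "mv /root/ufdm /root/ufdm.bak",
    "cp /usr/bin/curl /root/ufdm",
    "export LD_PRELOAD=/tmp/ufdm.so",
    "/root/ufdm",
    "netstat -anp",
    "rm /root/ufdm.bak /tmp/ufdm.so",
]

# One regex per stage of the chain; each is matched against a single command line.
INDICATORS = {
    "base64_decode_to_so": re.compile(r"base64\s+(-d|--decode)\b.*>\s*\S+\.so\b"),
    "binary_swap_with_curl": re.compile(r"\b(cp|ln|mv)\s+\S*curl\s+\S+"),
    "ld_preload_set": re.compile(r"\bLD_PRELOAD=\S+"),
    "so_deleted": re.compile(r"\brm\b.*\S+\.so\b"),
}


def scan_history(lines):
    """Return (stage, line_number, command) for every command that hits a stage regex."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for stage, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((stage, lineno, line))
    return hits


def is_preload_chain(hits, min_stages=3):
    """Flag a chain when at least min_stages distinct stages occur and, where both are
    present, the decoded .so is written before LD_PRELOAD is set. A lone LD_PRELOAD
    export is common enough in legitimate admin work that it should not fire alone."""
    first_seen = {}
    for stage, lineno, _ in hits:
        first_seen.setdefault(stage, lineno)
    if len(first_seen) < min_stages:
        return False
    decode, preload = first_seen.get("base64_decode_to_so"), first_seen.get("ld_preload_set")
    return not (decode is not None and preload is not None and decode > preload)


if __name__ == "__main__":
    found = scan_history(SAMPLE_HISTORY)
    for stage, lineno, cmd in found:
        print(f"line {lineno}: {stage:<24} {cmd}")
    print("LD_PRELOAD implant chain detected:", is_preload_chain(found))
```

The same stage regexes can be pointed at bash history or audit records pulled from the switch's underlying Linux shell; the ordering check keeps a routine LD_PRELOAD export from raising an alert by itself.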