Chinese language APT group Velvet Ant deployed customized backdoor on Cisco Nexus switches

The attack demonstrates the sophistication of Velvet Ant's methods

Based on evidence found by Sygnia on a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw in order to create a file with base64-encoded content. They then issued commands to decode the contents and save it to a file called ufdm.so. On Linux systems, .so files are shared object libraries that are loaded by other processes, while ufdm is the name of a legitimate file on NX-OS.

After creating their malicious library, the attackers replaced the legitimate ufdm file with curl, another legitimate Linux tool for downloading files, and added their ufdm.so library to the LD_PRELOAD environment variable, which can be used to override the location of standard libraries. They then executed the now-fake /root/ufdm process, which loaded their malicious ufdm.so library into memory.

After running some commands to make sure the process was running and their implant was creating the expected network connections, they deleted the renamed ufdm and ufdm.so files from disk in order to cover their tracks.
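As an added example (not from the Sygnia report or this article), the following Python scan runs over constructed shell-audit lines and flags the chain described above from the defender's side: a shared object written from a base64 decode, a watched binary moved aside and overwritten by a different program, LD_PRELOAD pointing at a library outside the system library directories, and the later deletion of those artifacts. The audit-line format, the /tmp paths, the sample entries and the WATCHED_BINARIES list are assumptions made for the example; only /root/ufdm and ufdm.so come from the article.

```python
import os
import re
from dataclasses import dataclass

# Directories where a legitimately preloaded library would normally live (assumption).
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Legitimate binaries worth watching; /root/ufdm is the NX-OS file the article names.
WATCHED_BINARIES = {"/root/ufdm"}

# Patterns for the individual steps of the chain.
B64_TO_SO = re.compile(r"\bbase64\s+(?:-d|--decode)\b[^>]*>\s*(\S+\.so\b\S*)")
LD_PRELOAD = re.compile(r"\bLD_PRELOAD=(\S+)")
CP_MV = re.compile(r"\b(?:cp|mv)\s+(?:-\S+\s+)*(\S+)\s+(\S+)")
RM = re.compile(r"\brm\b\s+(.*)")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_audit_line(line):
    """Assumed audit format: '<timestamp> <user> <shell>: <command>'. Returns None if malformed."""
    try:
        ts, user, rest = line.split(" ", 2)
        _shell, cmd = rest.split(": ", 1)
    except ValueError:
        return None
    return ts, user, cmd


def find_ld_preload_implant_indicators(lines):
    """Return one Finding per suspicious step; state carried between lines lets the
    final deletions be tied back to the artifacts created earlier in the session."""
    findings = []
    dropped_libs = set()    # .so paths written from a base64 decode
    preloaded_libs = set()  # .so paths injected through LD_PRELOAD
    moved_aside = set()     # where a watched binary was renamed to
    for line_no, line in enumerate(lines, 1):
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        _ts, _user, cmd = parsed

        m = B64_TO_SO.search(cmd)
        if m:
            dropped_libs.add(m.group(1))
            findings.append(Finding(line_no, "dropped-library", f"base64 decode written to {m.group(1)}"))

        m = LD_PRELOAD.search(cmd)
        if m:
            for lib in m.group(1).split(":"):
                if not lib.startswith(STANDARD_LIB_DIRS):
                    preloaded_libs.add(lib)
                    findings.append(Finding(line_no, "ld-preload", f"LD_PRELOAD from non-standard path {lib}"))

        m = CP_MV.search(cmd)
        if m:
            src, dst = m.group(1), m.group(2)
            if src in WATCHED_BINARIES:
                moved_aside.add(dst)
                findings.append(Finding(line_no, "binary-moved", f"{src} moved to {dst}"))
            if dst in WATCHED_BINARIES and os.path.basename(src) != os.path.basename(dst):
                findings.append(Finding(line_no, "binary-replaced", f"{dst} overwritten by {src}"))

        m = RM.search(cmd)
        if m:
            for path in m.group(1).split():
                if path.startswith("-"):
                    continue
                if path in dropped_libs | preloaded_libs | moved_aside:
                    findings.append(Finding(line_no, "artifact-removed", f"{path} deleted after use"))
    return findings


# Constructed sample audit log mirroring the sequence the article describes.
SAMPLE_AUDIT_LOG = [
    "2024-07-01T10:00:01 admin bash: echo 'AAAA...' > /tmp/payload.b64",
    "2024-07-01T10:00:05 admin bash: base64 -d /tmp/payload.b64 > /tmp/ufdm.so",
    "2024-07-01T10:00:09 admin bash: mv /root/ufdm /root/ufdm.orig",
    "2024-07-01T10:00:12 admin bash: cp /usr/bin/curl /root/ufdm",
    "2024-07-01T10:00:15 admin bash: LD_PRELOAD=/tmp/ufdm.so /root/ufdm",
    "2024-07-01T10:00:40 admin bash: ls -la /proc/net/tcp",
    "2024-07-01T10:01:02 admin bash: rm -f /root/ufdm.orig /tmp/ufdm.so",
    "2024-07-01T10:30:00 admin bash: LD_PRELOAD=/usr/lib/libprofile.so /usr/bin/app",
    "2024-07-01T11:00:00 admin bash: show version",
]

if __name__ == "__main__":
    for f in find_ld_preload_implant_indicators(SAMPLE_AUDIT_LOG):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

The benign LD_PRELOAD entry near the end of the sample is deliberately not flagged, because the library sits under a system directory; a real deployment would tighten that allow-list to the exact libraries the platform is known to preload, and would pair this command-history view with file-integrity monitoring of the watched binaries, since an attacker who avoids the shell history leaves the on-disk replacement as the remaining evidence.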
