The OVERSTEP backdoor, written in C, is specifically designed for SonicWall SMA 100 series appliances. It injects itself into the memory of other processes via the /etc/ld.so.preload file and then hijacks standard file system functions such as open, open64, readdir, readdir64, and write. This allows it to hide its components on the system.
The backdoor’s main purpose is to steal passwords and provide attackers with a reverse shell on the system, through which they can execute further shell commands.
“In our investigations, GTIG observed beaconing traffic from compromised appliances, but we did not identify notable post-compromise activities,” the researchers wrote. “The actor’s success in hiding their tracks is largely due to OVERSTEP’s capability to selectively delete log entries from httpd.log, http_request.log, and inotify.log. This anti-forensic measure, combined with the absence of shell history on disk, significantly reduces visibility into the actor’s secondary objectives.”
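A defender-side check for the ld.so.preload hooking described above, added here as an example and not code from the article or from GTIG. It assumes a Linux/glibc host (which /etc/ld.so.preload implies) and that a preloaded library hooks libc's readdir/readdir64 but not the raw syscall interface, so a directory listing taken through getdents64 exposes names a hooked readdir drops:

```c
/* Added detection example, not code from the article or from GTIG; assumes Linux/glibc.
 * It compares what libc's readdir() returns (hookable through /etc/ld.so.preload) with
 * what the raw getdents64 syscall returns, so entries a hooked readdir drops stand out. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel record layout returned by getdents64 (glibc headers do not declare it). */
struct linux_dirent64 { unsigned long long d_ino; long long d_off;
                        unsigned short d_reclen; unsigned char d_type; char d_name[]; };

#define MAXN 2048                     /* names kept from the libc view (cap for brevity) */
static char names[MAXN][256];

/* Number of names the kernel reports that libc readdir() did not; -1 on error. */
int hidden_entries(const char *dir) {
    int n = 0, hidden = 0;
    char buf[16384];
    DIR *d = opendir(dir);
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) && n < MAXN; n++)
        snprintf(names[n], sizeof names[n], "%s", e->d_name);   /* libc (hookable) view */
    closedir(d);
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    long r;   /* direct syscall: a preloaded readdir/readdir64 hook never sees this path */
    while ((r = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < r;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            int seen = 0;
            for (int i = 0; i < n && !seen; i++) seen = !strcmp(names[i], e->d_name);
            hidden += !seen;          /* present in kernel view, missing from libc view */
            off += e->d_reclen;
        }
    close(fd);
    return r < 0 ? -1 : hidden;
}

int main(int argc, char **argv) {     /* usage: ./detect [directory]  (default: .) */
    char line[512];
    FILE *f = fopen("/etc/ld.so.preload", "r");   /* any entry here deserves a look */
    while (f && fgets(line, sizeof line, f)) printf("ld.so.preload: %s", line);
    if (f) fclose(f);
    printf("hidden entries: %d\n", hidden_entries(argc > 1 ? argv[1] : "."));
    return 0;
}
```

On a clean host the hidden count is 0 for every directory; a non-zero count, or any library listed in /etc/ld.so.preload that you did not put there, is the signal to pull the appliance for forensic imaging rather than to keep investigating through its own (hooked) shell.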



