Modified PRISM backdoor used in new attacks

Linux ELF executables used to avoid detection by antivirus products.

Security researchers have found a cluster of Linux ELF executables with low or zero antivirus detections in VirusTotal. 

Researchers at AT&T Alien Labs identified these executables as modifications of the open source PRISM backdoor used by multiple threat actors in various campaigns. 

Researchers said in further investigations of the malware, they discovered several campaigns using these malicious executables have remained active and under the radar for over 3.5 years. 

“The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November 2017,” researchers said.

One of the variants found was dubbed WaterDrop. According to researchers, it uses an easily identifiable user agent string “agent-waterdropx” for the HTTP-based command-and-control (C&C) communications, and it reaches to subdomains of the waterdropx[.]com domain.

“While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online,” said researchers.

Researchers also found samples tagged as “PRISM v1” that they attributed to the same threat actor because it used the same C&C domain.

Related Resource

Preparing for AI-enabled cyber attacks

MIT technology review insights

AI icon against a laptop icon on a yellow background - whitepaper from DarktraceDownload now

“Compared to the public PRISM, this version introduces the creation of a child process that constantly queries the C&C server for commands to execute,” they said.

There were two other versions of PRISM: v2.2 and v3. PRISM v2.2 introduced XOR encryption, such as the BASH command strings, to obfuscate sensitive data. PRISM v3 is identical to v2.2 with one exception: Clients include a bot ID for identification purposes.

Researchers said they had observed other actors using the PRISM backdoor for their operations.

“However, in the majority of these cases, the actor(s) use the original PRISM backdoor as is, without performing any major modifications. This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity,” they added.

Researchers say PRISM is an open source and simplistic backdoor with clearly identifiable traffic and easy-to-detect binaries. Despite its simplicity, “PRISM’s binaries have been undetected until now, and its C&C server has remained online for more than 3.5 years. This shows that while bigger campaigns that receive more attention are usually detected within hours, smaller ones can slip through.”

Researchers added that they expected the adversaries to remain active and conduct operations with this toolset and infrastructure.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021
How do hackers choose their targets?
hacking

How do hackers choose their targets?

17 Sep 2021
Owner of DDoS for hire sites found guilty of hacking offences
distributed denial of service (DDOS)

Owner of DDoS for hire sites found guilty of hacking offences

17 Sep 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
The technology powering the future of shopping
Technology

The technology powering the future of shopping

16 Sep 2021
Citrix mulling potential sale after tumultuous 2021
mergers and acquisitions

Citrix mulling potential sale after tumultuous 2021

15 Sep 2021