IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Modified PRISM backdoor used in new attacks

Linux ELF executables used to avoid detection by antivirus products.

Security researchers have found a cluster of Linux ELF executables with low or zero antivirus detections in VirusTotal. 

Researchers at AT&T Alien Labs identified these executables as modifications of the open source PRISM backdoor used by multiple threat actors in various campaigns. 

Researchers said in further investigations of the malware, they discovered several campaigns using these malicious executables have remained active and under the radar for over 3.5 years. 

“The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November 2017,” researchers said.

One of the variants found was dubbed WaterDrop. According to researchers, it uses an easily identifiable user agent string “agent-waterdropx” for the HTTP-based command-and-control (C&C) communications, and it reaches to subdomains of the waterdropx[.]com domain.

“While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online,” said researchers.

Researchers also found samples tagged as “PRISM v1” that they attributed to the same threat actor because it used the same C&C domain.

Related Resource

Preparing for AI-enabled cyber attacks

MIT technology review insights

AI icon against a laptop icon on a yellow background - whitepaper from DarktraceDownload now

“Compared to the public PRISM, this version introduces the creation of a child process that constantly queries the C&C server for commands to execute,” they said.

There were two other versions of PRISM: v2.2 and v3. PRISM v2.2 introduced XOR encryption, such as the BASH command strings, to obfuscate sensitive data. PRISM v3 is identical to v2.2 with one exception: Clients include a bot ID for identification purposes.

Researchers said they had observed other actors using the PRISM backdoor for their operations.

“However, in the majority of these cases, the actor(s) use the original PRISM backdoor as is, without performing any major modifications. This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity,” they added.

Researchers say PRISM is an open source and simplistic backdoor with clearly identifiable traffic and easy-to-detect binaries. Despite its simplicity, “PRISM’s binaries have been undetected until now, and its C&C server has remained online for more than 3.5 years. This shows that while bigger campaigns that receive more attention are usually detected within hours, smaller ones can slip through.”

Researchers added that they expected the adversaries to remain active and conduct operations with this toolset and infrastructure.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

What is open source?
Software

What is open source?

30 Jun 2022
Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support
Hardware

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Xerox CEO John Visentin dies unexpectedly aged 59
Careers & training

Xerox CEO John Visentin dies unexpectedly aged 59

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022