Updated PRISM Backdoor DiscoveredResearchers: Malicious Executables Remained Under the Radar for Over 3 Years
Security researchers at AT&T Alien Labs say they've discovered a cluster of Linux ELF executables, identified as modifications of the open-source PRISM backdoor, that attackers have been using in several campaigns for more than three years.
The researchers note that these executables generally are not being detected in VirusTotal, which analyzes suspicious files and URLs to detect malware.
"PRISM is an open-source, simplistic and straightforward backdoor," the researchers note. "Its traffic is clearly identifiable, and its binaries are easy to detect. Despite this, PRISM’s binaries have been undetected until now, and its command-and-control server has remained online for more than 3.5 years. This shows that while bigger campaigns that receive more attention are usually detected within hours, smaller ones can slip through."
One of the PRISM variants discovered is WaterDrop, which includes a function named xencrypt that performs XOR encryption with the hard-coded single-byte 0x1F key.
"Starting in version 7 of the WaterDrop variant, samples include the plain-text string “WaterDropx vX started”, where X is the integer version number. So far, we have observed versions 1, 2.2, and 3 still using the name PRISM. Versions 7, 9, and 12 are named WaterDropx," researchers note. "It also uses the easily identifiable User Agent string “agent-waterdropx” for the HTTP-based command and control communications, and it reaches to subdomains of the waterdropx[.]com domain."
Threat actors using Linux ELF executables have largely avoided detection in VirusTotal because their campaigns are fairly small, the researchers say.
The waterdropx[.]com domain was registered to the current owner on Aug. 18, 2017, and as of Aug. 10, 2021, it was still online.
Besides the base PRISM features, researchers say WaterDrop introduces XOR encryption for the configuration and an additional process that regularly queries the C2 server for commands to execute. This communication with the C2 server is generally a plain-text HTTP, and it is performed via the curl command.
Curl command provides library and command-line tools for transferring data using various network protocols.
"In all the versions Alien Labs has observed, the option -A “agent-waterdropx” is used, meaning the User Agent header will remain constant across versions. We have also observed some samples of this variant that load a Kernel Module if the process is executed with root privileges," the researchers note.
Versions of PRISM
Researchers found malware samples tagged as PRISM v1, which they attribute with high confidence to the same threat actor that is behind the other Linux ELF executable PRISM variants they found, the variant all use the same C2 domain (waterdropx[.]com). The samples also share distinctive features such as the agent-waterdropx User Agent string.
"Compared to the public PRISM, this version introduces the creation of a child process that constantly queries the C2 server for commands to execute. PRISM v1 does not feature any kind of obfuscation, packing, or encryption of the binaries," the researchers note.
PRISM v2.2 and PRISM v3 are almost identical; both use BASH command strings to obfuscate sensitive data. "PRISM v3 is identical to v2.2, with one exception: PRISM v3 clients include a bot id for identification purposes. This bot id is saved to /etc/.xid and used in the malware beacon," researchers claim.
AT&T Alien Labs researchers say that in addition to the threat actor using the newly discovered Linux ELF executable PRISM variants, they have observed other actors using the original PRISM backdoor without performing any major modifications.
"This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity," researchers note. "Alien Labs expects the adversaries to remain active and conduct operations with this toolset and infrastructure. We will continue to monitor and report any noteworthy findings."