Chinese APT group Velvet Ant deployed custom backdoor on Cisco Nexus switches

The attack demonstrates the sophistication of Velvet Ant’s tactics

Based on evidence Sygnia found on a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw to create a file containing base64-encoded content. They then issued commands to decode that content and save the result to a file called ufdm.so. On Linux systems, .so files are shared object libraries that are loaded into other processes, and ufdm is the name of a legitimate file on NX-OS, so the name was chosen to blend in.

After creating their malicious library, the attackers replaced the legitimate ufdm file with curl, another legitimate Linux tool used for downloading files, and pointed the LD_PRELOAD environment variable at their ufdm.so. LD_PRELOAD tells the dynamic loader to load the listed libraries before any others, so functions they export take precedence over the same-named functions in the standard libraries, which makes it a common way to inject code into a trusted process. They then executed the now-fake /root/ufdm process, which loaded their malicious ufdm.so library into memory.

After running some commands to confirm that the process was running and that their implant was making the expected network connections, they deleted the renamed ufdm binary and the ufdm.so library from disk to cover their tracks. Deleting the files does not stop the implant: the process keeps running from memory, and only the on-disk artifacts disappear.
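The sequence above leaves a recognisable trace on the underlying Linux system even after the files are gone: the process's /proc entry still names its executable and mapped libraries, marking them "(deleted)", and the LD_PRELOAD variable survives in the process environment. The following is an added example written for this article, not code from Sygnia or Cisco; it runs the check against constructed /proc-style snapshots (the /root/ufdm.so path and the PID are assumptions) and includes a helper for scanning a live /proc on any Linux host where a shell is available.

```python
"""Flag processes that kept running after their on-disk image was removed
(a deleted executable or a deleted LD_PRELOAD library) and processes that
were started with LD_PRELOAD set. Works on any Linux /proc; the sample
snapshots below are constructed for demonstration."""
import os
from dataclasses import dataclass


@dataclass
class ProcSnapshot:
    pid: int
    exe: str        # target of the /proc/<pid>/exe symlink
    maps: str       # contents of /proc/<pid>/maps
    environ: bytes  # contents of /proc/<pid>/environ (NUL-separated)


def mapped_paths(maps: str) -> list:
    """Return the file/pseudo-file column of each maps line, in order."""
    paths = []
    for line in maps.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) == 6:
            paths.append(parts[5].strip())
    return paths


def preload_value(environ: bytes):
    """Return the LD_PRELOAD value from a NUL-separated environ, or None."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def analyse(snap: ProcSnapshot) -> list:
    """Return a list of human-readable findings for one process."""
    findings = []
    if snap.exe.endswith(" (deleted)"):
        findings.append(f"executable removed from disk: {snap.exe}")
    preload = preload_value(snap.environ)
    if preload:
        findings.append(f"LD_PRELOAD set: {preload}")
    for path in sorted(set(mapped_paths(snap.maps))):
        if path.endswith(" (deleted)") and path != snap.exe:
            findings.append(f"mapped file removed from disk: {path}")
    return findings


def read_procfs(pid: int) -> ProcSnapshot:
    """Build a snapshot from a live /proc (needs permission to read environ)."""
    base = f"/proc/{pid}"
    with open(f"{base}/maps") as f:
        maps = f.read()
    with open(f"{base}/environ", "rb") as f:
        environ = f.read()
    return ProcSnapshot(pid, os.readlink(f"{base}/exe"), maps, environ)


def scan_live_proc() -> dict:
    """Return {pid: findings} for every readable process with a finding."""
    results = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            findings = analyse(read_procfs(int(name)))
        except OSError:
            continue  # process exited or is not ours to inspect
        if findings:
            results[int(name)] = findings
    return results


# Constructed sample: what /proc would show for a host process started as
# "LD_PRELOAD=/root/ufdm.so /root/ufdm" after both files were unlinked.
# The library path and PID are assumptions for this example.
SUSPECT = ProcSnapshot(
    pid=4242,
    exe="/root/ufdm (deleted)",
    maps="\n".join([
        "55d0a3c00000-55d0a3c30000 r-xp 00000000 fd:00 131072   /root/ufdm (deleted)",
        "7f2c1e000000-7f2c1e003000 r-xp 00000000 fd:00 131073   /root/ufdm.so (deleted)",
        "7f2c1e200000-7f2c1e3c0000 r-xp 00000000 fd:00 2048     /lib/x86_64-linux-gnu/libc.so.6",
        "7ffd5b9e0000-7ffd5ba01000 rw-p 00000000 00:00 0        [stack]",
    ]),
    environ=b"PATH=/usr/bin:/bin\0LD_PRELOAD=/root/ufdm.so\0HOME=/root\0",
)

# Constructed benign sample: an ordinary curl with nothing preloaded.
BENIGN = ProcSnapshot(
    pid=1234,
    exe="/usr/bin/curl",
    maps="7f2c1e200000-7f2c1e3c0000 r-xp 00000000 fd:00 2048     /lib/x86_64-linux-gnu/libc.so.6",
    environ=b"PATH=/usr/bin:/bin\0HOME=/root\0",
)

if __name__ == "__main__":
    for snap in (SUSPECT, BENIGN):
        print(snap.pid, analyse(snap) or "clean")
```

The check is deliberately narrow: a deleted executable or library on its own can be a benign package upgrade, so treat the combination with LD_PRELOAD as the strong signal. When a hit is found, the deleted binary and library can still be recovered from the live process for analysis by copying /proc/<pid>/exe and the entries under /proc/<pid>/map_files before the process is killed.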
