Pygmy Goat Malware: A Sophisticated Network Device Backdoor Targets Firewalls
In a recent report by the National Cyber Security Centre (NCSC), analysts detailed a new malware threat targeting network devices, dubbed “Pygmy Goat.” This backdoor malware, discovered on Sophos XG firewall devices, demonstrates sophisticated capabilities to evade detection, capture sensitive data, and maintain control over compromised devices.
According to the report, Pygmy Goat “uses LD_PRELOAD to get loaded into /bin/sshd and hook its accept function,” allowing it to intercept incoming SSH connections with minimal disruption to regular network traffic.
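Because the hook is loaded through the dynamic linker rather than by modifying the sshd binary, a host-side check can look for the two mechanisms that force a shared object into a process (the LD_PRELOAD variable in /proc/&lt;pid&gt;/environ and /etc/ld.so.preload) and for any mapped library outside the standard library directories. The following triage script is an added example written for this page, not code from the NCSC report; the sample environ, ld.so.preload and maps contents and the library paths in them are constructed placeholders, not indicators from the report.

```python
from pathlib import Path

EXPECTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")  # where a stock sshd's libraries live

def preload_entries(environ: bytes, ld_so_preload: str) -> list[str]:
    """Shared objects forced into a process by LD_PRELOAD or /etc/ld.so.preload."""
    found = []
    for var in environ.split(b"\0"):          # /proc/<pid>/environ is NUL-separated
        if var.startswith(b"LD_PRELOAD="):
            value = var[len(b"LD_PRELOAD="):].decode(errors="replace")
            found += [p for p in value.replace(":", " ").split() if p]
    for line in ld_so_preload.splitlines():   # ld.so.preload allows '#' comments
        entry = line.split("#", 1)[0].strip()
        if entry:
            found.append(entry)
    return found

def unexpected_mapped_objects(maps_text: str) -> list[str]:
    """Mapped .so files that live outside the standard library directories."""
    suspicious = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)        # 6th field is the backing path, if any
        path = parts[5] if len(parts) == 6 else ""
        if (path.endswith(".so") or ".so." in path) and not path.startswith(EXPECTED_LIB_DIRS):
            suspicious.add(path)
    return sorted(suspicious)

def triage_sshd(proc_root: str = "/proc") -> dict[int, dict]:
    """Check every live sshd process; returns {pid: findings} for the suspicious ones."""
    preload_file = Path("/etc/ld.so.preload")
    ld_so_preload = preload_file.read_text() if preload_file.exists() else ""
    findings = {}
    for pid_dir in (p for p in Path(proc_root).iterdir() if p.name.isdigit()):
        try:
            if (pid_dir / "comm").read_text().strip() != "sshd":
                continue
            preloads = preload_entries((pid_dir / "environ").read_bytes(), ld_so_preload)
            mapped = unexpected_mapped_objects((pid_dir / "maps").read_text())
        except OSError:                       # process exited or environ not readable
            continue
        if preloads or mapped:
            findings[int(pid_dir.name)] = {"preload": preloads, "unexpected_maps": mapped}
    return findings

# Constructed sample data; the paths are placeholders, not indicators from the report.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/example_preload.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# constructed\n/opt/example/hook.so\n"
SAMPLE_MAPS = ("7f00a0000000-7f00a0020000 r-xp 00000000 08:01 1234 /usr/lib/libc.so.6\n"
               "7f00a0100000-7f00a0110000 r-xp 00000000 08:01 5678 /tmp/example_preload.so\n"
               "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n")
```

Run `triage_sshd()` as root on a Linux host to check the live sshd processes; reading another user's environ requires that privilege, and a reboot-persistent hook will also show up as a non-empty /etc/ld.so.preload.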
Pygmy Goat employs multiple layers of stealth. One notable feature is its ability to listen for specific “magic bytes” in SSH connections, enabling it to establish communication with a command-and-control (C2) server. It also uses raw ICMP sockets to trigger a connection back to its operators, making it challenging for standard network monitoring tools to detect. The report highlights that the malware “listens on a raw socket for incoming ICMP packets to trigger a connect back” to its C2 server.
Once activated, Pygmy Goat can execute several commands remotely, including spawning shells, capturing network packets, and creating reverse SOCKS proxies. “Pygmy Goat has a number of commands it can execute according to a command ID byte,” NCSC noted, explaining the malware’s adaptability for various malicious purposes, from remote access to data exfiltration.
While Pygmy Goat has only been observed on Sophos XG firewalls, the report suggests it may be adaptable to other Linux-based network devices. The embedded CA certificate, masquerading as a Fortinet certificate, hints that Pygmy Goat’s developers may have initially targeted Fortinet devices, expanding its reach across different platforms over time. “The embedded Root CA Certificate claims to have been issued by FortiGate, Fortinet Ltd.,” NCSC wrote, pointing to the potential origins of this malware.
The NCSC has advised organizations to review security configurations and monitor for indicators of compromise, including the presence of specific files and unusual network behavior associated with ICMP port knocking and suspicious SSH handshakes.