In a recent report by the National Cyber Security Centre (NCSC), analysts detailed a new malware threat targeting network devices, dubbed “Pygmy Goat.” This backdoor malware, discovered on Sophos XG firewall devices, demonstrates sophisticated capabilities to evade detection, capture sensitive data, and maintain control over compromised devices.
According to the report, Pygmy Goat “uses LD_PRELOAD to get loaded into /bin/sshd and hook its accept function,” allowing it to intercept incoming SSH connections with minimal disruption to regular network traffic.
Pygmy Goat employs multiple layers of stealth. One notable feature is its ability to listen for specific “magic bytes” in SSH connections, enabling it to establish communication with a command-and-control (C2) server. It also uses raw ICMP sockets to trigger a connection back to its operators, making it challenging for standard network monitoring tools to detect. The report highlights that the malware “listens on a raw socket for incoming ICMP packets to trigger a connect back” to its C2 server.
Once activated, Pygmy Goat can execute several commands remotely, including spawning shells, capturing network packets, and creating reverse SOCKS proxies. “Pygmy Goat has a number of commands it can execute according to a command ID byte,” NCSC noted, explaining the malware’s adaptability for various malicious purposes, from remote access to data exfiltration.
While Pygmy Goat has only been observed on Sophos XG firewalls, the report suggests it may be adaptable to other Linux-based network devices. The embedded CA certificate, masquerading as a Fortinet certificate, hints that Pygmy Goat’s developers may have initially targeted Fortinet devices, expanding its reach across different platforms over time. “The embedded Root CA Certificate claims to have been issued by FortiGate, Fortinet Ltd.,” NCSC wrote, pointing to the potential origins of this malware.
The NCSC has advised organizations to review security configurations and monitor for indicators of compromise, including the presence of specific files and unusual network behavior associated with ICMP port knocking and suspicious SSH handshakes.
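Two of the host-level artefacts the report describes, a shared object preloaded into /bin/sshd via LD_PRELOAD and a raw ICMP socket used as a wake-up trigger, are both visible through the Linux /proc filesystem. The following script is an added example for defenders, not code from the NCSC report or from the malware analysis; it reads /proc/<pid>/maps, /proc/<pid>/environ, /etc/ld.so.preload and /proc/net/raw, flags shared objects mapped from outside the normal library directories, any LD_PRELOAD setting, and any raw socket bound to IP protocol 1. The sample /proc excerpts embedded below are constructed for illustration, and the "trusted" directory list is an assumption about a stock Linux layout that should be adjusted for the appliance image being checked.

```python
"""Defender-side checks for LD_PRELOAD injection into sshd and for raw ICMP
sockets, run either on a live host or on saved /proc captures."""
import os
import re
from typing import List

# Directories a stock Linux sshd legitimately maps shared objects from.
# Assumption: the appliance keeps its system libraries under these prefixes.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed /proc/<pid>/maps excerpt for an sshd process (not captured from
# a real device). The /tmp mapping is what a preloaded library looks like.
SAMPLE_MAPS = """\
55d1c0400000-55d1c04f8000 r-xp 00000000 08:01 1234 /bin/sshd
7f3a8c000000-7f3a8c1c3000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f3a8c200000-7f3a8c2a0000 r-xp 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a8c300000-7f3a8c305000 r-xp 00000000 08:01 3456 /tmp/.cache/libpreload.so
7f3a8c400000-7f3a8c402000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed /proc/net/raw excerpt. For raw sockets the "port" half of
# local_address holds the IP protocol number, so :0001 is ICMP, :0011 is UDP.
SAMPLE_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34567 2 0000000000000000 0
   1: 00000000:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34568 2 0000000000000000 0
"""

# address perms offset dev inode pathname; only file-backed entries have a path
MAPS_PATH_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(/\S+)$")


def mapped_files(maps_text: str) -> List[str]:
    """Unique file-backed mappings from a /proc/<pid>/maps dump, first-seen order."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_PATH_RE.match(line.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def untrusted_shared_objects(maps_text: str) -> List[str]:
    """Shared objects mapped from outside the trusted library directories."""
    return [p for p in mapped_files(maps_text)
            if ".so" in os.path.basename(p) and not p.startswith(TRUSTED_LIB_DIRS)]


def preload_entries(preload_text: str) -> List[str]:
    """Library paths listed in /etc/ld.so.preload ('#' starts a comment)."""
    entries = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def ld_preload_from_environ(environ: bytes) -> str:
    """Value of LD_PRELOAD in a NUL-separated /proc/<pid>/environ blob, or ''."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return ""


def raw_icmp_socket_inodes(net_raw_text: str) -> List[int]:
    """Socket inodes of open raw sockets bound to IP protocol 1 (ICMP)."""
    inodes = []
    for line in net_raw_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        if int(fields[1].split(":")[1], 16) == 1:
            inodes.append(int(fields[9]))  # column 10 is the socket inode
    return inodes


def findings(maps_text: str, preload_text: str, environ: bytes,
             net_raw_text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing flagged."""
    out = [f"sshd maps shared object from untrusted path: {so}"
           for so in untrusted_shared_objects(maps_text)]
    out += [f"/etc/ld.so.preload lists: {e}" for e in preload_entries(preload_text)]
    env_preload = ld_preload_from_environ(environ)
    if env_preload:
        out.append(f"sshd environment sets LD_PRELOAD={env_preload}")
    out += [f"raw ICMP socket open (inode {i}); check which process owns it"
            for i in raw_icmp_socket_inodes(net_raw_text)]
    return out


def scan_live_sshd(pid: int) -> List[str]:
    """Run the checks on a live host; needs root to read /proc/<pid>/environ."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/environ", "rb") as f:
        environ = f.read()
    preload_text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    with open("/proc/net/raw") as f:
        net_raw_text = f.read()
    return findings(maps_text, preload_text, environ, net_raw_text)


if __name__ == "__main__":
    for line in findings(SAMPLE_MAPS, "", b"PATH=/bin\0", SAMPLE_NET_RAW):
        print(line)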
Related Posts:
- China Targets U.S. Tech Startups through Investments, NCSC Reveals
- UK National Cyber Security Centre: Do not use ZTE equipment and services in the telecommunications industry
- Beyond Firewalls: NCSC Explores Cyber Deception’s Potential
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.