NCSC Details ‘Pygmy Goat’ Backdoor Planted on Hacked Sophos Firewall Devices


Jasper_The_Rasper
Moderator

A stealthy network backdoor found on hacked Sophos XG firewall devices is programmed to work on a broader range of Linux-based devices.

 

November 2, 2024 By Ryan Naraine

 

The UK’s National Cyber Security Centre (NCSC) has published a technical analysis of a sophisticated network backdoor planted on hacked Sophos XG firewall devices and warned that the malware was designed to run on a broader range of Linux-based network devices.

The backdoor, called Pygmy Goat, uses multiple stealthy techniques to maintain persistence and avoid detection and is capable of disguising malicious traffic as legitimate SSH connections.

The backdoor also uses encrypted ICMP packets as a covert communication channel, and the NCSC’s assessment of the code quality points to a competent, professional development effort.

“While not containing any novel techniques, Pygmy Goat is quite sophisticated in how it enables the actor to interact with it on demand, while blending in with normal network traffic. The code itself is clean, with short, well-structured functions aiding future extensibility, and errors are checked throughout, suggesting it was written by a competent developer or developers,” the NCSC said.

 

>>Full Article<<
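The article names two covert channels without giving any indicators: command-and-control that blends into SSH traffic, and encrypted payloads carried inside ICMP packets. The script below is an added example written for this post, not code from the NCSC report or from the malware, showing the kind of generic network-side heuristics a defender can run against traffic to a firewall's management address. It assumes a hypothetical firewall address (`FIREWALL_MGMT`), an admin allowlist (`ADMIN_SOURCES`) and constructed packet records; it exploits the fact that standard ping tools fill the echo payload with a run of consecutive bytes, which ciphertext almost never contains, and that the first client bytes of a genuine SSH session must be a version banner (RFC 4253). These are not Pygmy Goat signatures, and a session that completes a real SSH handshake before the implant takes over would only be caught by the source-allowlist check, not by the banner check.

```python
"""Generic heuristics for encrypted-ICMP and disguised-SSH covert channels.

Added example for the forum post above; not NCSC or Pygmy Goat code.
Sample packets are constructed, not captured from a real device.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP destination port; 0 for ICMP
    payload: bytes = b""  # ICMP echo data or first TCP segment payload


# Assumed (hypothetical) firewall management address and admin allowlist.
FIREWALL_MGMT = "10.0.0.1"
ADMIN_SOURCES = {"10.0.0.50"}


def longest_increasing_run(data: bytes) -> int:
    """Length of the longest run in which each byte is the previous byte + 1 (mod 256).

    Linux ping fills its payload with 0x10, 0x11, 0x12, ...; Windows ping uses
    'abcdefghijklmnopqrstuvw...'. Encrypted data essentially never has such a run.
    """
    best = run = 1 if data else 0
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == (prev + 1) & 0xFF else 1
        best = max(best, run)
    return best


def check_icmp(pkt: Packet, min_len: int = 16, min_run: int = 8) -> Optional[str]:
    """Flag ICMP payloads large enough to carry data but lacking a ping pattern."""
    if pkt.proto != "icmp" or len(pkt.payload) < min_len:
        return None  # too short to judge; a real sensor would count these instead
    if longest_increasing_run(pkt.payload) < min_run:
        return (f"icmp {pkt.src}->{pkt.dst}: {len(pkt.payload)}-byte payload "
                f"with no ping pattern (encrypted?)")
    return None


def check_ssh(pkt: Packet) -> Optional[str]:
    """Flag management SSH from unknown sources, or tcp/22 data that is not SSH."""
    if pkt.proto != "tcp" or pkt.dport != 22 or pkt.dst != FIREWALL_MGMT:
        return None
    if pkt.src not in ADMIN_SOURCES:
        return f"ssh {pkt.src}->{pkt.dst}: management SSH from non-admin source"
    # The first client packet of an SSH session must be a version banner (RFC 4253 s4.2).
    if pkt.payload and not pkt.payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return f"ssh {pkt.src}->{pkt.dst}: tcp/22 data is not an SSH banner"
    return None


def scan(packets: list) -> list:
    """Run every check over every packet and return the alert strings."""
    alerts = []
    for pkt in packets:
        for check in (check_icmp, check_ssh):
            hit = check(pkt)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample traffic.
def linux_ping_payload() -> bytes:
    # 8 timestamp bytes followed by the 0x10, 0x11, ... fill pattern (56 bytes total).
    return b"\x66\x1e\x9a\x2f\x00\x00\x00\x00" + bytes(range(0x10, 0x10 + 48))


def fake_encrypted_payload(n: int = 96) -> bytes:
    # Deterministic hash output standing in for ciphertext.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-sample-%d" % counter).digest()
        counter += 1
    return out[:n]


SAMPLE_PACKETS = [
    Packet("icmp", "10.0.0.50", FIREWALL_MGMT, payload=linux_ping_payload()),      # benign
    Packet("icmp", "10.0.0.50", FIREWALL_MGMT, payload=b"abcdefghijklmnopqrstuvwabcdefghi"),  # benign Windows ping
    Packet("icmp", "198.51.100.7", FIREWALL_MGMT, payload=fake_encrypted_payload()),  # alert
    Packet("tcp", "10.0.0.50", FIREWALL_MGMT, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),       # benign
    Packet("tcp", "198.51.100.7", FIREWALL_MGMT, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),    # alert: unknown source
    Packet("tcp", "10.0.0.50", FIREWALL_MGMT, 22, fake_encrypted_payload(32)),       # alert: not a banner
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

The run-length test is deliberately chosen over Shannon entropy: a 56-byte Linux ping payload is made of mostly distinct bytes, so its entropy is already near the maximum for that length and would not separate it from ciphertext, whereas the consecutive-byte fill pattern is present in one and absent in the other. Tune `min_len` and `min_run` to the ping implementations actually seen on the network before alerting on them.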
