Hasty Briefs (beta)

Apt Encounters of the Third Kind

7 hours ago
  • #Incident Response
  • #Malware Analysis
  • #APT
  • A security assessment for a client turned into an incident response involving APT activity.
  • The client's network used custom Linux gateways with a monolithic kernel and a static Go application for reverse gateway functionality.
  • Anomalies were discovered in NFS traffic, including altered strings ('open id:' became 'open-id:') and extra data appended to file reads.
  • Malware was found on the NFS server, including a malicious libfsalvfs.so with covert channels for data exfiltration and command and control.
  • The malware included self-destruct mechanisms, command execution, and payload loading via pseudo-files in a .snapshot directory.
  • Forensics revealed the kernel was patched by an attacker, likely via a compromised developer's laptop, while the Go app remained secure due to CI/CD protections.
  • A technique was discovered to hook Go binaries by injecting trampoline code into the net/http.(*connReader).Read function.
  • The attacker exfiltrated PII from decrypted HTTPS traffic using a multi-stage payload delivered through NFS covert channels.
  • The client opted to publish findings to deter the attackers, with more details to come in future posts.
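The last two findings above (a trampoline written over the entry of net/http.(*connReader).Read, and a Go binary that stayed clean only because the CI/CD pipeline protected its build) suggest one cheap defensive control: a function-level integrity check of the deployed binary against the artifact the pipeline produced. The example below is added here and is not code from the article or from the client's environment. It parses an unstripped little-endian ELF64 Go binary with the standard library only, fingerprints every function symbol, diffs a deployed copy against the reference fingerprints, and flags entries that start with a common x86-64 trampoline encoding (jmp rel32, jmp [rip+disp32], or mov rax,imm64 / jmp rax). The x86-64 architecture, the symbol names, and the function bodies used in the inline demo are constructed assumptions for illustration.

```python
"""Function-level integrity check for an unstripped Go ELF binary.

Added example (not the article's tooling). Assumes a little-endian ELF64
on x86-64 whose .symtab still carries Go's function symbols.
"""
import hashlib
import json
import struct
import sys
from typing import Dict, List, Optional

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym, 24 bytes
SHT_SYMTAB = 2
STT_FUNC = 2


def _cstr(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\0", off)].decode("utf-8", "replace")


def extract_functions(elf: bytes) -> Dict[str, bytes]:
    """Map every STT_FUNC symbol in .symtab to the raw bytes of its body."""
    (ident, _, _, _, _, _, shoff, _, _, _, _, shentsize, shnum, _) = EHDR.unpack_from(elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    shdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    funcs: Dict[str, bytes] = {}
    for sh in shdrs:
        if sh[1] != SHT_SYMTAB:
            continue
        _, _, _, _, sym_off, sym_size, link, _, _, entsize = sh
        strtab = shdrs[link]                      # sh_link points at .strtab
        strblob = elf[strtab[4]:strtab[4] + strtab[5]]
        for i in range(sym_size // entsize):
            name_off, info, _, shndx, value, size = SYM.unpack_from(elf, sym_off + i * entsize)
            # skip non-functions, zero-size and undefined/absolute symbols
            if info & 0xF != STT_FUNC or size == 0 or shndx == 0 or shndx >= shnum:
                continue
            sec = shdrs[shndx]
            file_off = sec[4] + (value - sec[3])  # sh_offset + (st_value - sh_addr)
            funcs[_cstr(strblob, name_off)] = elf[file_off:file_off + size]
    return funcs


def entry_looks_hooked(body: bytes) -> Optional[str]:
    """Describe an x86-64 trampoline at the function entry, or None.

    A jmp as the first instruction can also be a legitimate tail call, so a
    hit here is corroboration for a hash mismatch, not proof on its own.
    """
    if body.startswith(b"\xe9"):
        return "jmp rel32"
    if body.startswith(b"\xff\x25"):
        return "jmp [rip+disp32]"
    if body.startswith(b"\x48\xb8") and body[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return None


def fingerprint(funcs: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per function; this is what the CI pipeline would publish."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in funcs.items()}


def compare(reference: Dict[str, str], deployed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Diff a deployed binary's functions against reference fingerprints."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "missing": [], "hooked_entry": []}
    for name, body in deployed.items():
        if name not in reference:
            report["added"].append(name)
        elif reference[name] != hashlib.sha256(body).hexdigest():
            report["modified"].append(name)
        hit = entry_looks_hooked(body)
        if hit:
            report["hooked_entry"].append(f"{name}: {hit}")
    report["missing"] = sorted(set(reference) - set(deployed))
    return report


# Constructed sample bodies (not real Go code): a benign stack-check prologue.
CONSTRUCTED_REFERENCE = {
    "net/http.(*connReader).Read": b"\x49\x3b\x66\x10\x76\x4a" + b"\x90" * 26,
    "main.handleRequest": b"\x49\x3b\x66\x10\x76\x20" + b"\x90" * 10,
}
CONSTRUCTED_DEPLOYED = dict(CONSTRUCTED_REFERENCE)
# Deployed copy with the first five bytes of Read replaced by a jmp rel32.
CONSTRUCTED_DEPLOYED["net/http.(*connReader).Read"] = (
    b"\xe9\x00\x10\x00\x00" + CONSTRUCTED_REFERENCE["net/http.(*connReader).Read"][5:]
)


def demo() -> Dict[str, List[str]]:
    return compare(fingerprint(CONSTRUCTED_REFERENCE), CONSTRUCTED_DEPLOYED)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py <reference.elf> <deployed.elf>
        with open(sys.argv[1], "rb") as f:
            ref = fingerprint(extract_functions(f.read()))
        with open(sys.argv[2], "rb") as f:
            result = compare(ref, extract_functions(f.read()))
    else:
        result = demo()
    print(json.dumps(result, indent=2))
```

In practice the reference fingerprints would be produced once by the build pipeline and shipped alongside the artifact, so the check on the gateway never needs the clean binary itself; `missing` and `added` entries usually mean the two files are different builds rather than tampering, while a short `modified` list whose entries also appear under `hooked_entry` is the pattern worth pulling the host for.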