
NormCyber Threat Bulletin: 13th November 2024

“Pygmy Goat” Malware

Executive Summary
The “Pygmy Goat” malware is a sophisticated network device backdoor discovered on Sophos XG firewall devices. It leverages the LD_PRELOAD environment variable to inject itself into the SSH daemon (/bin/sshd), allowing it to hook the accept function and monitor incoming traffic for specific patterns. This malware is capable of establishing a remote shell, capturing packets, scheduling cron tasks, and creating a reverse SOCKS proxy server.

Introduction
“Pygmy Goat” is a native x86-32 ELF shared object designed to provide backdoor access to network devices. It was first identified on Sophos XG firewall devices, where it uses the LD_PRELOAD environment variable to load itself into the SSH daemon. This technique allows the malware to intercept and manipulate SSH connections, making it difficult to detect and remove.

Technical Details
Filename: libsophos.so
Size: 1,759,412 bytes
MD5: c71cd27efcdb8c44ab8c29d51f033a22
SHA-1: 71f70d61af00542b2e9ad64abd2dda7e437536ff
SHA-256: 6455de74ae15071fa98f18cdbc3148c967755e69df7dee747bc31d0387751162

Persistence Mechanism
The malware achieves persistence by modifying start-up scripts to set the LD_PRELOAD environment variable, ensuring that libsophos.so is loaded into the SSH daemon at system start. This allows the malware to hook the accept function and monitor incoming traffic for specific SSH protocol announcements.

Command and Control (C2) Communication
“Pygmy Goat” uses a raw ICMP socket to listen for incoming packets containing an AES-encrypted TCP callback IP and port. It can also use the hooked accept function to search for a sequence of magic bytes in SSH connections. Once a connection is established, the malware uses a hardcoded CA certificate masquerading as Fortinet to establish a TLS connection with the C2 server.

Functionality
Remote Shell: Allows the attacker to execute commands on the compromised device.
Packet Capture: Enables the attacker to capture network traffic.
Cron Tasks: Allows the attacker to schedule tasks on the compromised device.
Reverse SOCKS Proxy: Creates a proxy server to route traffic through the compromised device.

Detection and Mitigation
Detection of “Pygmy Goat” can be challenging due to its use of LD_PRELOAD and its ability to masquerade as legitimate SSH traffic. However, monitoring for unusual modifications to start-up scripts and unexpected network traffic patterns can help identify compromised devices. Mitigation involves removing the malicious libsophos.so file, restoring original start-up scripts, and updating firewall firmware to the latest version.
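To make the detection guidance above concrete, the following is an added example (not code from the bulletin or from the NCSC report) of three defender-side checks for the indicators described: start-up scripts that export LD_PRELOAD, an sshd process with libsophos.so mapped, and a file whose SHA-256 matches the published sample. It runs against constructed sample data in a temporary directory; the paths, the init.d layout and the /lib/libsophos.so location are assumptions, and on a real device you would point the functions at the device's own start-up scripts, process maps and suspect file.

```shell
#!/bin/sh
# Added example: checks for the Pygmy Goat indicators named in the bulletin.
# Everything under $WORK is constructed sample data, not real device files.
set -eu

# SHA-256 of libsophos.so as published in the bulletin.
PYGMY_SHA256=6455de74ae15071fa98f18cdbc3148c967755e69df7dee747bc31d0387751162

# List start-up scripts in DIR that set LD_PRELOAD (the persistence mechanism).
# Prints each matching file; exit status 0 if anything matched, 1 otherwise.
scan_startup_scripts() {
    dir=$1
    grep -l 'LD_PRELOAD' "$dir"/* 2>/dev/null || return 1
}

# Check a process memory map (e.g. /proc/$(pidof sshd)/maps) for the malicious
# shared object. Takes the maps file path so a saved copy can be checked too.
sshd_has_preloaded_lib() {
    maps=$1
    grep -q 'libsophos\.so' "$maps"
}

# Compare a file's SHA-256 with the published hash; exit status 0 on a match.
is_pygmy_goat_sample() {
    f=$1
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    [ "$sum" = "$PYGMY_SHA256" ]
}

# --- constructed sample data so the script runs stand-alone -----------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/init.d"
printf '#!/bin/sh\n/bin/sshd\n' > "$WORK/init.d/S50sshd"            # benign
printf '#!/bin/sh\nexport LD_PRELOAD=/lib/libsophos.so\n/bin/sshd\n' \
    > "$WORK/init.d/S10rc"                                        # persistence
printf 'b7f00000-b7f10000 r-xp 00000000 08:01 1234 /lib/libsophos.so\n' \
    > "$WORK/sshd.maps"                                            # hooked sshd
printf 'not the real sample\n' > "$WORK/libsophos.so"             # stand-in

scan_startup_scripts "$WORK/init.d" || echo "no LD_PRELOAD in start-up scripts"
sshd_has_preloaded_lib "$WORK/sshd.maps" && echo "sshd has libsophos.so mapped"
is_pygmy_goat_sample "$WORK/libsophos.so" || echo "hash does not match the published sample"
```

On a device, the hash check only confirms this exact sample; a recompiled variant would pass it, so the LD_PRELOAD and process-map checks are the ones to rely on.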

Conclusion
“Pygmy Goat” represents a significant threat to network security due to its sophisticated techniques for persistence, evasion, and functionality. Organisations using Sophos XG firewall devices should take immediate steps to detect and mitigate this malware to protect their networks from potential compromise.

References:
Malware Analysis Report – Pygmy Goat (ncsc.gov.uk)

Illegitimate invoices distributed through DocuSign’s API

What is DocuSign?
DocuSign is an electronic signature software platform that allows users to sign, submit, receive and manage their documentation digitally. In DocuSign, an envelope is the container for the documents sent out for signature. The Envelopes API allows users to draft and subsequently send an envelope with documents, recipients, and tabs; its purpose is to help automate the document signing process.

How does this happen?
A threat actor sets up a legitimate, paid DocuSign account, which allows them to modify templates and use the API directly. The attacker then deploys a meticulously crafted template that imitates e-sign document requests from reputable companies such as PayPal and Norton. The invoices may be priced realistically, with extra charges such as activation fees, in an attempt to appear legitimate.

Fig 1 – Example of a legitimate envelope (lab.wallarm.com)

If the document is signed by the recipient, the attacker is then able to send it to the finance department through DocuSign or request payment outside of DocuSign. Because the invoices are sent through DocuSign and contain no malicious attachments or links, they can bypass spam and phishing filters and appear legitimate.

This campaign differs from the type of phishing usually observed. Attackers ordinarily attempt to spoof emails from legitimate and trusted organisations, whereas in this case the emails genuinely come from the trusted company. In addition, the Envelopes API allows attackers to distribute these illegitimate invoices at scale, and there has been a notable increase in this activity over the past several months.

The Human Risk Management module from NormCyber can educate users on how to spot a likely malicious email. With this education, users become more aware of the tactics used by attackers and better able to exercise caution before acting on suspicious emails and links. It is also recommended to take a minute to assess an email or message before responding, and never to give anyone remote access to your device.

References:
DocuSign’s Envelopes API abused to send realistic fake invoices (bleepingcomputer.com)
Attackers Abuse DocuSign API to Send Authentic-Looking Invoices At Scale (lab.wallarm.com)
DocuSign Envelops API hijacked to send out fake invoices (techradar.com)

Phishing Campaigns Revive Legacy Exploit to Deliver Stealthy Remcos RAT

A New Threat Emerges
A recent threat campaign has emerged, with attackers exploiting the known Microsoft Office vulnerability CVE-2017-0199 to deploy a fileless variant of the Remcos Remote Access Trojan (RAT) directly into system memory. This vulnerability, despite being identified years ago, allows threat actors to evade traditional security defences, bypassing file-based detection methods and establishing a persistent, hidden presence on the target system.

The campaign begins with phishing emails carrying Excel attachments that appear encrypted or protected, designed to lure users into opening them.

Fig 2 – Excel document containing pixelated screenshot (Source – Trellix)

Upon opening the document, the embedded OLE object within the Excel file triggers the CVE-2017-0199 exploit to download a malicious HTML Application (HTA) file from a remote URL. This HTA file launches a series of PowerShell commands that are base64-encoded to evade detection. The PowerShell commands execute a VBScript, which initiates further PowerShell scripts that eventually download an image file concealing the final Remcos RAT payload. The payload hidden in the image is encoded and obfuscated and runs entirely within memory, leaving minimal traces on the system.

This multi-layered approach is a hallmark of sophisticated cyber operations, allowing attackers to maintain persistence on the compromised system without writing any files to disk. This makes detection and removal exceptionally challenging for traditional security solutions that rely on file-based detection.

Threat actors behind this campaign are targeting sectors with high-value data and critical infrastructure, including government, manufacturing, technology, and banking. The campaign has seen activity in regions such as the United States, Japan, Belgium, and South Korea. By focusing on these industries, attackers likely aim to access valuable data, disrupt critical operations, or establish long-term control over key systems.

This attack mirrors tactics seen in other recent malware campaigns, which use similar techniques to deliver different types of malware, including RevengeRAT, SnakeKeylogger, GuLoader, AgentTesla, and FormBook. All these campaigns involve weaponising everyday documents, such as Excel attachments, to execute fileless malware within the system’s memory. This approach minimises detectable footprints, complicating detection and response efforts.

Key techniques employed include Template Injection (T1221) and Visual Basic Scripting (T1059.005), as identified by MITRE ATT&CK. By deploying these techniques, attackers leverage legitimate software components in the attack chain, reducing the chances of detection by security tools.

This resurgence shows that legacy vulnerabilities like CVE-2017-0199 remain potent tools in the hands of sophisticated attackers. By using fileless techniques and exploiting seemingly routine documents, threat actors evade traditional defences and achieve persistent control over critical systems.

The campaign underscores the importance of proactive patching and continual monitoring to defend against increasingly complex threats. Staying ahead of these evolving tactics is essential as attackers find new ways to weaponise old exploits, turning trusted applications into delivery mechanisms for advanced, hard-to-detect malware.

By utilising NormCyber’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.

References:
Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT (trellix.com)
Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware (thehackernews.com)
Template Injection, Technique T1221 – Enterprise (attack.mitre.org)
