Attack campaign on edge appliance: undetected since 2021 and resists firmware update (Security News, March 2023)
The two scripts were set up to start each other whenever the other was not already running, which gave the primary malware process a backup instance and thereby made it more resilient.
A bash script named "GeoBotnetd" found on an infected device checks every 10 seconds for a firmware upgrade to appear in /cf/FIRMWARE/NEW/INITRD.GZ. When one appears, the script backs up the file, unzips it, mounts it, and then copies the whole package of malware files into the mounted image, so the malware is carried into the new firmware.
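The defender-side counterpart of the behaviour just described is to treat a staged firmware image as untrusted until it has been checked against a digest obtained out of band, and to re-check it immediately before it is applied so that any rewrite between staging and installation is caught. The following Python script is an added example written for this page; it is not code from the article or from Mandiant, and it assumes that a trusted SHA-256 digest for the image is available from outside the appliance (a vendor bulletin or signed manifest). The file contents, the temporary directory and the "tampering" step are constructed for the demonstration.

```python
"""Integrity check for a staged firmware image (added example, not from the article).

Assumption: `expected_sha256` comes from a trusted, out-of-band source and never
from the appliance itself. File contents and paths below are constructed.
"""
import gzip
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def gzip_stream_intact(path: str) -> bool:
    """Decompress the whole stream so gzip's CRC/length trailer is actually verified."""
    try:
        with gzip.open(path, "rb") as f:
            while f.read(1 << 20):
                pass
        return True
    except (OSError, EOFError):  # BadGzipFile is an OSError; EOFError means truncated
        return False


def verify_staged_image(path: str, expected_sha256: str) -> dict:
    """Check a staged image against an out-of-band digest and report why it failed."""
    actual = sha256_file(path)
    # compare_digest avoids leaking how much of the digest matched
    digest_ok = hmac.compare_digest(actual, expected_sha256.lower())
    gzip_ok = gzip_stream_intact(path)
    return {"path": path, "sha256": actual, "digest_ok": digest_ok,
            "gzip_ok": gzip_ok, "ok": digest_ok and gzip_ok}


def recheck_before_install(path: str, digest_at_staging: str) -> bool:
    """Re-hash right before applying the update: a rewrite after staging changes the digest."""
    return hmac.compare_digest(sha256_file(path), digest_at_staging)


def build_demo_image(directory: str) -> tuple:
    """Write a constructed stand-in for INITRD.GZ and return (path, known-good digest)."""
    path = os.path.join(directory, "INITRD.GZ")
    with gzip.open(path, "wb") as f:
        f.write(b"constructed initrd payload, not a real firmware image\n" * 64)
    return path, sha256_file(path)


def simulate_tamper(path: str) -> None:
    """Append bytes to the staged file, standing in for any post-staging modification."""
    with open(path, "ab") as f:
        f.write(b"tampered")


def run_demo() -> dict:
    """Stage a clean image, verify it, modify it, verify again; return all results."""
    with tempfile.TemporaryDirectory() as d:
        img, good = build_demo_image(d)
        clean = verify_staged_image(img, good)
        simulate_tamper(img)
        tampered = verify_staged_image(img, good)
        recheck = recheck_before_install(img, good)
    return {"clean": clean, "tampered": tampered, "recheck": recheck}


if __name__ == "__main__":
    r = run_demo()
    print("clean image ok  :", r["clean"]["ok"])
    print("after tamper ok :", r["tampered"]["ok"])
    print("recheck passes  :", r["recheck"])
```

The report dictionary rather than a bare boolean lets an update procedure log the reason for refusing an image; on a real appliance the check would run on a host that the appliance cannot write to, since a script with root on the device could just as easily rewrite the checker.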
Mandiant researchers indicate that this technique is consistent with another attack campaign they have analyzed that supported key Chinese government priorities.
While the initial infection vector in this attack campaign remains unknown, Mandiant researchers indicate that the malware, or a predecessor of it, was likely deployed in 2021 and that the threat actor probably retained access through multiple firmware updates.
Because the sole purpose of the malware is to steal user credentials, the attack campaign is strongly suspected of serving cyber espionage goals.
Mandiant stresses that developing malware for a managed appliance is no trivial task, as vendors generally do not offer direct access to the operating system or even to the filesystem of such devices.