Custom ‘Pygmy Goat’ Malware Targets Sophos Firewall in Government Network Attack

November 4, 2024

The UK's National Cyber Security Centre (NCSC) has released an analysis of a Linux malware called 'Pygmy Goat' that was created to infiltrate Sophos XG firewall devices. This malware was used in recent attacks by Chinese cyber threat actors.

The attacks were detailed in a series of Sophos reports named 'Pacific Rim', which covered five years of attacks on edge networking devices by Chinese threat actors. Pygmy Goat is a rootkit whose file names closely mimic Sophos product naming conventions. It is built to compromise network devices with advanced persistence, evasion, and remote access mechanisms, and it has a complex code structure with multiple execution paths.

While the NCSC report does not directly attribute the observed activity to any known threat actor, it highlights tactics, techniques, and procedures (TTPs) similar to those of the 'Castletap' malware, which Mandiant has linked to a Chinese nation-state actor. Sophos has also reported the same malware in its Pacific Rim report, stating that the rootkit was used in 2022 attacks linked to a Chinese threat actor known as 'Tstark'.

'X-Ops identified two copies of libsophos.so, both deployed using CVE-2022-1040 — one on a high-level government device and the other on a technology partner to the same government department,' Sophos shared. The 'Pygmy Goat' malware is an x86-32 ELF shared object ('libsophos.so') that gives threat actors backdoor access to Linux-based networking devices such as the Sophos XG firewall.

The malware is loaded into the SSH daemon (sshd) through the LD_PRELOAD environment variable, which lets it hook the daemon's library calls and override the accept function that handles incoming connections. From inside that hook it inspects SSH traffic for a specific sequence of 'magic bytes' in the first 23 bytes of each packet. When the sequence is found, the connection is treated as a backdoor session and redirected to an internal Unix socket (/tmp/.sshd.ipc), through which the malware communicates with its Command and Control (C2) infrastructure.

Pygmy Goat also listens on a raw ICMP socket for packets carrying an AES-encrypted payload that contains the IP address and port of a C2 server; receiving one triggers a connect-back attempt over TLS. For that TLS session the malware uses an embedded certificate that mimics Fortinet's 'FortiGate' CA, so the traffic can blend into network environments where Fortinet devices are common.

When a backdoor session is established, the malware performs a fake SSH handshake with pre-set responses so that the connection looks like a legitimate SSH session to network monitors. Over that channel the C2 server can send Pygmy Goat commands to execute on the device.

The NCSC report provides file hashes, plus YARA and Snort rules that detect the magic byte sequence and the fake SSH handshake, which defenders can use to spot Pygmy Goat activity early. Manual checks for certain files can also reveal an infection. The NCSC further recommends monitoring for encrypted payloads in ICMP packets and for 'LD_PRELOAD' in the environment of the 'sshd' process, both of which may indicate Pygmy Goat activity.
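As an added example of the host-side checks described above, here is a small hunting script written for this page by the editor; it is not from the NCSC report or from Sophos. It looks for the three artefacts the article names: LD_PRELOAD in the environment of an sshd process, a mapped shared object called libsophos.so, and the /tmp/.sshd.ipc Unix socket. The functions take file paths, so they can be run against /proc files copied from a forensic image as well as on a live host. The script name hunt_pygmy_goat.sh, the dependency on pgrep, and the treatment of /tmp, /var/tmp and /dev/shm as suspicious staging directories are assumptions of this example, not facts from the report.

```shell
#!/bin/sh
# Editor's hunting example for the Pygmy Goat artefacts named in the article.
# Not code from the NCSC report or from Sophos. Assumptions are marked inline.

# Return 0 and print the entry if a NUL-separated environ file (the format of
# /proc/<pid>/environ) contains LD_PRELOAD; return 1 otherwise.
ld_preload_in_environ() {
    tr '\0' '\n' < "$1" | grep '^LD_PRELOAD='
}

# Return 0 and print matching paths if a /proc/<pid>/maps-style file shows a
# mapped object named libsophos.so, or any mapped .so under a world-writable
# staging directory. The staging-directory list (/tmp, /var/tmp, /dev/shm) is
# an assumption of this example, not something the article states.
suspicious_objects_in_maps() {
    awk '$6 ~ /\.so(\.|$)/ { print $6 }' "$1" | sort -u |
        grep -E '(^|/)libsophos\.so$|^/(tmp|var/tmp|dev/shm)/'
}

# Return 0 if the backdoor's IPC socket path exists as a Unix socket.
# Defaults to the /tmp/.sshd.ipc path named in the article.
ipc_socket_present() {
    [ -S "${1:-/tmp/.sshd.ipc}" ]
}

# Live-host sweep: apply the checks to every process named sshd (pgrep from
# procps is assumed to be available). Prints one line per finding and returns
# 0 if anything was found, 1 if the host looks clean.
sweep_sshd() {
    found=1
    for pid in $(pgrep -x sshd 2>/dev/null); do
        if v=$(ld_preload_in_environ "/proc/$pid/environ"); then
            echo "sshd pid $pid environment: $v"; found=0
        fi
        if m=$(suspicious_objects_in_maps "/proc/$pid/maps"); then
            echo "sshd pid $pid mapped object(s): $m"; found=0
        fi
    done
    if ipc_socket_present; then
        echo "Unix socket /tmp/.sshd.ipc present"; found=0
    fi
    return $found
}

# Run the sweep only when executed under the assumed script name, so the file
# can also be sourced to reuse the functions against copied /proc files.
case "$0" in
    *hunt_pygmy_goat.sh) sweep_sshd ;;
esac
```

Run it as root (the environ and maps files of another user's process are not readable otherwise). A hit on LD_PRELOAD in sshd's environment is strong on its own; the maps check is there because the variable can be scrubbed from the environment after the library has been loaded, while the mapped object remains visible for the lifetime of the process.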
