In recent weeks, a concerning revelation has emerged from the UK’s National Cyber Security Centre (NCSC): the discovery of a Linux malware dubbed “Pygmy Goat.” This sophisticated malware targets Sophos XG firewall devices and is linked to a series of advanced persistent threat (APT) attacks attributed to Chinese threat actors. 🇨🇳
Sophos’s “Pacific Rim” reports detail a five-year campaign exploiting vulnerabilities in edge networking devices, emphasizing the need for heightened cybersecurity measures. 🛡️
The “Pygmy Goat” malware is a custom rootkit designed to backdoor Linux-based networking devices, particularly the Sophos XG firewalls. This advanced malware employs tactics that mimic legitimate Sophos file naming conventions, making detection challenging.
- Advanced Persistence: The malware employs complex code structures, ensuring it remains undetected while executing its malicious activities.
- Evasion Mechanisms: It utilizes the LD_PRELOAD environment variable to integrate itself with the SSH daemon (sshd), allowing it to monitor and manipulate incoming connections. 🔍
- Remote Access: Through a cleverly crafted communication channel, Pygmy Goat connects to its Command and Control (C2) server using TLS, disguised as legitimate Fortinet traffic.

Once installed, Pygmy Goat monitors SSH traffic for specific “magic bytes” to identify backdoor sessions. It then redirects these connections to an internal Unix socket, allowing attackers to control the device remotely. Here’s what they can do:
- Execute shell commands (/bin/sh or /bin/csh)
- Capture and forward network traffic to the C2
- Manage scheduled tasks through BusyBox 🗓️
- Establish a SOCKS5 reverse proxy using EarthWorm, enabling stealthy C2 traffic traversal

To defend against this emerging threat, organizations must implement proactive measures, including:
- Monitoring for suspicious files like /lib/libsophos.so and /tmp/.sshd.ipc.
- Utilizing file hashes and detection rules from the NCSC report to identify “Pygmy Goat” activity.
- Setting up alerts for unusual behavior involving the SSH daemon, particularly concerning the use of LD_PRELOAD.

As cybersecurity professionals, we must remain vigilant against evolving threats like “Pygmy Goat.” With advanced pentesting techniques and robust defense mechanisms, we can safeguard our networks from these sophisticated attacks.
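The file and LD_PRELOAD checks above, turned into a small host script. This is an added example, not code from the NCSC report or from Sophos; it assumes a Linux host with /proc, takes `root` and `proc_root` parameters so it can also be pointed at a mounted disk image or a test tree, and additionally reads /etc/ld.so.preload, the system-wide form of the same preload mechanism, which the article does not mention.

```python
"""Host check for the Pygmy Goat indicators the article lists (added example, not NCSC tooling)."""
from pathlib import Path

# File paths the article lists as indicators; `root` lets tests point at a fake tree.
SUSPICIOUS_PATHS = ["/lib/libsophos.so", "/tmp/.sshd.ipc"]


def find_suspicious_files(root="/"):
    """Return the indicator paths that exist beneath `root`."""
    return [p for p in SUSPICIOUS_PATHS if (Path(root) / p.lstrip("/")).exists()]


def parse_environ(raw):
    """Parse NUL-separated /proc/<pid>/environ bytes into a dict."""
    env = {}
    for entry in raw.split(b"\x00"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def sshd_ld_preload(proc_root="/proc"):
    """Return {pid: LD_PRELOAD} for every sshd process whose environment sets it."""
    hits = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # /proc/self, /proc/sys and friends are not processes
        try:
            if (entry / "comm").read_text().strip() != "sshd":
                continue
            env = parse_environ((entry / "environ").read_bytes())
        except OSError:
            continue  # process exited, or environ unreadable without root
        if "LD_PRELOAD" in env:
            hits[int(entry.name)] = env["LD_PRELOAD"]
    return hits


def ld_so_preload_entries(root="/"):
    """Libraries forced into every process via /etc/ld.so.preload (same effect as LD_PRELOAD)."""
    path = Path(root) / "etc/ld.so.preload"
    return [l.strip() for l in path.read_text().splitlines() if l.strip()] if path.exists() else []


def run_checks(root="/", proc_root="/proc"):
    """Gather all findings; empty lists/dicts mean none of the indicators were seen."""
    return {"files": find_suspicious_files(root),
            "sshd_ld_preload": sshd_ld_preload(proc_root),
            "ld_so_preload": ld_so_preload_entries(root)}
```

Run `run_checks()` as root on the live host; reading another user's /proc/<pid>/environ otherwise fails and the sshd check silently skips that process, so an empty report from an unprivileged run is not a clean bill of health.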
For comprehensive penetration testing services, trust Wire Tor to keep your systems secure. Reach out today to enhance your cybersecurity posture and defend against emerging threats! 💪🔐