December 2, 2023

Security researchers have found a cluster of Linux ELF executables with low or zero antivirus detections. These executables as modifications of the open source PRISM backdoor used by multiple threat actors in various campaigns for the past 3.5 years

One of the variants found was dubbed WaterDrop. It uses an easily identifiable user agent string “agent-waterdropx” for the HTTP-based (C&C) communications, and it reaches to subdomains of the waterdropx[.]com domain.

While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size.

There were two other versions of PRISM: v2.2 and v3. PRISM v2.2 introduced XOR encryption, such as the BASH command strings, to obfuscate sensitive data. PRISM v3 is identical to v2.2 with one exception: Clients include a bot ID for identification purposes.

Researchers said they had observed other actors using the PRISM backdoor for their operations.

The actor(s) use the original PRISM backdoor as is, without performing any major modifications. This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity.

Tags:

Leave a Reply

You may have missed

CISA KEV Update Part I – December 2023

December 1, 2023

Dollar Tree Affected by a Third Party Breach

December 1, 2023

Apple Patches iOS zerodays – CVE-2023-42916 and CVE-2023-42917

December 1, 2023

TheCyberThrone Security Week In Review – November 25, 2023

November 30, 2023

BlueVoyant Acquires Conquest Cyber

November 30, 2023

Google Fixes Sixth Chrome ZeroDay of 2023

November 29, 2023
%d bloggers like this: