Security researchers have found a cluster of Linux ELF executables with low or zero antivirus detections. These executables as modifications of the open source PRISM backdoor used by multiple threat actors in various campaigns for the past 3.5 years

One of the variants found was dubbed WaterDrop. It uses an easily identifiable user agent string “agent-waterdropx” for the HTTP-based (C&C) communications, and it reaches to subdomains of the waterdropx[.]com domain.

While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size.

There were two other versions of PRISM: v2.2 and v3. PRISM v2.2 introduced XOR encryption, such as the BASH command strings, to obfuscate sensitive data. PRISM v3 is identical to v2.2 with one exception: Clients include a bot ID for identification purposes.

Researchers said they had observed other actors using the PRISM backdoor for their operations.

The actor(s) use the original PRISM backdoor as is, without performing any major modifications. This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity.