A New Variant of Firewood Backdoor

MITRE Techniques

• [T1547] Boot or Logon Autostart Execution – FireWood sets persistence paths for root and non-root users (e.g., /usr/lib/.kde-root/, $HOME/.kde-root/, /etc/init.d/rc.local) to maintain startup execution. Quote: ‘…sets paths for root users as:/usr/lib/.kde-root/…/etc/init.d/rc.local…For non-root users, it uses:$HOME/.kde-root/…$HOME/.bashrc’
• [T1059] Command and Scripting Interpreter – The backdoor enables remote command execution and calls system() to execute retrieved files (command id 0x192). Quote: ‘…Gets a file from the C2 and execute it using the system function.’
• [T1041] Exfiltration Over C2 Channel – FireWood exfiltrates system information, credentials, and files (command id 0x195 handles file exfiltration for specific extensions). Quote: ‘…Exfiltration of files with the following extensions: v2, .k2, .W2, and drive.C2.’
• [T1014] Rootkit – Uses kernel-level rootkit modules (e.g., usbdev.ko) and process-hiding routines to conceal presence. Quote: ‘…employing kernel-level rootkit modules (e.g., usbdev.ko) and TEA-based encryption to hide its presence…’
• [T1573] Encrypted Channel – Communications use TEA-based encryption to communicate covertly with C2 infrastructure. Quote: ‘…TEA-based encryption to hide its presence, maintain persistence, and communicate covertly with its command-and-control infrastructure.’
• [T1105] Ingress Tool Transfer – The backdoor can receive files from C2 (CFileControl::FileUp) and write/execute them on the host (command id 0x192). Quote: ‘…this command calls first ‘CFileControl::FileUp’ to receive the file from the C2.’
• [T1543] Create or Modify System Process – The agent daemonizes, saves PID, and manipulates process metadata (process name, PID, port, hardcoded names) and uses CHideProcess routines to hide itself. Quote: ‘…builds a larger buffer containing the process name, hex-formatted port, PID, a hardcoded “kde-tra” process name…passed through CHideProcess::NetLinkInit()…’