Sekoia.io’s follow-up analysis details the PolarEdge Backdoor, an ELF64 implant targeting QNAP and other router/NAS devices that implements a custom TLS server, an unauthenticated binary command protocol, daily fingerprinting to C2 servers, and auxiliary connect-back and debug modes. The report includes the sample SHA256, a YARA rule, the observed exploit behavior (CVE-2023-20118), and the multiple anti-analysis and encryption techniques used by the implant. #PolarEdgeBackdoor #CVE-2023-20118
Keypoints
- PolarEdge was first observed exploiting CVE-2023-20118 to deploy a web shell and then a TLS-based backdoor across router and NAS vendors including QNAP, Asus, and Synology.
- The analyzed QNAP-targeting sample is an ELF64 binary (SHA256: a3e2826090f009691442ff1585d07118c73c95e40088c47f0a16c8a59c9d9082) that runs a custom mbedTLS-based TLS server and exposes an unauthenticated binary command protocol.
- The backdoor sends a daily host fingerprint to C2, supports connect-back mode to download files, and a debug mode to update C2 addresses when a local filter file exists.
- Configuration is stored in the final 512 bytes of the ELF, XOR-obfuscated (key 0x11) and split into markers for filter-file, TLS parameters (including port 49254), and C2 list.
- Multiple encryption/obfuscation techniques are used at runtime: a one-byte XOR, affine cipher over ASCII letters, rotation ciphers, and a chained PRESENT block-cipher implementation to decrypt .init_rodata and .init_text sections.
- Anti-analysis and deception include randomized process names (e.g., igmpproxy, httpd), mounting over /proc/, a watchdog fork to relaunch the binary, and removal/renaming of common utilities (wget/curl) on startup.
- Report provides IOCs and a YARA rule for detection, plus detailed TLS certificate artifacts and protocol token values enabling detection and hunting.
MITRE Techniques
- [T1210] Exploitation of Remote Services – The actor exploited CVE-2023-20118 to achieve remote code execution and deploy a web shell. Quote: ‘…attempt to exploit CVE-2023-20118, resulting in remote code execution (RCE) that deployed a web shell on the target router.’
- [T1059] Command and Scripting Interpreter – The attacker downloaded and executed a shell script named q which launched the PolarEdge backdoor. Quote: ‘…the attacker downloaded via FTP a shell script named q. Once run, q downloads, and launches the PolarEdge backdoor on the compromised system.’
- [T1573] Encrypted Channel – The backdoor implements a custom TLS server and uses TLS for C2 communication and connect-back downloads. Quote: ‘…listen for commands over a built-in TLS server implemented with mbedTLS.’
- [T1105] Ingress Tool Transfer – The connect-back mode and the fingerprint thread download remote payloads to /tmp/.qnax.sh, which is then executed. Quote: ‘If the server responds with a payload, that is written to /tmp/.qnax.sh… executes it.’
- [T1027] Obfuscated Files or Information – The sample uses XOR, affine cipher, rotation ciphers, and a chained PRESENT block cipher to obfuscate configuration and sections. Quote: ‘…employs two simple rotation ciphers… implements the PRESENT block cipher… the backdoor employs a one-byte XOR…’
- [T1036] Masquerading – The backdoor randomly picks benign-sounding process names (e.g., igmpproxy, httpd) to evade detection. Quote: ‘It randomly picks one name from a predefined list: igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, iapp.’
- [T1543] Create or Modify System Process – The implant forks a child that periodically checks the parent’s /proc entry and relaunches the backdoor if absent, serving as a watchdog for re-execution. Quote: ‘it calls fork to spawn a child process that, every 30 seconds, checks whether /proc/ still exists… the child executes a shell command to relaunch the backdoor.’
- [T1112] Modify Registry (or equivalent) – The backdoor renames/removes utilities and certain CGI files on the device, likely to prevent other actors or tools from interfering. Quote: ‘mv /usr/bin/wget /usr/bin/wget_w; mv /sbin/curl /sbin/curl_c … rm -f /share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak.’
Indicators of Compromise
- [File Hash] Analyzed sample – a3e2826090f009691442ff1585d07118c73c95e40088c47f0a16c8a59c9d9082
- [YARA Rule] Detection signature – Provided YARA rule named PolarEdgeBackdoor (includes markers {41 82 01 67 42 22 04 17} and {21 12 01 47 51 13 81 15}).
- [User-Agent] Exploit pattern – attacker used the same User-Agent header: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.85 Safari/537.36
- [Filenames] Dropped/executed files – shell script q (downloaded via FTP), and /tmp/.qnax.sh (downloaded payload executed by fingerprint thread)
- [Configuration/Port] Embedded TLS port and tokens – listening port 49254 and protocol token value (fWbmufIFB / WbmufIFB) used to validate requests
- [Certificates] Embedded TLS cert artifacts – Leaf cert CN=localhost (PolarSSL), CA subjects include PolarSSL Test CA and Polarssl Test EC CA, with key identifiers such as B4:5A:E4:A5:B3:DE:… and ECC subject key identifier 9D:6D:20:24:49:…
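A small triage script, added here as an example rather than taken from the Sekoia.io report, that combines the two checks the summary gives a defender: the YARA marker bytes from the IOC list and the XOR-0x11 configuration trailer from the key points. It assumes the one-byte XOR covers the whole 512-byte trailer and that the listening port and protocol token appear as ASCII inside it; the sample image it scans is constructed, and the real in-trailer section markers are not on the page, so it does not try to split the configuration.

```python
# Added example, not code from the Sekoia.io report or from PolarEdge itself.
# Assumptions: the XOR key 0x11 applies to the entire 512-byte trailer and the
# port/token strings appear in it as plain ASCII after decoding.
XOR_KEY = 0x11
TRAILER_LEN = 512
# Byte patterns quoted from the report's YARA rule (searched anywhere in the file).
YARA_MARKERS = {
    "marker_1": bytes.fromhex("4182016742220417"),
    "marker_2": bytes.fromhex("2112014751138115"),
}
# Plaintext artifacts the report attributes to the embedded configuration.
CONFIG_ARTIFACTS = [b"49254", b"fWbmufIFB", b"WbmufIFB"]


def decode_trailer(data: bytes) -> bytes:
    """Return the final 512 bytes of the image XOR-decoded with the key 0x11."""
    if len(data) < TRAILER_LEN:
        raise ValueError("file shorter than the 512-byte configuration trailer")
    return bytes(b ^ XOR_KEY for b in data[-TRAILER_LEN:])


def scan(data: bytes) -> dict:
    """Report which PolarEdge artifacts are present in an ELF image."""
    hits = {"is_elf": data[:4] == b"\x7fELF"}
    for name, pattern in YARA_MARKERS.items():
        hits[name] = pattern in data
    decoded = decode_trailer(data)
    hits["config_artifacts"] = [a.decode() for a in CONFIG_ARTIFACTS if a in decoded]
    return hits


def build_sample() -> bytes:
    """Constructed test image: fake ELF magic, one YARA marker, then an encoded trailer.
    The C2 address uses a documentation range and is not a real indicator."""
    body = b"\x7fELF" + b"\x00" * 60 + YARA_MARKERS["marker_2"] + b"\x00" * 100
    config = b"PORT=49254;TOKEN=fWbmufIFB;C2=203.0.113.10:49254"
    trailer = config.ljust(TRAILER_LEN, b"\x00")
    return body + bytes(b ^ XOR_KEY for b in trailer)


if __name__ == "__main__":
    print(scan(build_sample()))
```

Against a real sample, pass the file bytes to `scan()`; a trailer hit with no YARA marker hit (or the reverse) is a cue to look at the binary by hand rather than a verdict.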
Read more: https://blog.sekoia.io/polaredge-backdoor-qnap-cve-2023-20118-analysis/