Security researchers identified a statically linked 64-bit Linux backdoor named netd (contained in out_linux.tar) with an encrypted configuration file (netd.lck), RC4-encrypted C2 communications, an interactive PTY-backed shell, and remote file-transfer capabilities. The implant uses dynamic DNS domains and a custom RC4 challenge–response over TCP/443 (mefng.giize[.]com, chopaw.camdvr[.]org, drawpin.accesscam[.]org); a Mach-O variant observed on VirusTotal is labeled ChromeUpdates. #netd #mefng_giize
Keypoints
- Researchers found a 64-bit statically linked ELF backdoor named netd inside out_linux.tar with an accompanying encrypted configuration file netd.lck.
- netd.lck (810 bytes) is XOR-encrypted (first byte with 0x38, remainder with a long XOR key) and can be retrieved or updated remotely via backdoor commands.
- The backdoor locks a single running instance via a named semaphore but can be bypassed with a skip argument; it daemonizes, creates a PTY pair, and spawns an interactive shell.
- C2 resolution uses DNS requests (including a decoy query to www.google.com and queries to dynamic-DNS domains) with the returned IP XOR-decrypted (key 0xC7852752); default hardcoded C2 is mefng.giize[.]com:443.
- Network communication uses a custom RC4-based challenge–response and RC4-encrypted traffic (key 0x5D84EFD639604BB295FC270E715883EA) over TCP/443; the backdoor sends system info and supports commands for file upload/download, command execution, directory listing, process listing/killing, config update, and self-delete.
- Multiple submissions exist on VirusTotal (ELF and Mach-O variants); notable artifacts include out_linux.tar, netd/netd.lck hashes, and a Mach-O sample named ChromeUpdates.
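The two decode steps named above (the XOR-masked A-record answer and the RC4 traffic key), as an added Python example for analysts triaging captures; this is not code from the original report. The mask key, RC4 key and the observed address pair are the values stated above; the sample plaintext is constructed.

```python
# Added analyst helpers for the netd decode steps described above.
# IP_XOR_KEY and RC4_KEY are the values given in the report; the
# sample plaintext in the demo is constructed for illustration only.
import struct

IP_XOR_KEY = 0xC7852752                                        # mask on the A record
RC4_KEY = bytes.fromhex("5D84EFD639604BB295FC270E715883EA")   # C2 traffic key


def decode_c2_ip(raw_ip: str) -> str:
    """Recover the real C2 address from the XOR-masked DNS answer.

    The four answer bytes are read as a big-endian 32-bit word and XORed
    with IP_XOR_KEY; the byte order is confirmed by the report's own pair
    (138.89.104[.]8 decodes to 77.220.79[.]90).
    """
    octets = bytes(int(o) for o in raw_ip.replace("[.]", ".").split("."))
    raw = struct.unpack("!I", octets)[0]
    return ".".join(str(b) for b in struct.pack("!I", raw ^ IP_XOR_KEY))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_c2_record(ciphertext: bytes) -> bytes:
    """Decrypt one captured netd C2 record with the report's RC4 key."""
    return rc4(RC4_KEY, ciphertext)


if __name__ == "__main__":
    print(decode_c2_ip("138.89.104[.]8"))     # address pair from the report
    sample = b"constructed sample record"     # constructed, not captured
    print(decrypt_c2_record(rc4(RC4_KEY, sample)))
```

Each TCP/443 record in a capture is RC4-keyed independently here; if the implant chains state across records, feed the stream as one buffer instead.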
MITRE Techniques
- [T1059.004] Command and Scripting Interpreter – Spawns an interactive Unix shell for operator access via PTY/fork and exec of $SHELL or /bin/sh -i; [‘child executes an interactive shell ($SHELL or /bin/sh -i)’]
- [T1105] Ingress Tool Transfer – Implements C2-driven file transfer capabilities for uploading to and downloading from the victim; [‘do_upload C2 to victim file transfer’, ‘do_download Victim to C2 file transfer’]
- [T1071.001] Application Layer Protocol: Web Protocols – Uses an RC4-encrypted custom protocol over TCP/443 for C2 communications, including a challenge–response handshake; [‘a custom RC4 challenge-response protocol’, ‘mefng.giize[.]com:443’]
- [T1071.004] Application Layer Protocol: DNS – Performs DNS queries (including a decoy query to www.google.com via Google DNS) to resolve C2 domain names and retrieve XOR-encrypted IPs; [‘it makes a DNS request to www.google.com… and then makes a DNS request against the C2 to retrieve its IP address’]
- [T1082] System Information Discovery – Collects and sends system details (generated_uid, hostname, utsname fields) to the C2 during initialization; [‘send_systeminfo…generated_uid|hostname|connection_state|unknown_value|sysname|nodename|release|version|machine|domain name|’]
- [T1041] Exfiltration Over C2 Channel – Exfiltrates files and system information to the operator via the encrypted C2 channel (do_download and send_systeminfo behaviors); [‘do_download Victim to C2 file transfer’, ‘send_systeminfo’]
- [T1070.004] File Deletion – Implements self-deletion/cleanup when commanded (connection state set to self-destroy removes the backdoor and the configuration file); [‘For self-deletion purposes… removal of the backdoor and the configuration file’]
Indicators of Compromise
- [File Hashes] Payload and sample hashes observed on VirusTotal – out_linux.tar: 8e4f33722c16a5e922a81a4be61db804bbf2e899d89902085e854b7f0a0d587f; netd (ELF): be0f36ee071a9c0c200dcdaed98fce7fadc31305d0a5f24a244a3af7833d21dd; ChromeUpdates (Mach-O): bcffe674c4425634d4750bb21a505be9ce35e31413d2e6cce75ad0c609563cc5
- [File Names] Notable filenames and roles – netd (64-bit ELF backdoor), netd.lck (encrypted configuration, 810 bytes), ChromeUpdates (Mach-O variant observed on VirusTotal)
- [Domains] C2 and configuration domains observed – chopaw.camdvr[.]org, drawpin.accesscam[.]org, mefng.giize[.]com:443 (default hard-coded C2)
- [IP Addresses] Resolved and decrypted IPs associated with C2 infrastructure – observed raw address 138.89.104[.]8 (Verizon-owned, associated with a MikroTik device exposing port 8291), XOR-decrypted IP 77.220.79[.]90