
Ransomware actors target patched SonicWall SMA appliances with rootkit




The OVERSTEP backdoor, written in C, is built specifically for SonicWall SMA 100 series appliances. It gets itself loaded into the address space of other processes by being listed in /etc/ld.so.preload, the file the dynamic loader consults before resolving libc, and then hooks standard file-system functions such as open, open64, readdir, readdir64, and write. Because every dynamically linked program on the appliance resolves those calls through the rootkit's copies, it can filter directory listings and file contents to hide its own components from administrators and from tools running on the system.
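An ld.so.preload library intercepts library calls, not system calls, so a responder can check for this kind of hiding without trusting libc's view of the filesystem. The following is an added example written for this article (it is not code from the article, from GTIG or from SonicWall): it lists a directory once through readdir() and once through the raw getdents64 syscall, reports any name the kernel returns that libc does not, and separately checks whether /etc/ld.so.preload is present and non-empty. The file names in the constructed sample lists are made up for the demonstration.

```c
/* Added example: detect userland file hiding done through an ld.so.preload hook
 * on readdir()/readdir64(). A preload library can filter libc's readdir(),
 * but it cannot filter the getdents64 syscall the kernel answers directly. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* syscall() and SYS_getdents64 */
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 8192

/* Record layout returned by getdents64(2); glibc does not export it by name. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static char *copy_name(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

static void free_names(char **names, long n)
{
    for (long i = 0; i < n; i++) free(names[i]);
}

/* 1 if `path` exists and holds anything but whitespace. On a clean system the
 * file is normally absent. A hooked open() can lie here, hence the diff below. */
int preload_file_suspicious(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int c, nonblank = 0;
    while (!nonblank && (c = fgetc(f)) != EOF)
        nonblank = (c != ' ' && c != '\t' && c != '\r' && c != '\n');
    fclose(f);
    return nonblank;
}

/* Names via libc readdir(): the path a preload hook can filter. -1 on error. */
long list_via_readdir(const char *dir, char **names)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    long n = 0;
    struct dirent *e;
    while (n < MAX_ENTRIES && (e = readdir(d)) != NULL)
        names[n++] = copy_name(e->d_name);
    closedir(d);
    return n;
}

/* Names straight from the getdents64 syscall; libc's readdir() is never called. */
long list_via_getdents64(const char *dir, char **names)
{
    int fd = open(dir, O_RDONLY);
    if (fd < 0) return -1;
    char buf[32768];
    long n = 0, nread;
    while ((nread = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long pos = 0; pos < nread && n < MAX_ENTRIES;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + pos);
            names[n++] = copy_name(e->d_name);
            pos += e->d_reclen;
        }
    }
    close(fd);
    if (nread < 0) { free_names(names, n); return -1; }  /* e.g. ENOTDIR */
    return n;
}

/* Count names present in `full` but absent from `seen`, printing each one. */
long count_missing(char **full, long nfull, char **seen, long nseen)
{
    long missing = 0;
    for (long i = 0; i < nfull; i++) {
        int found = 0;
        for (long j = 0; j < nseen && !found; j++)
            found = (strcmp(full[i], seen[j]) == 0);
        if (!found) { printf("hidden from readdir(): %s\n", full[i]); missing++; }
    }
    return missing;
}

/* Entries of `dir` the kernel returns but readdir() does not:
 * 0 = consistent, >0 = userland hiding, -1 = directory unreadable. */
long count_hidden_entries(const char *dir)
{
    static char *via_libc[MAX_ENTRIES], *via_kernel[MAX_ENTRIES];
    long a = list_via_readdir(dir, via_libc);
    long b = list_via_getdents64(dir, via_kernel);
    long hidden = (a >= 0 && b >= 0) ? count_missing(via_kernel, b, via_libc, a) : -1;
    if (a > 0) free_names(via_libc, a);
    if (b > 0) free_names(via_kernel, b);
    return hidden;
}

/* Constructed sample (names made up): the diff a hook dropping one entry produces. */
long demo_constructed_lists(void)
{
    char *kernel_view[] = {".", "..", "httpd.log", ".example_hidden"};
    char *libc_view[]   = {".", "..", "httpd.log"};
    return count_missing(kernel_view, 4, libc_view, 3);
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/";
    if (preload_file_suspicious("/etc/ld.so.preload"))
        puts("WARNING: /etc/ld.so.preload is present and non-empty");
    long hidden = count_hidden_entries(dir);
    if (hidden < 0) { perror(dir); return 2; }
    printf("%s: %ld entries hidden from readdir()\n", dir, hidden);
    return hidden > 0;
}
```

Build it with `gcc -static` and copy the binary onto the appliance or run it from a rescue environment: a statically linked program never reads /etc/ld.so.preload, so the preload library is not loaded into it at all. Even a dynamically linked copy keeps the getdents64 path honest, because the hooks the article lists are libc wrappers rather than the syscall stub. Two caveats: since open() is among the hooked functions, the preload-file check alone can be defeated and the listing diff is the stronger signal; and the diff only catches userland hiding, not a kernel-level rootkit.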

The backdoor's main purpose is to steal credentials and give the attackers a reverse shell on the appliance, through which they can run further shell commands.

"In our investigations, GTIG observed beaconing traffic from compromised appliances, but we did not identify notable post-compromise activities," the researchers wrote. "The actor's success in hiding their tracks is largely due to OVERSTEP's capability to selectively delete log entries from httpd.log, http_request.log, and inotify.log. This anti-forensic measure, combined with a lack of shell history on disk, significantly reduces visibility into the actor's secondary objectives."