Tuesday, October 8, 2024
HomeBackdoorA Backdoor Found in U.S. Federal Government Networks

A Backdoor Found in U.S. Federal Government Networks

Published on

The U.S. federal government commission has recently detected a new backdoor on Thursday; the backdoor implemented total visibility and complete control over the agency network.

The cybersecurity researchers who have detected this backdoor have claimed that it is a “classic APT-type operation.” Threat actors can use this backdoor to have full control over the network.

However, this is very controversial, and that’s why the exact name of the federal government commission has not been disclosed. Apart from this, Avast remarked that they are trying their best to identify the kind of attacks and consequently inform the agency’s findings.

- Advertisement - EHA

Files Detected

The primary files that the security analysts detect are:-

  • Downloader
  • Decryptor

Downloader

It is the very first file that the experts have detected; this file was disguised as oci.dll (“C:\Windows\System32\oci.dll”) (Oracle Call Interface).

Here, the files contained a compressed library dubbed as NTlib by the analysts. This file is specifically used by the threat actors to check the MD5 of the hostname and later stop if it doesn’t match the one they stored.

Decryptor

It was the second file detected by the experts, and this file was also disguised as oci.dll, and this file replaced the first file that is used in the next stage of the attack.

While here, in these circumstances, the main function of this file is to decrypt and run in memory the file “SecurityHealthServer.dll.”

Evading Firewalls and Network Monitoring

After analyzing the backdoor, the security researchers concluded that it generally works by replacing a normal Windows file called “oci.dll” with two malicious ones.

This file enables the threat actors to download and execute malicious code on the targeted system. However, it is being assumed that the main motive of the attack is to bypass firewalls and network monitoring tools and solutions.

That’s why we conveyed that the earlier file is quite similar to the rcview40u.dll; it is likely that the threat actor had access to the source code of the three-year-old rcview40u.dll.

However, this backdoor attack was carried in two-stage, and its main justification was to deploy two malicious binaries that allowed the unidentified adversary to intercept internet traffic.

Not only that even it is also used to execute code of their choice and later allows the operators to take entire control over the infected systems that they attacked.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....

American Water Works Cyber Attack Impacts IT Systems

American Water Works Company, Inc., a leading provider of water and wastewater services, announced...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

19.6K+ Public Zimbra Installations Vulnerable to Code Execution Attacks – CVE-2024-45519

A critical vulnerability in Zimbra's postjournal service, identified as CVE-2024-45519, has left over 19,600...

Hackers Attacking AI Agents To Hijacking Customer Sessions

Conversational AI platforms, powered by chatbots, are witnessing a surge in malicious attacks, which...

Malicious App On Google Play Steals Cryptocurrency From Android Users

Cybercriminals have shifted their focus to mobile devices, targeting users with a malicious crypto...