According to researchers, the PRISM backdoor has been on their radar for more than 3.5 years.
Security researchers at AT&T Labs have published a report sharing details of a newly discovered cluster of Linux ELF executables with zero to low antivirus detections on VirusTotal.
Researchers noted that these executables have a modified version of the open-source backdoor PRISM, which threat actors use extensively in different campaigns.
Reportedly, the malware has been on their radar for more than 3.5 years; the oldest samples date back to November 8th, 2017. It concerns researchers that the executables are not flagged on VirusTotal, which aggregates antivirus engines that usually detect malicious URLs and files easily.
What is PRISM?
According to AT&T Labs researchers, PRISM is a simplistic, straightforward, open-source backdoor with clearly identifiable traffic, and its binaries should be relatively easy to detect. Even so, the binaries largely evaded detection, and its C&C server had been operating online for over 3.5 years.
This indicates that smaller campaigns can easily slip through virus detectors while more prominent campaigns are relatively easy to detect.
About PRISM Malware Variants
The researchers dubbed one PRISM variant WaterDrop. It uses a rather easy-to-detect user agent string, agent-waterdropx, for HTTP-based C&C communications and contacts subdomains of the waterdropx[.]com domain.
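To show how a defender would hunt for the WaterDrop indicators described above (the user agent string and the C&C domain with its subdomains), here is an added Python example; it is not code from the report, and the proxy-log format, the `find_waterdrop_hits` helper and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators named in the report: the User-Agent used by the WaterDrop
# variant and the C&C domain whose subdomains it contacts.
WATERDROP_USER_AGENT = "agent-waterdropx"
WATERDROP_C2_DOMAIN = "waterdropx.com"

# Constructed proxy-log format (not the report's):
#   <timestamp> <client-ip> "<METHOD> <url>" <status> "<User-Agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def host_matches(hostname: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; lookalikes such as
    waterdropx.com.evil.test or notwaterdropx.com do not match."""
    h = hostname.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def classify(line: str):
    """Return a hit record for a log line that carries a WaterDrop indicator."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the scan
    host = urlsplit(m["url"]).hostname or ""
    reasons = []
    if m["ua"].lower() == WATERDROP_USER_AGENT:
        reasons.append("user-agent")
    if host_matches(host, WATERDROP_C2_DOMAIN):
        reasons.append("c2-domain")
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons}


def find_waterdrop_hits(lines):
    """Scan proxy-log lines and collect every line matching an indicator."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log: only lines 2, 3 and 5 should be flagged.
SAMPLE_LOG = [
    '2021-08-10T12:00:01Z 10.0.0.5 "GET http://www.example.com/index.html" 200 "Mozilla/5.0"',
    '2021-08-10T12:00:07Z 10.0.0.12 "GET http://cmd.waterdropx.com/a" 200 "agent-waterdropx"',
    '2021-08-10T12:00:09Z 10.0.0.12 "POST http://203.0.113.5/upload" 200 "agent-waterdropx"',
    '2021-08-10T12:00:15Z 10.0.0.7 "GET http://waterdropx.com.evil.test/" 404 "curl/7.68.0"',
    '2021-08-10T12:00:20Z 10.0.0.9 "GET http://Waterdropx.COM/" 200 "Wget/1.20"',
]
```

Matching on the domain suffix rather than a substring is what keeps the lookalike host on line 4 out of the results while still catching every subdomain of the C&C domain.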
According to researchers, some samples they found were tagged PRISMv1. Researchers attributed it to the same operators because this version used the same C&C server to communicate. The notable difference was that this version introduced a child process that repeatedly queries the C&C server for commands to execute.
“The threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online,” researchers wrote in their blog post.
PRISMv2.2 and v3 were also discovered. Reportedly, PRISMv2.2 introduced XOR encryption of strings such as the BASH command strings to hide sensitive data, while PRISMv3 worked similarly with just one exception: its clients included a bot ID for identification.
However, researchers stated that the original PRISM backdoor was used without any modifications in most of the attacks.
“This fact, combined with the open-source nature of the backdoor, impedes us from properly tracking the actor(s) activity,” the report read.