asane

The Sophos Firewall hack on the government network used an entirely new custom malware program

Online Niel November 7, 2024

Security researchers at the UK’s NCSC share more details about the tools used in Pacific Rim
Pygmy Goat is a competent backdoor, probably used by the Chinese
Even the FBI is asking for help identifying scammers

Over the past five years, the Chinese have targeted high-end devices belonging to government agencies and departments in the US and elsewhere in the West in a operation named “Pacific Rim” – and now we have more details about the tools they used and what they allowed the attackers to do.

Pacific Rim primarily targeted Sophos XG firewalls for cyber espionage and data exfiltration, and was most likely driven by several Chinese-speaking threat actors, including the infamous Volt Typhoon.

In late October 2024, the UK’s National Cyber Security Center (NCSC) published a report claiming that a new Linux malware called the “Pygmy Goat” was used in these attacks. “Pygmy Goat is a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor access to the device,” the document’s summary reads.

Pygmy goat

Being a sophisticated network malware, Pygmy Goat was able to disguise malicious traffic as legitimate Secure Shell (SSH) connections and thus avoid detection. In addition, it allowed covert communication via encrypted Internet Control Message Protocol (ICMP) packets, adding an additional layer of obfuscation. In terms of its capabilities, Pygmy Goat gave its attackers persistent remote access and control, allowing them to covertly manipulate infected devices and potentially compromise the wider network infrastructure.

Technical details about the code, infections and more, can be found in the paper Here.

Although the document does not discuss the threat actors using Pymgy Goat, BleepingComputer recalls that the techniques, tactics, and procedures (TTP) align with those of a malware called “Castletap” that has been used by Chinese state-sponsored groups. Sophos, on the other hand, said the same rootkit was used in 2022 by another Chinese group called “Tstark”.

Pacific Rim was a major hacking operation that even attracted the attention of the FBI, who recently asked the public to help them identify the attackers.

By BleepingComputer