The attack demonstrates the sophistication of Velvet Ant's techniques
Based on evidence Sygnia found on a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw to create a file containing base64-encoded content. They then issued commands to decode that content and save it to a file called ufdm.so. On Linux systems, .so files are shared object libraries that other processes load at runtime, and ufdm is the name of a legitimate file on NX-OS.
After creating their malicious library, the attackers replaced the legitimate ufdm file with curl, another legitimate Linux tool used for downloading files, and added their ufdm.so library to the LD_PRELOAD environment variable. LD_PRELOAD tells the dynamic loader to load the listed libraries before any others, so a function defined in the preloaded library takes precedence over the same function in the standard libraries. They then executed the now fake /root/ufdm process, which loaded their malicious ufdm.so library into memory.
After running a few commands to confirm that the process was running and that their implant was establishing the expected network connections, they deleted the renamed ufdm binary and the ufdm.so library from disk to cover their tracks. Because the library was already mapped into the running process, removing the files does not stop the implant; it only removes the on-disk evidence.
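The sequence above leaves two artifacts on a live Linux host even after the files are gone: a mapping in /proc/<pid>/maps whose backing file is marked "(deleted)", and the LD_PRELOAD entry that survives in /proc/<pid>/environ. The following is an added example (not code from the article or from Sygnia's report) of a small hunter for both indicators. The sample maps and environ contents, the /root/ufdm paths and the function names are constructed for illustration; the live scan at the bottom simply walks /proc on the host it runs on.

```python
"""Hunt for the LD_PRELOAD-then-unlink pattern using /proc (added example, constructed data)."""
import re
from pathlib import Path

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional pathname.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# File-backed mappings that are routinely reported as deleted on a healthy box
# (memfd and shared-memory backings); skipping them keeps the output focused.
BENIGN_DELETED_PREFIXES = ("/memfd:", "/dev/")


def deleted_mappings(maps_text):
    """Return the sorted list of on-disk paths that are still mapped but have been unlinked."""
    found = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.endswith(" (deleted)"):
            continue
        path = path[: -len(" (deleted)")]
        if path.startswith(BENIGN_DELETED_PREFIXES):
            continue
        found.add(path)
    return sorted(found)


def preloaded_libraries(environ_bytes):
    """Parse a NUL-separated /proc/<pid>/environ blob and return the LD_PRELOAD entries.

    The loader accepts both ':' and whitespace as separators, so split on either.
    """
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def assess(maps_text, environ_bytes):
    """Combine the two indicators into one finding for a single process."""
    deleted = deleted_mappings(maps_text)
    preload = preloaded_libraries(environ_bytes)
    return {
        "deleted_mappings": deleted,
        "ld_preload": preload,
        "suspicious": bool(deleted) or bool(preload),
    }


# Constructed sample: a process started as /root/ufdm whose binary and preloaded
# ufdm.so have both been unlinked, with LD_PRELOAD still visible in its environment.
SAMPLE_MAPS = """\
55d5c1a00000-55d5c1a1c000 r-xp 00000000 08:01 131073 /root/ufdm (deleted)
7f1e3c000000-7f1e3c004000 r-xp 00000000 08:01 262145 /root/ufdm.so (deleted)
7f1e3c004000-7f1e3c203000 ---p 00004000 08:01 262145 /root/ufdm.so (deleted)
7f1e3c400000-7f1e3c5c0000 r-xp 00000000 08:01 4133 /lib/x86_64-linux-gnu/libc.so.6
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/root/ufdm.so\0HOME=/root\0"


def scan_live_procfs():
    """Walk /proc on a real Linux host and return findings keyed by pid (needs root to read environ)."""
    results = {}
    for pid_dir in Path("/proc").glob("[0-9]*"):
        try:
            maps = (pid_dir / "maps").read_text()
            environ = (pid_dir / "environ").read_bytes()
        except OSError:
            continue
        finding = assess(maps, environ)
        if finding["suspicious"]:
            results[int(pid_dir.name)] = finding
    return results


if __name__ == "__main__":
    print(assess(SAMPLE_MAPS, SAMPLE_ENVIRON))
    for pid, finding in scan_live_procfs().items():
        print(pid, finding)
```

Reading another user's /proc/<pid>/environ requires root (or the same uid), so run the live scan with privileges; a process whose main executable is itself reported as deleted is a stronger signal than a deleted library alone, since legitimate package upgrades can briefly leave old libraries mapped.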