"Pygmy Goat" Malware Used in Sophos Firewall Attack on Government Network, Says UK’s Cyber Security Center

The UK's National Cyber Security Centre (NCSC) released an analysis of "Pygmy Goat," a sophisticated Linux malware crafted to breach Sophos XG firewall devices, which has been linked to attacks by suspected Chinese actors. According to Sophos, its recent "Pacific Rim" reports detail a five-year series of Chinese cyber attacks on network edge devices, including the use of rootkit malware that closely mimics Sophos' naming conventions. Pygmy Goat is specifically designed for advanced persistence, evasion, and remote access, showing high-level code structure and complex execution pathways. While NCSC does not attribute it to any specific actor, its techniques resemble those of the "Castletap" malware, which Mandiant associates with Chinese nation-state groups. Sophos' report also links Pygmy Goat to a Chinese actor named "Tstark," known for attacks involving CVE-2022-1040.

Pygmy Goat operates by monitoring SSH traffic for "magic bytes," a specific sequence that signals a backdoor session. Upon detection, the malware redirects the traffic to its Command and Control (C2) server through an internal Unix socket, using AES-encrypted payloads and TLS communication with a Fortinet-mimicking certificate. Once the backdoor is active, the C2 server can issue commands to open shells, capture network traffic, schedule tasks, and use reverse proxies to hide C2 traffic.

NCSC's report provides YARA and Snort rules to identify Pygmy Goat activity and advises administrators to check for unusual files such as /lib/libsophos.so and for encrypted ICMP payloads that could indicate infection.
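As an added defender-side illustration, not code from the NCSC or Sophos reports: a small Python heuristic that parses raw IPv4/ICMP packets and flags echo payloads that are neither stock ping padding nor far from maximum entropy, the kind of "encrypted ICMP payload" the advisory tells administrators to look for. The packet builder, the sample payloads, the 32-byte minimum and the 0.8 threshold are constructed assumptions for this example, not indicators taken from the report.

```python
import math
import struct
import hashlib
from collections import Counter

# Default padding sent by the Windows ping tool; used as a known-good allow list entry.
WINDOWS_PING_PADDING = b"abcdefghijklmnopqrstuvwabcdefghi"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def normalized_entropy(data: bytes) -> float:
    """Entropy relative to the maximum a payload of this length could reach (0.0 to 1.0)."""
    n = len(data)
    return shannon_entropy(data) / min(8.0, math.log2(n)) if n >= 2 else 0.0

def is_default_ping_padding(payload: bytes) -> bool:
    """True for stock padding: Linux (8-byte timestamp then 0x10,0x11,...), Windows alphabet, or single-byte fill."""
    if len(payload) >= 16 and payload[8:] == bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8)):
        return True
    return payload == WINDOWS_PING_PADDING or len(set(payload)) == 1

def icmp_payload(packet: bytes):
    """Payload after the 8-byte ICMP header of a raw IPv4 packet, or None if the packet is not ICMP."""
    if len(packet) < 20 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 8:] if len(packet) >= ihl + 8 else None

def is_suspicious_icmp(packet: bytes, min_len: int = 32, threshold: float = 0.8) -> bool:
    """Flag ICMP payloads that are long enough, not stock ping padding, and close to maximum entropy (assumed cut-offs)."""
    payload = icmp_payload(packet)
    if payload is None or len(payload) < min_len or is_default_ping_padding(payload):
        return False
    return normalized_entropy(payload) >= threshold

def build_icmp_echo(payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request; checksums are left zero because the check never validates them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

# Constructed samples: stock Linux ping, stock Windows ping, and a deterministic
# pseudo-random 64-byte blob standing in for an encrypted payload.
LINUX_PING = build_icmp_echo(b"\x00" * 8 + bytes(range(0x10, 0x10 + 48)))
WINDOWS_PING = build_icmp_echo(WINDOWS_PING_PADDING)
ENCRYPTED_LIKE = build_icmp_echo(hashlib.sha256(b"sample-1").digest() + hashlib.sha256(b"sample-2").digest())

if __name__ == "__main__":
    for name, pkt in [("linux ping", LINUX_PING), ("windows ping", WINDOWS_PING), ("high-entropy", ENCRYPTED_LIKE)]:
        print(f"{name:13s} suspicious={is_suspicious_icmp(pkt)} entropy={normalized_entropy(icmp_payload(pkt)):.2f}")
```

Entropy on short payloads is a weak signal on its own, which is why the check first discards the known-good padding patterns rather than relying on the threshold alone.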
