Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
Briefly

"The canister controller can swap the URL at any time, pushing new binaries to all infected hosts without touching the implant, which significantly complicates remediation efforts."
"Persistence is established by means of a systemd user service, which is configured to automatically start the Python backdoor after a 5-second delay if it gets terminated for some reason."
Threat actors have exploited the Trivy scanner compromise to launch follow-on attacks, resulting in the compromise of many npm packages through a self-propagating worm called CanisterWorm. The malware uses an Internet Computer Protocol (ICP) canister as a dead-drop resolver, the first known misuse of that technology for command-and-control purposes. The infection chain starts with a postinstall hook that executes a loader, which drops a Python backdoor that contacts the ICP canister to retrieve further payloads. Because the dead-drop infrastructure is decentralized, it is more resilient to takedown efforts.
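The two techniques described above, an npm lifecycle hook that runs a loader and a systemd user service that restarts a Python backdoor after a delay, are both visible on disk. The following triage helper is an added example written for this brief (it is not code from The Hacker News or from the reporting it summarizes); the package manifest and unit file it checks are constructed samples shaped after the description, not artifacts from the incident.

```python
import json
import re

# Constructed sample inputs (not from the article): a manifest with a postinstall
# hook, and a user unit that auto-restarts a Python script after 5 seconds.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {"postinstall": "node loader.js", "test": "jest"},
})
SAMPLE_UNIT = """[Unit]
Description=Session helper

[Service]
ExecStart=/usr/bin/python3 /home/user/.cache/helper.py
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
"""

# npm scripts that run automatically during `npm install` without user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_lifecycle_hooks(package_json_text: str) -> dict:
    """Return only the scripts that npm executes automatically on install."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def parse_unit(unit_text: str) -> dict:
    """Flatten a systemd unit into key=value pairs (section headers are skipped)."""
    kv = {}
    for line in unit_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";", "[")) and "=" in line:
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()
    return kv


def unit_is_suspicious(unit_text: str) -> bool:
    """Flag a unit that auto-restarts an interpreter launched from a user-writable path."""
    kv = parse_unit(unit_text)
    exe = kv.get("ExecStart", "")
    restarts = kv.get("Restart") in ("always", "on-failure")
    interpreter = re.search(r"\b(python3?|node|sh|bash)\b", exe) is not None
    user_path = re.search(r"(/home/|/tmp/|/var/tmp/|/\.cache/|/\.config/)", exe) is not None
    return restarts and interpreter and user_path
```

Run `find_lifecycle_hooks` over every `node_modules/*/package.json` and `unit_is_suspicious` over `~/.config/systemd/user/*.service` to surface candidates for manual review; both checks produce leads, not verdicts.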
Read at The Hacker News