Pygmy Goat Backdoor Planted on Hacked Sophos XG Firewall Devices
The UK’s National Cyber Security Centre (NCSC) has released detailed technical documentation on a sophisticated backdoor discovered on compromised Sophos XG firewall devices. The NCSC warned that this malware, named Pygmy Goat, was likely developed to target a wider array of Linux-based network devices beyond Sophos firewalls.
Pygmy Goat employs various stealth techniques to remain undetected and persist within systems, even masking its malicious activities as legitimate SSH connections. It also uses encrypted ICMP packets for covert communication, showcasing the expertise of a highly skilled hacking group.
While the backdoor does not use groundbreaking methods, it is carefully designed to allow controlled, on-demand interaction while seamlessly blending with standard network traffic. The NCSC noted that the code is cleanly written with well-structured, concise functions that support future expansion, and meticulous error-checking indicates it was crafted by proficient developers.
The NCSC suspects the malware’s design targets more Linux-based devices than just Sophos firewalls. It observed Pygmy Goat employing a fake certificate mimicking one from Fortinet, another major firewall provider, suggesting the malware may have initially been aimed at FortiGate devices before being adapted for Sophos systems.
The report indicates that the backdoor includes multiple methods for communication initiation, as well as two separate remote shells—a level of complexity unlikely if the malware were designed for just one type of device. Additionally, Pygmy Goat is compatible with a basic Ubuntu distribution, requiring no device-specific external libraries.
The NCSC referenced recent reports from Mandiant highlighting attacks on FortiGate devices that display tactics, techniques, and procedures (TTPs) similar to those seen in Pygmy Goat. These include the use of an encrypted ICMP packet carrying command-and-control (C2) information to initiate a reverse SSL connection.
You can read the full report here – https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.