Linux backdoor planted on company network to monitor traffic, steal data

Share this article:
The backdoor trojan, dubbed "Fokirtor," was discovered in June by Symantec researchers.
The backdoor trojan, dubbed "Fokirtor," was discovered in June by Symantec researchers.

While investigating the breach of a large internet hosting provider, researchers discovered a Linux backdoor capable of stealing login credentials from secure shell (SSH) connections.

Symantec researchers detected in June that the trojan, dubbed “Fokirtor,” was on the unnamed company's network. The May breach exposed the login credentials of customers, according to a Wednesday blog post by the security firm.

While passwords were hashed and salted by the company, Symantec revealed that by leveraging Fokirtor attackers could have accessed the encryption key that secured the organizations' internal communications.

The Fokirtor trojan targets users running the Linux operating system, an open source platform that is generally known to dispatch speedier patches given its community of tech-savvy users.  

“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” the blog post said, later adding that the trojan, instead, injected itself into the organization's SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.

On Friday, Satnam Narang, a researcher on the Symantec Security Response team, told via email that the attackers realized they would need the “sophisticated” trojan to conceal their access to the target's network.

“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote. “Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.

Franchises to get assistance on cybersecurity strategy

The National Cyber Security Alliance has teamed up with the International Franchise Association to promote cybersecurity awareness among franchise businesses in the U.S.

Bulgarian national sentenced 30 months for role in ID theft ring

Aleksi Kolarov was a vendor on, an online cybercrime marketplace that sold stolen credit and bank cards and caused millions of dollars in damages.