The OVERSTEP backdoor, written in C, is specifically designed for SonicWall SMA 100 series appliances. It injects itself into the memory of other processes via the /etc/ld.so.preload file and then hijacks standard file system functions such as open, open64, readdir, readdir64, and write. This allows it to hide its components on the system.
The backdoor’s main purpose is to steal passwords and provide attackers with a reverse shell on the system, through which they can execute additional shell commands.
“In our investigations, GTIG observed beaconing traffic from compromised appliances, but we did not identify notable post-compromise activities,” the researchers wrote. “The actor’s success in hiding their tracks is largely due to OVERSTEP’s capability to selectively delete log entries from httpd.log, http_request.log, and inotify.log. This anti-forensic measure, combined with a lack of shell history on disk, significantly reduces visibility into the actor’s secondary objectives.”