PitHook (0ed35278-4a85-4ec7-9b54-3bcf51f46fba)
PitHook, linked to UNC5325, is a backdoor that hooks the accept and accept4 functions in the web process by modifying the process's PLT. When an incoming buffer matches a predetermined magic byte sequence, it duplicates the socket and begins communicating over the Unix domain socket /data/runtime/cockpit/wd.fd. [Mandiant Cutting Edge Part 3 February 2024]
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| PitHook (0ed35278-4a85-4ec7-9b54-3bcf51f46fba) | Tidal Software | UNC5325 (be7243cb-6031-4e2a-97d9-3522c002becd) | Tidal Groups | 1 |