Listen to this Post

OpenSSL providers are modular components that extend cryptographic functionalities in OpenSSL, such as hashing, encryption, and key management. A recently discovered Linux x64 sample (SHA-256: ba9eb29a228787137945c5a05619eb85884ff15e150faaf16ef138170b288199) disguises itself as a legitimate SHA-512 provider but introduces a backdoor. This malicious provider replaces the default SHA-512 implementation, silently altering cryptographic computations without triggering traditional AV/EDR alerts.
How the Backdoor Works
- Provider Injection: The malicious `.so` file is loaded as an OpenSSL provider.
- Algorithm Substitution: Only SHA-512 is exposed, making it appear legitimate.
- Silent Manipulation: Cryptographic operations are hijacked, substituting real hashes with attacker-controlled values.
- Persistence: Survives OpenSSL updates due to modular design.
You Should Know: Detecting and Mitigating OpenSSL Provider Backdoors
Detection Commands
1. Check Loaded Providers
openssl list -providers
2. Verify Shared Library Integrity
ldd /path/to/openssl | grep provider sha256sum /path/to/suspicious_provider.so
3. Audit OpenSSL Configuration
strace -e file openssl list -providers 2>&1 | grep open
Mitigation Steps
1. Restrict Provider Loading
Allow only trusted providers export OPENSSL_MODULES=/usr/lib/ssl/trusted_providers
2. Use Static Linking
Recompile OpenSSL with `no-module` flag:
./config no-module make sudo make install
3. Monitor for Anomalies
Check for unexpected provider loads auditctl -w /usr/lib/ssl/providers/ -p rwa -k openssl_providers
Forensic Analysis
1. Extract Suspicious Provider
objdump -D malicious_provider.so > disassembly.txt strings -n 8 malicious_provider.so | grep -i "sha512"
2. YARA Rule for Detection
rule OpenSSL_Backdoor_Provider {
meta:
description = "Detects malicious OpenSSL providers"
strings:
$magic = { 7F 45 4C 46 } // ELF header
$sha512_hook = "SHA512_Init" nocase
$suspicious_func = "EVP_MD_meth_new" nocase
condition:
$magic at 0 and all of them
}
What Undercode Say
This OpenSSL provider backdoor exemplifies advanced persistence techniques that evade conventional detection. Unlike noisy C2 backdoors, it manipulates cryptographic primitives silently. Defenders must:
– Monitor `LD_PRELOAD` and `openssl.cnf` modifications.
– Enforce code-signing for providers.
– Use tools like THOR Scanner or Falcon for weak signal detection.
Expected Output
Sample output of `openssl list -providers` Providers: default name: OpenSSL Default Provider evil name: Malicious SHA-512 Provider <-- RED FLAG
Prediction
Such backdoors will proliferate in supply-chain attacks, targeting cloud-native apps and containerized environments. Future variants may exploit QUIC/TLS 1.3 providers for broader impact.
References:
IT/Security Reporter URL:
Reported By: Floroth Malwareanalysis – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


