A sophisticated backdoor malware aimed at Internet of Things devices has emerged, utilizing advanced communication strategies to ensure continuous access to breached systems.

The PolarEdge backdoor, initially discovered in January 2025, signifies a substantial advancement in IoT-related threats, employing a unique TLS server configuration and proprietary binary protocol for command and control functions.

This malware first appeared through the exploitation of CVE-2023-20118, a flaw in Cisco routers that allows for remote code execution.

Malefactors took advantage of this vulnerability to install web shells on targeted routers, thereby establishing initial footholds for the delivery of subsequent payloads.

The sequence of the attack incorporates downloading and executing a shell script named “q” via FTP, which then fetches and initiates the PolarEdge backdoor on compromised devices.

PolarEdge showcases impressive adaptability in its choice of targets, with variants identified that explicitly aimed at Asus, QNAP, and Synology network appliances.


google

The intricate design of the malware indicates deliberate development intended to secure a long-term presence within network infrastructure components.

Its deployment patterns reveal organized campaigns originating from various IP addresses in multiple nations, all employing identical User-Agent HTTP headers during attempted exploitations.

Sekoia analysts discovered the intricate architecture of the malware during an exhaustive reverse engineering evaluation, uncovering a 1.6 MB ELF 64-bit executable that utilizes numerous operational modes.

PolarEdge Backdoor configuration (Source – Sekoia)

The backdoor primarily operates as a TLS server, awaiting incoming commands while concurrently communicating with command and control infrastructure through daily fingerprinting tasks.

Advanced TLS Implementation and Communication Protocol

The most distinctive attribute of the PolarEdge backdoor lies in its custom TLS server configuration developed using the mbedTLS v2.8.0 library.

This method marks a departure from traditional malware communication practices, offering encrypted channels that closely mimic legitimate network traffic.

The TLS implementation utilizes various certificates, including leaf certificates and certificate authority chains, forming a credible-looking encrypted communication structure.

Section decryption algorithm (Source – Sekoia)

The malware employs a proprietary binary protocol functioning over the TLS connection, utilizing hardcoded tokens embedded within the executable’s data segments.

This protocol necessitates specific magic values for the validation of requests, encompassing tokens contained within the malware’s configuration as well as others codified within the binary.

Command execution occurs when incoming requests contain the ASCII character “1” in the HasCommand field, followed by a two-byte length specification and the actual command string.
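As an added example (not Sekoia's code or the malware's own), the decoder below shows how an analyst could walk a decrypted session capture using the framing described above: a magic token, a one-byte HasCommand flag that must be ASCII "1", a two-byte length, then the command string. The token value, field order, big-endian length and the shape of a no-command frame are assumptions for illustration, since the page gives only the HasCommand/length/command sequence.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder token (assumption); the real magic values sit in the sample's data segment.
ASSUMED_TOKEN = b"TOKN"
HEADER_LEN = len(ASSUMED_TOKEN) + 1 + 2  # token + HasCommand byte + 2-byte length

class FrameError(ValueError): pass

@dataclass
class Frame:
    has_command: bool
    command: Optional[bytes]  # None when HasCommand is not "1"
    consumed: int             # bytes this frame occupied in the buffer

def decode_frame(buf: bytes) -> Frame:
    """Decode one request frame from the start of a decrypted buffer; fail closed."""
    if len(buf) < HEADER_LEN:
        raise FrameError("truncated header")
    if buf[:4] != ASSUMED_TOKEN:
        raise FrameError("magic token mismatch")
    flag = buf[4:5]
    (length,) = struct.unpack(">H", buf[5:7])  # big-endian length (assumption)
    if flag != b"1":
        # Assumption: a frame without a command carries no payload after the header.
        return Frame(False, None, HEADER_LEN)
    end = HEADER_LEN + length
    if len(buf) < end:
        raise FrameError(f"declared length {length} exceeds buffer")
    return Frame(True, buf[HEADER_LEN:end], end)

def decode_session(data: bytes) -> Tuple[List[bytes], Optional[str]]:
    """Return (commands, error): error names the first framing problem, else None."""
    commands, pos = [], 0
    while pos < len(data):
        try:
            frame = decode_frame(data[pos:])
        except FrameError as exc:
            return commands, f"offset {pos}: {exc}"
        if frame.has_command:
            commands.append(frame.command)
        pos += frame.consumed
    return commands, None

# Constructed sample session: one no-command frame, then one command frame.
SAMPLE = (ASSUMED_TOKEN + b"0" + struct.pack(">H", 0)
          + ASSUMED_TOKEN + b"1" + struct.pack(">H", 8) + b"uname -a")
```

Feeding a truncated or mis-tokened capture returns the commands decoded so far together with the offset of the first bad frame, which is the behaviour you want when triaging partial sandbox captures.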

Fingerprinting operations run incessantly in dedicated threads, gathering extensive system information such as local IP addresses, MAC addresses, process identifiers, and specific device details.

This information is transmitted to command and control servers utilizing HTTP GET requests with particular query string formats.

The malware constructs these requests using encrypted format strings that decode to disclose parameters like device brand, module version, and collected system identifiers.

The backdoor supports various operational modes beyond its default server function. Connect-back mode allows the malware to operate as a TLS client for file downloading, whereas debug mode enables configuration updates for command and control server addresses.

These operational modes exemplify the malware’s adaptability and the developers’ forethought regarding different deployment scenarios and maintenance necessities.

“`