A malicious library can hide among ordinary system files for years. A newly discovered Linux backdoor exploits exactly that technique to target iKuai routers. The sample arrived on VirusTotal on July 1 with zero detections. However, the file was first uploaded from Japan as early as June 8.
A detailed technical analysis of the iKuai router backdoor is available for researchers who want to examine indicators and behavioral details.
The Backdoor’s Disguise
The backdoor carries the name libjson_script.so.0. It disguises itself as a legitimate component of the OpenWrt project. References to the GWID and VERSTRING parameters in system files point directly to iKuai routers.
Both values appear in the manufacturer’s firmware. However, the researcher who performed the analysis found no confirmed infections.
How It Establishes a Foothold
Once launched, the backdoor prevents a second copy from running. It then decrypts its configuration and contacts a command-and-control server. Communication travels over HTTPS without certificate validation.
An embedded AES cipher protects all transmitted data. By default, the backdoor checks in with its server once per hour.
What Data Gets Sent to the Server
The backdoor sends several data points to the server. These include the gateway identifier, device architecture, hostname, local IP address, firmware version, process number, and working directory.
In response, the backdoor receives an encrypted task list. It also receives the interval before its next scheduled check-in.
Commands the Operators Can Run
Operators can execute shell commands and change directories. They can also download and launch additional ELF files, create scheduled jobs, and cancel them.
A dedicated command reads files up to 512 KB in size. It encodes the content in Base64, then forwards it to the command-and-control server. All operation results return as encrypted JSON messages.
How to Check Your Router for Infection
A broader search for matching indicators found no additional samples. As a result, the backdoor currently appears rare in the wild.
To check a router for infection, look for the file libjson_script.so.0 with the following SHA-256 hash:
4e6276cc400b3b9e9616d04474b64a8fa0c35375b9673ab41a92a6d5bce72d8d
Also watch for outbound connections to 47.80.111[.]129:7380. Additionally, look for the unknown file at /usr/share/misc/.runlevel.cache.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.