Update: New Nginx Backdoor Threat Alert
September 8, 2020
Overview
This is an updated advisory. For details, please see “Verification Method”-“Local Verification”.
On July 16, 2020, Beijing time, a competitor published an article stating that it had recently captured a new Nginx backdoor that could bypass antivirus software. At the time this advisory was released, the backdoor had not been detected by any antivirus software on VT.
According to analysis, the Nginx backdoor modifies the ngx_http_header_filter function, part of the HTTP header handling in the original Nginx, and the backdoor's author added special handling for the Cookie field. Once a request contains the string “lkfakjf”, the backdoor connects to the server address assigned by the attacker.
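The following detection sketch is an added example, not code from the original advisory or from Nginx. It assumes the trigger string is carried in the Cookie request header and is stored as plain bytes in a tampered binary; the function names and sample requests are constructed for illustration.

```python
import io

MARKER = b"lkfakjf"  # trigger string named in the advisory

def stream_contains_marker(stream, marker=MARKER, chunk_size=64 * 1024):
    """Scan a binary stream chunk by chunk, keeping an overlap so a marker
    split across two reads is still found."""
    keep = len(marker) - 1
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return False
        window = tail + chunk
        if marker in window:
            return True
        tail = window[-keep:] if keep else b""

def file_contains_marker(path, marker=MARKER):
    """Check an on-disk file, e.g. the nginx binary (path supplied by caller)."""
    with open(path, "rb") as fh:
        return stream_contains_marker(fh, marker)

def request_has_trigger(raw_request, marker=MARKER):
    """True if a Cookie header of a raw HTTP/1.x request contains the marker."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie" and marker in value:
            return True
    return False

# Constructed sample requests (not captured traffic).
BENIGN = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"
SUSPECT = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: id=lkfakjf\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, request_has_trigger(req))
    # Constructed byte blob standing in for a binary; small chunks force a split.
    blob = io.BytesIO(b"A" * 5 + MARKER + b"B" * 5)
    print("blob", stream_contains_marker(blob, chunk_size=8))
```

A hit from file_contains_marker on the installed nginx binary warrants comparing that binary against the vendor package; a miss does not prove the binary is clean, since a variant could store the string differently.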