
Researchers Find a Dozen Undocumented OpenSSH Backdoors

ESET security researchers have discovered 12 new OpenSSH backdoor families that haven’t been documented before.

The Secure Shell (SSH) network protocol allows the remote connection of computers and devices. The portable version of OpenSSH is implemented in almost all Linux distributions, and attackers looking to maintain persistence in compromised Linux servers usually backdoor the installed OpenSSH server and client. 

With the OpenSSH code freely available, it is easy for attackers to build backdoored versions, ESET explains in a recent report (PDF). Furthermore, OpenSSH allows attackers to stay undetected, while the fact that the OpenSSH daemon and client see passwords in clear text helps attackers steal credentials. 

During a hunt for in-the-wild OpenSSH backdoors (kicked off by the Windigo operation four years ago), ESET’s researchers discovered samples belonging to 21 different OpenSSH malware families, 12 of which had not been documented before.

The analyzed backdoor implementations differ in complexity and the exfiltration techniques for stolen SSH credentials are creative, the researchers say. Both cybercriminals and threat actors employ OpenSSH backdoors with similar sets of features and varying levels of complexity. 

Many of the analyzed malware samples presented similarities, being the result of modifying and recompiling the original portable OpenSSH source code. Authors always target a few critical functions for modification, ESET discovered. 

None of the discovered samples used a complex obfuscation method. Most of them log the passwords supplied by users, and almost all of them copy the stolen credentials to a local file. Nearly half of the backdoor families, however, also contain methods to push the credentials elsewhere in addition to storing them locally, and some exfiltrate them via email.

Beyond credential exfiltration, the malware operators want an easy way to connect back to the compromised machines, and they normally rely on a hardcoded password for that. The authors also Trojanize the OpenSSH daemon functions that enforce the restriction on root logins, erase their traces on the system, and bypass the logging functionality.
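Because every family described here is a recompiled ssh/sshd written over the distribution's own binary, the first check a defender wants is an integrity comparison of those paths. The script below is an added example, not code from ESET's report or the article; the file paths and the fixture it builds are constructed stand-ins, and the package-manager cross-check assumes `dpkg` or `rpm` is present.

```shell
#!/bin/sh
# Added example (not from the ESET report or the article): compare installed
# OpenSSH binaries against a baseline of known-good SHA-256 hashes.
# Baseline format is sha256sum's own: "<hash>  <path>".

# Returns 0 when every path in the baseline matches, 1 otherwise, and prints
# a MODIFIED/MISSING line for each path that does not.
check_openssh_integrity() {
    baseline="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Cross-check against the package database where one exists: an attacker who
# rewrote a hand-kept baseline cannot as easily rewrite the package metadata.
check_with_package_db() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-server openssh-client
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-server openssh-clients
    else
        echo "no dpkg/rpm found; skipping package database check"
    fi
}

# Constructed fixture (text stand-ins, not real binaries) so the check can be
# exercised offline: record a baseline, then overwrite "sshd" as a backdoor would.
make_fixture() {
    dir=$(mktemp -d)
    printf 'original sshd\n' > "$dir/sshd"
    printf 'original ssh\n'  > "$dir/ssh"
    sha256sum "$dir/sshd" "$dir/ssh" > "$dir/baseline"
    printf 'recompiled sshd with credential logger\n' > "$dir/sshd"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture)
    check_openssh_integrity "$fixture/baseline"   # prints MODIFIED .../sshd
fi
```

Run with `--demo` to see the constructed mismatch; on a real host, generate the baseline from freshly installed packages and keep it off the machine being checked.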


Among the analyzed backdoors, the security researchers singled out four that implement notable features, including Chandrila (can receive commands via the SSH password), Bonadan (cryptocurrency mining), and Kessel (includes bot functionality).

The fourth backdoor that stands out from the crowd is Kamino, which was associated with DarkLeech in 2013 but was observed several years later being used by the Carbanak gang. This could suggest that the actor shifted focus from mass-spread malware to targeted attacks.

“Since the motivation for both attacks is financial gain, this is perfectly feasible. Also, given that DarkLeech disappeared not long before Carbanak was discovered in 2014, it is not unreasonable to think that both attacks could be from the same group,” ESET says. 

However, the security researchers also point out that the groups might have employed the same person to deal with Linux servers, that they might have bought the backdoor from underground markets, or that different groups used both malware families (given that DarkLeech too was being sold on the dark web).

During their investigation, the researchers discovered that the Mimban backdoor was still active and that its operators would log in manually to compromised machines. The Borleias operators used Tor when logging in and were also in possession of the Mimban credentials, suggesting a connection between the two.

“The raw data we had for this research was mostly malware samples only, missing contextual information. Thus, it is difficult to determine the infection vector used to install these OpenSSH backdoors into systems. One thing we know is that all the backdoors we analyzed contained credential-stealing functionality. This suggests that they could spread using the stolen credentials,” the researchers note. 

ESET’s report also contains a detailed presentation of each of the 21 OpenSSH backdoor families analyzed during the investigation.

Related: Backdoor Attacks From Windigo Operation Still Active

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
