Researchers Find a Dozen Undocumented OpenSSH Backdoors

ESET security researchers have discovered 12 new OpenSSH backdoor families that haven’t been documented before.

The Secure Shell (SSH) network protocol allows the remote connection of computers and devices. The portable version of OpenSSH is implemented in almost all Linux distributions, and attackers looking to maintain persistence in compromised Linux servers usually backdoor the installed OpenSSH server and client. 

With the OpenSSH code freely available, it is easy for attackers to build backdoored versions, ESET explains in a recent report (PDF). Furthermore, OpenSSH allows attackers to stay undetected, while the fact that the OpenSSH daemon and client see passwords in clear text helps attackers steal credentials. 

During a hunt for in-the-wild OpenSSH backdoors (kicked off by the Windigo operation four years ago), ESET’s researchers discovered samples belonging to 21 different OpenSSH malware families, 12 of which had not been documented before. 

The analyzed backdoor implementations differ in complexity and the exfiltration techniques for stolen SSH credentials are creative, the researchers say. Both cybercriminals and threat actors employ OpenSSH backdoors with similar sets of features and varying levels of complexity. 

Many of the analyzed malware samples presented similarities, being the result of modifying and recompiling the original portable OpenSSH source code. Authors always target a few critical functions for modification, ESET discovered. 

None of the discovered samples used a complex method of obfuscation; most of them log the passwords supplied by users, and almost all copied the credentials to a local file. Nearly half of the backdoor families, however, also contained methods to push the credentials elsewhere in addition to storing them locally, and some would exfiltrate the credentials via email. 

In addition to credential exfiltration, the malware operators are looking into ways to easily connect back to the compromised machines, and they normally use hardcoded passwords for that. The authors also attempt to Trojanize OpenSSH daemon functions that prevent root logins, to erase traces on the system, and to bypass logging functionality. 
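Because nearly all of the analyzed backdoors are recompiled builds of portable OpenSSH, the installed sshd/ssh/scp binaries stop matching the hashes the distribution's package recorded for them. The following integrity check is an added example for defenders and is not code from the article or from ESET's report; the baseline manifest format (path to hex SHA-256) is an assumption for this example, and the three "binaries" it checks are constructed temp files rather than real OpenSSH builds. On a real host the baseline would come from the package manager (for instance the digests behind `dpkg --verify` or `rpm -V`) or from a manifest recorded at install time.

```python
"""
Added example (not from the SecurityWeek article or ESET's report).
Detects recompiled/replaced OpenSSH binaries by comparing on-disk SHA-256
digests with a known-good baseline manifest.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_binaries(baseline: Dict[str, str]) -> List[dict]:
    """
    baseline: {absolute path: expected hex sha256}  (format assumed for this example)
    Returns one finding per file that is missing or whose digest differs.
    A backdoored OpenSSH rebuild shows up as 'modified'; a deleted tool
    (some operators remove binaries they do not want admins to use) as 'missing'.
    """
    findings: List[dict] = []
    for path, expected in baseline.items():
        name = os.path.basename(path)
        if not os.path.isfile(path):
            findings.append({"name": name, "path": path, "status": "missing"})
            continue
        actual = sha256_of_file(path)
        if actual != expected:
            findings.append({
                "name": name,
                "path": path,
                "status": "modified",
                "expected": expected,
                "actual": actual,
            })
    return findings


def demo() -> List[dict]:
    """
    Constructed scenario: three fake OpenSSH binaries in a temp directory.
    'sshd' is then overwritten (simulating a trojanized rebuild) and 'scp'
    is removed, so the check should report exactly those two files.
    """
    workdir = tempfile.mkdtemp(prefix="openssh-baseline-")
    originals = {
        "sshd": b"constructed original sshd bytes",
        "ssh": b"constructed original ssh bytes",
        "scp": b"constructed original scp bytes",
    }
    baseline: Dict[str, str] = {}
    for name, data in originals.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as handle:
            handle.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()

    # Simulate what a recompiled backdoor leaves behind: a changed sshd and a missing scp.
    with open(os.path.join(workdir, "sshd"), "wb") as handle:
        handle.write(b"constructed recompiled sshd bytes")
    os.remove(os.path.join(workdir, "scp"))

    return verify_binaries(baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['status']:>8}  {finding['path']}")
```

Run it periodically (or from a file-integrity monitor) against the real `/usr/sbin/sshd`, `/usr/bin/ssh` and `/usr/bin/scp` paths with a baseline captured before the host went into service; a "modified" result on an OpenSSH binary that no package update explains is the first thing to investigate, since every family in the report relies on replacing those binaries.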

Among the analyzed backdoors, the security researchers discovered four that implement notable features, including Chandrila (can receive commands via the SSH password), Bonadan (crypto-currency mining), and Kessel (includes bot functionality). 

A fourth backdoor that stands out from the crowd is Kamino, which was associated with DarkLeech in 2013, but was observed several years later being used by the Carbanak gang. This could suggest that the actor changed their focus from mass-spread malware to targeted attacks. 

“Since the motivation for both attacks is financial gain, this is perfectly feasible. Also, given that DarkLeech disappeared not long before Carbanak was discovered in 2014, it is not unreasonable to think that both attacks could be from the same group,” ESET says. 

However, the security researchers also point out that the groups might have employed the same person to deal with Linux servers, that they might have bought the backdoor from underground markets, or that different groups used both malware families (given that DarkLeech too was being sold on the dark web).

During their investigation, the researchers discovered that the Mimban backdoor was still active and that its operators would log in manually to compromised machines. The Borleias operators used Tor when logging in and were also in the possession of the Mimban credentials, suggesting a connection between the two. 

“The raw data we had for this research was mostly malware samples only, missing contextual information. Thus, it is difficult to determine the infection vector used to install these OpenSSH backdoors into systems. One thing we know is that all the backdoors we analyzed contained credential-stealing functionality. This suggests that they could spread using the stolen credentials,” the researchers note. 

ESET’s report also contains a detailed presentation of each of the 21 OpenSSH backdoor families analyzed during the investigation.

Related: Backdoor Attacks From Windigo Operation Still Active

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
