Researchers Find a Dozen Undocumented OpenSSH Backdoors

ESET security researchers have discovered 12 new OpenSSH backdoor families that haven’t been documented before.

The Secure Shell (SSH) network protocol provides remote access to computers and devices. The portable version of OpenSSH ships with almost all Linux distributions, so attackers looking to maintain persistence on a compromised Linux server usually backdoor the installed OpenSSH server and client rather than introduce a new binary.

With the OpenSSH source code freely available, it is easy for attackers to build backdoored versions, ESET explains in a recent report (PDF). A trojanized OpenSSH binary also blends in with a legitimately installed component, which helps attackers stay undetected, and because the OpenSSH daemon and client handle user passwords in clear text before the authentication step, a modified binary can capture credentials directly.

During a hunt for in-the-wild OpenSSH backdoors (kicked off by the Windigo operation four years ago), ESET’s researchers collected samples belonging to 21 different OpenSSH malware families, 12 of which had not been documented before.

The analyzed backdoor implementations differ in complexity and the exfiltration techniques for stolen SSH credentials are creative, the researchers say. Both cybercriminals and threat actors employ OpenSSH backdoors with similar sets of features and varying levels of complexity. 

Many of the analyzed malware samples presented similarities, being the result of modifying and recompiling the original portable OpenSSH source code. Authors always target a few critical functions for modification, ESET discovered. 

None of the discovered samples used a complex method of obfuscation. Most of them log the passwords supplied by users, and almost all samples wrote the captured credentials to a local file. Nearly half of the backdoor families, however, also contained a method to push the credentials to a remote server in addition to storing them locally, and some exfiltrated the credentials via email.

In addition to credential exfiltration, the malware operators look for ways to easily connect back to the compromised machines, and they normally use a hardcoded password for that. The authors also modify the OpenSSH daemon functions that enforce restrictions on root logins, erase traces of their activity on the system, and bypass the daemon’s logging functionality.
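The traits described in the paragraphs above (a recompiled sshd that writes credentials to a local file, exfiltrates them over SMTP or to a remote host, and uses hardcoded strings for its own logging) give a defender something to look for. The added example below is not part of ESET’s report or tooling; it is a differential string triage that compares an installed OpenSSH binary against a known-good copy of the same build (for instance, the binary extracted from the distribution package) and tags only the strings the installed copy adds. The tag names, the regular expressions and the sample byte blobs are constructed for illustration.

```python
"""Differential string triage for a possibly trojanized OpenSSH binary (added example)."""
import re
from pathlib import Path

MIN_LEN = 6
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)  # printable ASCII runs

# Heuristic tags for strings that appear only in the installed copy.
# Tag names and patterns are constructed for this example, not taken from any report.
TAGS = {
    # credential log dropped under a world-writable or innocuous-looking path, or a hidden file
    "local-file": re.compile(r"^/(tmp|var/tmp|dev/shm|usr/share|etc)/|/\.[A-Za-z0-9_.-]+$"),
    # SMTP verbs or client strings compiled into a daemon that should never speak SMTP
    "smtp-exfil": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|QUIT)\b|smtp", re.I),
    # URLs or literal IPv4 addresses used for callbacks
    "network": re.compile(r"^https?://|\b\d{1,3}(\.\d{1,3}){3}\b"),
    # a format string with two %s placeholders, typical of a "user:%s pass:%s" log line
    "format-log": re.compile(r"%s.*%s"),
}


def extract_strings(blob: bytes) -> set:
    """Return the set of printable strings of at least MIN_LEN characters."""
    return {m.group().decode("ascii") for m in _STRING_RE.finditer(blob)}


def added_strings(installed: bytes, pristine: bytes) -> set:
    """Strings present in the installed binary but absent from the known-good copy."""
    return extract_strings(installed) - extract_strings(pristine)


def triage(installed: bytes, pristine: bytes) -> dict:
    """Map each suspicious added string to the list of tags it matches."""
    report = {}
    for s in sorted(added_strings(installed, pristine)):
        tags = [name for name, rx in TAGS.items() if rx.search(s)]
        if tags:
            report[s] = tags
    return report


def triage_files(installed_path: str, pristine_path: str) -> dict:
    """Convenience wrapper: e.g. triage_files('/usr/sbin/sshd', '/tmp/pkg/usr/sbin/sshd')."""
    return triage(Path(installed_path).read_bytes(), Path(pristine_path).read_bytes())


# Constructed sample blobs standing in for a pristine and a modified sshd.
SAMPLE_PRISTINE = b"\x7fELF\x02\x01\x00/var/run/sshd.pid\x00Permission denied (%s).\x00/var/empty\x00"
SAMPLE_INSTALLED = SAMPLE_PRISTINE + b"/usr/share/.sshlog\x00user:%s pass:%s\n\x00EHLO localhost\x00"

if __name__ == "__main__":
    for s, tags in triage(SAMPLE_INSTALLED, SAMPLE_PRISTINE).items():
        print(f"{s!r}: {', '.join(tags)}")
```

On a package-managed host, `rpm -V openssh-server` or `dpkg --verify openssh-server` is the quicker first check against the package’s recorded checksums; the string diff is for the case where the package database itself may have been tampered with or the binary was built from source.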

Among the analyzed backdoors, the security researchers discovered four that implement notable features, including Chandrila (can receive commands via the SSH password), Bonadan (crypto-currency mining), and Kessel (includes bot functionality). 

A fourth backdoor that stands out from the crowd is Kamino, which was associated with DarkLeech in 2013 but was observed several years later being used by the Carbanak gang. This could suggest that the actor shifted its focus from mass-spread malware to targeted attacks.

“Since the motivation for both attacks is financial gain, this is perfectly feasible. Also, given that DarkLeech disappeared not long before Carbanak was discovered in 2014, it is not unreasonable to think that both attacks could be from the same group,” ESET says. 

However, the security researchers also point out that the groups might have employed the same person to deal with Linux servers, that they might have bought the backdoor from underground markets, or that different groups used both malware families (given that DarkLeech too was being sold on the dark web).

During their investigation, the researchers discovered that the Mimban backdoor was still active and that its operators logged in manually to compromised machines. The Borleias operators used Tor when logging in and also possessed the Mimban credentials, suggesting a connection between the two.

“The raw data we had for this research was mostly malware samples only, missing contextual information. Thus, it is difficult to determine the infection vector used to install these OpenSSH backdoors into systems. One thing we know is that all the backdoors we analyzed contained credential-stealing functionality. This suggests that they could spread using the stolen credentials,” the researchers note. 

ESET’s report also contains a detailed presentation of each of the 21 OpenSSH backdoor families analyzed during the investigation.

Related: Backdoor Attacks From Windigo Operation Still Active

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
