  • April 22, 2020

Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities


A close look at the prominent malware campaigns in 2019 revealed that a growing amount of commodity malware has integrated the misuse of SSH machine identities into its attacks. Campaigns such as cryptomining, spam, adware and banking trojans targeting Windows, Unix-like systems and macOS are now equipped with SSH capabilities for credential theft, persistence and lateral movement.

In most cases, the malware added the attacker’s SSH key to the authorized_keys file on the victim’s machine, enabling the attacker to remain persistent on the device. In other cases, the malware was able to brute-force weak SSH authentication on public-facing servers, gain access to the target, and steal credentials and host information in order to move laterally across the network and infect further machines.

Some examples of successful malware campaigns that have leveraged SSH capabilities include:

  • TrickBot: Originally a banking trojan that first appeared in 2016, TrickBot has evolved into a universal crimeware solution that now primarily targets enterprise environments. TrickBot is offered as a service to criminals for various purposes, and its modules are designed for the needs of a specific criminal activity. Last year, TrickBot added SSH key-grabbing capabilities for both PuTTY (an SSH client for Microsoft Windows) and OpenSSH. In addition to targeting keys, the malware is designed to look for hostname and username information for lateral movement.
  • CryptoSink: This cryptomining campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems on both Windows and Linux platforms to mine XMR cryptocurrency. CryptoSink creates a backdoor to the targeted server by adding the attacker’s public key to the authorized_keys file on the victim’s machine.
  • Linux Worm: This worm targets vulnerable Exim mail servers on Unix-like systems to deliver Monero cryptominers. The worm creates a backdoor to the server by adding the attacker’s public key to the authorized_keys file and enabling the SSH server if it has been previously disabled.
  • Skidmap: This kernel-mode rootkit gains backdoor access to a targeted machine by adding the attacker’s public SSH key to the authorized_keys file. Skidmap uses exploits, misconfigurations, or exposure to the internet to gain root or administrative access to the system and drop cryptomining malware.

Other campaigns include Dota, Kerberods and macOS Bundlore.

Why is this important?

SSH machine identities are used to secure remote connections and automate processes and workloads within a network and in the cloud, giving privileged access to organizations’ most critical systems, including servers and databases. This makes them highly valuable to attackers.

But until recently, only the most sophisticated, well-financed Advanced Persistent Threats (APTs) used this capability, in the post-exploitation phase once they had infiltrated the network, along with red teams in their assessments. Now, it seems that there is a ‘trickle-down’ effect, where SSH capabilities are becoming part of “off-the-shelf” commodity malware.

In light of the scale of these campaigns and their distribution, what makes this “commoditization” so worrying is that when an attacker is able to backdoor or steal SSH keys for a high profile or high value target, they may monetize this access and sell it through dedicated channels back to nation state-affiliated APTs for further exploitation.

TrickBot is a prime example of this shift towards collaboration between crime gangs and nation-state APT groups. Formerly a banking trojan, TrickBot has evolved into a universal module-based crimeware used for various criminal activities, such as personal and banking information theft, distribution and delivery of ransomware, and cryptomining. SentinelOne research by Vitali Kremez showed ties between the Russian crime gang behind TrickBot and the North Korean-sponsored APT group Lazarus. The report also explained that the TrickBot framework, dubbed “Anchor Project”, was sold as a service to the group for cyberespionage and monetization. This connection is unique since it shows collaboration between a Russian crime gang and a North Korean nation-state group.

How to protect against SSH abuse?

The best defence against SSH abuse in your organization is to ensure you have complete visibility and intelligence over every authorized SSH key in the enterprise, as well as out to the cloud. However, that is just the first step: attackers may not only abuse existing machine identities, they may also insert their own SSH machine identities into target environments. Therefore, it is critical that you focus not just on the known keys, but on discovering and analysing all keys that are being used across your organization.
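One way to carry out the discovery step described above, shown as an added example that is not part of the original article: the script parses authorized_keys content, computes each key's OpenSSH-style SHA256 fingerprint, and reports keys missing from an approved inventory. The function names, the inventory held as a set of fingerprints, and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """Parse one authorized_keys line; return a dict, or None if no key is found."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        ktype = tokens[i]
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        # A key blob begins with its own type name as a length-prefixed string.
        if blob.startswith(struct.pack(">I", len(ktype)) + ktype.encode()):
            return {"options": " ".join(tokens[:i]), "type": ktype,
                    "fp": fingerprint(blob), "comment": " ".join(tokens[i + 2:])}
    return None

def audit(text: str, approved: set):
    """Return (line_no, type, fingerprint, comment) for keys not in the inventory."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip comments and commented-out keys
            continue
        entry = parse_line(line)
        if entry and entry["fp"] not in approved:
            findings.append((n, entry["type"], entry["fp"], entry["comment"]))
    return findings

def sample_line(raw32: bytes, comment: str, options: str = "") -> str:
    """Build a constructed ssh-ed25519 line (sample data, not a real key)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + raw32
    return f"{options} ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

# Constructed sample file: one inventoried key with options, one unknown key.
KNOWN = sample_line(b"\x01" * 32, "deploy@build01", 'command="/bin/backup --daily",no-pty')
UNKNOWN = sample_line(b"\x02" * 32, "unlabeled")
SAMPLE = "# managed keys\n" + KNOWN + "\n" + UNKNOWN + "\n"
APPROVED = {parse_line(KNOWN)["fp"]}

if __name__ == "__main__":
    print(audit(SAMPLE, APPROVED))
```

Matching on fingerprints rather than comments matters here, because the comment field is free text that anyone writing to the file controls.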

How much do you know about your organization’s SSH keys?
