ESET recently released a report listing 21 in-the-wild OpenSSH malware families reportedly targeting the portable OpenSSH used in Linux OS, out of which 12 appears to have not been documented before.
This report comes as a follow up of the ESET 2014 research “Operation Windigo”, originally focusing on Linux server-side credential stealing malware campaign with the Ebury OpenSSH backdoor at its core. The ESET group then went on to analyze other OpenSSH backdoors that were detected during the operation “Windigo” and mostly unknown to the broader security community. They were able to do so by employing the Windigo Perl script with signatures aimed at 40 different backdoors. In brief, with this script the attackers originally attempted to detect other OpenSSH backdoors before deploying the Ebury, researchers said.
Among the observed malware samples, some were found to present similarities and shared techniques and were all the result of a few critical functions’ modifications. If none of them used complex obfuscating methods, most of them log the passwords supplied by the users and almost all of them exfiltrate the data by copying the credentials to a local file. Additionally, 9 out of 21 of the backdoor families also pushed the data to a C2 server using common network ports such as port 80 (HTTP), 443 (HTTPS) and 1194 (OpenVPN), usually left open on network firewalls. Rare cases also presented data exfiltration by email.
The raw data of the research did not provide information on the infection vector used in the initial compromise. However, they shed some light on how they extended their reach. All backdoors in fact embedded the credential-stealing functionality and could spread exploiting such stolen credentials. Among the more sophisticated samples that were examined, some of the other most interesting features were the ability to receive commands through the SSH password (the Chandrila backdoor); the implementation of a crypto-mining extension (the Bonadan backdoor); and a bot functionality (the Kessel backdoor). The ESET report includes a detailed feature grid for each analyzed OpenSSH backdoor family.
Proficio Threat Intelligence Recommendations:
- Since brute-force could be used in gaining access through SSH password authentication, consider utilizing long and complex passphrases; enabling key-based authentications; disabling remote root login, and using multi-factor authentication via the PAM (Pluggable Authentication Module).
- Consider blocking IP addresses attempting brute force attacks by using, for example, the Fail2ban software.
- Update IDS/IPS to take appropriate actions when triggering on the IOCs listed in the ESET report.
ESET Report – Click Here