
OpenSSH trojan campaign targets Linux systems and IoT devices

Poorly configured Linux and Internet of Things (IoT) devices are at risk of compromise from a cryptojacking campaign, according to researchers at Microsoft. The attacks, which involve brute forcing a way into a system, are designed to profit from mining in illicit fashion for cryptocurrency.

Once the attackers have broken into their target system, a patched version of OpenSSH, the widely used remote login tool, is downloaded from a remote server. When the rogue version of this tool is deployed, it backdoors the hijacked system and steals credentials so that the attackers can linger on the system for as long as possible.

As Microsoft explains:

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.

A backdoor on the system checks to see if the hijacked device is a honeypot—a fake system set up by researchers or someone else to make an attacker think that they’ve compromised a genuine system when in reality everything the attacker does is being logged.

If it determines the system is a honeypot, it exits. If it determines that the system is the real thing, it begins a process of data exfiltration to a chosen email address. The data that is taken includes:

  • Operating system version
  • Network configuration
  • The contents of /etc/passwd and /etc/shadow

Open source rootkits are installed in systems which support them, used to further hide malicious files and processes taking place under the hood. Activity records are removed from various places on the system to mask any malicious presence, and additional tools are installed to clean up other logs which could reveal evidence of sign-ins.

Years ago you’d occasionally see adware programs try to remove rivals from a PC, in order to take all of the ad revenue for their creators. Here, we have something similar happening with the cryptomining tools being used in this attack. The malware identifies rival mining processes by name and/or files, and then terminates the processes or blocks them outright. As a general point of order here, you don’t really want lots of rival programs fighting it out in your systems. It could easily lead to unstable performance. Even worse if the programs doing the fighting aren’t supposed to be there in the first place. They won’t be playing by any theoretical rules, and so you simply can’t predict what they’ll do to gain the upper hand.

Meanwhile, the patched version of OpenSSH is designed to look like the legitimate version and so may prove hard to detect. That’s not all, however. There’s botnet activity too. A portion of the install makes use of an open-source IRC bot with Distributed Denial of Service (DDoS) features.
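One defender-side check that follows from this, added here as an example and not taken from the article or from Microsoft's report: a trojanized OpenSSH that was dropped over the distribution's own binaries will no longer match the checksums recorded in the package database, and both `dpkg --verify` and `rpm -V` report that mismatch in the same nine-character status layout (a `5` in the third position means the checksum differs). The package names, the sample verification output and the file paths below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Malwarebytes article or Microsoft's report):
# flag OpenSSH files whose on-disk checksum no longer matches the package
# database, which is how a swapped-in sshd or ssh binary shows up to a defender.

# Parse verification output in the shared `rpm -V` / `dpkg --verify` layout:
# a 9-character status string, an optional attribute letter (e.g. 'c' for a
# conffile), then the path. The third character is '5' when the file's
# checksum differs from the package manifest. Prints one modified path per line.
find_modified_files() {
    awk '
        # $1 is the status field; the path is always the last field.
        substr($1, 3, 1) == "5" { print $NF }
    '
}

# Run the real verification with whatever package manager is present.
# Package names are the usual ones on Debian/Ubuntu and RHEL/Fedora (assumption).
verify_openssh_packages() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify openssh-server openssh-client 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-server openssh-clients 2>/dev/null
    else
        echo "no dpkg or rpm found; cannot verify package integrity" >&2
        return 1
    fi
}

# Constructed sample output (not real tool output): an rpm-style line for a
# replaced sshd, a dpkg-style line for an edited conffile, and an rpm-style
# line where only the mtime changed, which must NOT be flagged.
SAMPLE_VERIFY_OUTPUT='S.5....T.    /usr/sbin/sshd
??5?????? c /etc/ssh/sshd_config
.......T.    /usr/bin/ssh-keygen'

# Return 0 (true) if any path in the given verify output is checksum-modified.
has_modified_files() {
    [ -n "$(printf '%s\n' "$1" | find_modified_files)" ]
}

# With --live, inspect this host; otherwise run on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    verify_openssh_packages | find_modified_files
else
    printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | find_modified_files
fi
```

A package-database check only covers files the package manager installed; a replacement built from source and dropped into `/usr/local` or another path is invisible to it, so also compare the path of the running `sshd` with the package-owned one and compare its hash against a known-good copy from a clean install.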

Microsoft claims to have traced this particular campaign to a member of a hacking forum who offers several tools for sale in what may be a dedicated malware as a service operation. The operating system giant has some specific advice for those who may be worried about this attack impacting their business:

  • Harden internet-facing devices against attacks
  • Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
  • Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
  • Use least-privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
  • When possible, update OpenSSH to the latest version.
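The bullet points above map directly onto a few `sshd_config` keywords, and the following added example (not part of the article or of Microsoft's guidance) audits a config for the settings a brute-force campaign relies on and shows a hardened configuration beside it. It assumes standard OpenSSH keyword syntax; the two sample configs, the address `10.0.0.5` and the account name `ops-admin` are constructed.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft's guidance): a small
# sshd_config audit that reports the settings a brute-force campaign relies on,
# next to a hardened configuration that closes them.

# Effective value of a keyword: sshd uses the first occurrence, keywords are
# case-insensitive, and a missing keyword falls back to the given default.
# $1 = config file, $2 = keyword, $3 = default
sshd_option() {
    val="$(awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")"
    printf '%s\n' "${val:-$3}"
}

# Print one WEAK line per finding; return 1 if anything was found.
audit_sshd_config() {
    cfg="$1"; findings=0
    if [ "$(sshd_option "$cfg" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes lets root be brute forced directly"; findings=1
    fi
    if [ "$(sshd_option "$cfg" PasswordAuthentication yes)" = "yes" ]; then
        echo "WEAK: PasswordAuthentication yes is brute-forceable; prefer keys"; findings=1
    fi
    if [ "$(sshd_option "$cfg" ListenAddress 0.0.0.0)" = "0.0.0.0" ]; then
        echo "WEAK: sshd listens on all interfaces; bind it to the VPN/management interface"; findings=1
    fi
    if [ -z "$(sshd_option "$cfg" AllowUsers '')" ]; then
        echo "WEAK: no AllowUsers restriction; every local account is a target"; findings=1
    fi
    return $findings
}

# Constructed sample: a device shipped with vendor defaults.
WEAK_CONFIG='# constructed sample: default device config
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: the same device after applying the advice above.
HARDENED_CONFIG='# constructed sample: hardened config
ListenAddress 10.0.0.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ops-admin
MaxAuthTries 3
LoginGraceTime 20'

# Write a config string to a temp file, audit it, clean up.
audit_config_string() {
    tmp="$(mktemp)"
    printf '%s\n' "$1" > "$tmp"
    if audit_sshd_config "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

echo "== weak sample =="
audit_config_string "$WEAK_CONFIG" || true
echo "== hardened sample =="
audit_config_string "$HARDENED_CONFIG" && echo "no weak settings found"
```

Point `audit_sshd_config` at the output of `sshd -T` rather than the raw file when the host uses `Include` or `Match` blocks: `sshd -T` prints the effective, fully resolved configuration in lowercase, which the case-insensitive lookup handles.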

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.