OpenSSH Trojan Campaign Targets IoT and Linux Systems

Written by

Security researchers have discovered a sophisticated attack campaign that exploits custom and open-source tools to target Linux-based systems and Internet of Things (IoT) devices.

According to a new blog post by Microsoft, the attackers utilized a patched version of OpenSSH to gain control of compromised devices and install cryptomining malware.

Read more on this type of malware: Satacom Malware Campaign Steals Crypto Via Stealthy Browser Extension

The attack campaign involves an established criminal infrastructure that uses a subdomain belonging to a Southeast Asian financial institution as a command and control (C2) server. 

The threat actors employed a backdoor that deployed various tools, including rootkits and an IRC bot, to steal device resources for cryptocurrency mining operations.

Additionally, the backdoor installed a modified version of OpenSSH, allowing the attackers to hijack SSH credentials, move laterally within networks and conceal malicious SSH connections.

As far as the attack chain is concerned, threat actors initiated it by brute-forcing credentials on misconfigured internet-facing Linux devices.

Once compromised, they downloaded and installed the malicious OpenSSH package, which granted them persistent access and the ability to intercept SSH credentials. The modified OpenSSH version mimicked a legitimate server, making detection more challenging.

Furthermore, the backdoor deploys open-source rootkits, such as Diamorphine and Reptile, to hide its presence on the compromised systems. 

It also established communication with a remote command and control server via an IRC bot called ZiggyStarTux. This enabled the threat actors to issue commands and launch distributed denial of service (DDoS) attacks.

In its advisory, Microsoft recommended several mitigation measures to protect devices and networks against this threat. 

These include ensuring secure configurations for internet-facing devices, maintaining up-to-date firmware and patches, using secure VPN services for remote access and adopting comprehensive IoT security solutions.

The Microsoft blog post comes weeks after the company announced a new integration of OpenAI technology into its services.

What’s hot on Infosecurity Magazine?