Threat Actors Use AWS SSM Agent as a Remote Access Trojan

Written by

Threat actors have been observed using Amazon Web Services (AWS) 's System Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines. 

According to a new security report published by Mitiga today, the post-exploitation technique allows attackers to control the agent using a separate, maliciously owned AWS account, potentially enabling them to conduct various malicious activities.

AWS Systems Manager is a powerful tool designed to automate operational tasks and manage AWS resources. The SSM agent is a component that facilitates communication between the Systems Manager service and EC2 (Elastic Compute Cloud) instances or on-premises servers. 

Read more on AWS-focused attacks: Organizations Warned of New Attack Vector in Amazon Web Services

In its report, Mitiga researchers Ariel Szarf and Or Aspir said that the popularity and trust associated with the SSM agent had led attackers to misuse it for their benefit.

Since Amazon signs the SSM agent binary, it often bypasses traditional antivirus and endpoint detection systems, making it harder to detect malicious activities. 

Moreover, attackers can control the agent from their AWS accounts, making the communication appear legitimate, further evading detection.

Mitiga’s research demonstrated two potential attack scenarios. The first scenario involves hijacking the original SSM agent process and registering it with a different AWS account. The attackers then gain complete control over the compromised endpoint, with the agent functioning as a legitimate SSM agent. 

The second scenario involves running a separate SSM agent process, allowing the attacker to manipulate the endpoint while the original agent continues to function normally.

Mitiga has shared its research and findings with the AWS security team. They also offered recommendations for mitigating this threat, including reconsidering the SSM agent’s inclusion on allow lists in AV or EDR solutions and implementing detection techniques to identify instances of this threat proactively.

Editorial image credit: Tada Images /

What’s hot on Infosecurity Magazine?