In Focus: Backdoor Malware Targeting SSH Keys

A backdoor malware that targeted SSH keys previously used by the most sophisticated and well-financed threat groups has trickled down to ordinary cybercriminals as this malware is now being sold to anyone with access to the dark web, a new report showed.

“SSH keys can be potent weapons in the wrong hands,” Yana Blachman, threat intelligence specialist at Venafi, told Infosecurity. “But until recently, only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized.”

What Is SSH?

SSH, which stands for Secure Shell, is a protocol used to secure remote login from one computer to another. The SSH protocol is used for many applications across many platforms, including Linux, Apple’s macOS and Microsoft Windows.

An SSH key, meanwhile, is the credential – comparable to a username and password – used to authenticate over the SSH protocol. Unlike usernames and passwords, SSH keys can be used by system administrators to implement single sign-on.

Many organizations have accumulated SSH keys over the years, as these keys never expire. These keys grant users access to the organization’s servers, including for file transfers and configuration updates. Without controls, unaccounted-for SSH keys pose a security risk to the entire organization.

SSH Backdoor

In 2016, security researchers at ESET discovered that the BlackEnergy threat group had added an SSH backdoor to its attack arsenal. BlackEnergy is a threat group known since 2014 for using sophisticated techniques in attacks on the energy sector. The December 2015 cyber-attacks on Ukraine’s energy companies were attributed to the BlackEnergy threat group.

According to the ESET researchers, on one of the servers compromised by the BlackEnergy threat group they found an application that, at first glance, appeared to be Dropbear SSH, a legitimate piece of software developed by Matt Johnston that implements the SSH protocol. Johnston describes Dropbear SSH as “a relatively small SSH server and client” that runs on a variety of POSIX-based platforms.

The malicious version of Dropbear SSH that the BlackEnergy threat group used to compromise one of its victims’ servers, the researchers said, “will authenticate the user if the password passDs5Bu9Te7 was entered”. The same applies, the researchers said, to authentication “by key pair – the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used”.

According to the researchers, the BlackEnergy threat group used the SSH backdoor as a tool to regain access to the server in case the BlackEnergy malware was discovered and deleted. “By running SSH on the server in a compromised network, attackers can come back to the network whenever they want,” the ESET researchers said.

In March 2019, researchers at F5 Labs reported that the CryptoSink malware used its victims’ servers to illicitly mine the cryptocurrency Monero, and also backdoored the servers by adding the attacker’s SSH key. In the CryptoSink campaign, the F5 Labs researchers said, the threat actor’s public SSH key was added to the authorized_keys file on the victim machine, allowing the threat actor to connect directly to the machine over the SSH protocol.

In November 2019, researchers at Palo Alto Networks reported that the threat group behind Trickbot, a malware known for stealing system information, login credentials and other sensitive data from vulnerable Windows computers, had added a new feature: stealing SSH keys. According to the researchers, Trickbot’s old password grabber had been modified to steal SSH keys, specifically on Trickbot-infected systems with PuTTY – a network file transfer application – installed and configured to use a private key for an SSH connection to a cloud server.

Preventive and Mitigating Measures In Securing SSH Keys

Here are some of the preventive and mitigating measures in securing SSH keys:

  1. Timely Patch All Software

In the case of the Trickbot malware, the typical initial entry point for the group behind it is an unpatched Windows operating system. In the case of the CryptoSink malware, the initial entry point for the group behind it is exploitation of CVE-2014-3120, a security vulnerability in Elasticsearch systems running on both Windows and Linux platforms that allows remote attackers to execute malicious code.

In the case of the BlackEnergy threat group, researchers at ESET said that one of the initial entry points used by this group is exploitation of CVE-2014-4114, a security vulnerability in Windows operating systems that allows remote attackers to execute arbitrary code via a crafted OLE object in an Office document.

It is therefore important to apply security updates, also known as patches, in a timely manner to prevent cybercriminals from stealing SSH keys or planting their own.

  2. Regularly Audit SSH Keys

As the examples above show, threat actors not only steal SSH keys but also insert their own SSH keys on servers in compromised networks, allowing them to enter and exit as they wish. It is therefore important to audit existing SSH keys regularly in order to discover and remove malicious ones.

  3. Regularly Change SSH Keys

Regularly changing SSH keys prevents threat actors from simply coming and going as they please on servers in compromised networks.
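One way to carry out the audit in item 2 is to compare every entry in a user's authorized_keys file against an inventory of approved key fingerprints; the CryptoSink campaign described above planted its key in exactly that file, and a planted key is indistinguishable from a legitimate one without such an inventory. The script below is an added example, not code from the article or from any of the vendors it cites; it assumes OpenSSH's authorized_keys line format, and the sample file, the key blobs and the approved inventory are all constructed inline.

```python
import base64
import hashlib
import re
import struct
# One authorized_keys line: [options] key-type base64-blob [comment]
KEY_LINE = re.compile(
    r"^(?:(?P<opts>.*?)\s+)?(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")

def make_ed25519_blob(seed: int) -> str:
    """Constructed ssh-ed25519 wire blob (NOT a real key): two length-prefixed
    fields, the algorithm name and 32 arbitrary bytes standing in for the key."""
    key = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, approved: set) -> list:
    """One finding per key line: 'approved' if its fingerprint is in the inventory,
    otherwise 'unknown' (a planted key looks exactly like a legitimate one)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key
        m = KEY_LINE.match(line)
        if not m:  # not a key line either: still worth a look by a human
            findings.append({"line": lineno, "fp": None, "comment": line[:40],
                             "status": "unparseable"})
            continue
        fp = fingerprint(m["blob"])
        findings.append({"line": lineno, "fp": fp, "comment": m["comment"] or "",
                         "status": "approved" if fp in approved else "unknown"})
    return findings

# Constructed sample file: one inventoried deploy key and one key nobody approved.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy user keys",
    "ssh-ed25519 " + make_ed25519_blob(1) + " deploy@build01",
    'command="/usr/bin/rsync --server" ssh-ed25519 ' + make_ed25519_blob(2) + " backup",
])
APPROVED = {fingerprint(make_ed25519_blob(1))}  # the key inventory, constructed

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"line {f['line']:>3} {f['status']:<11} {f['fp']} {f['comment']}")
```

Run against real files by replacing SAMPLE_AUTHORIZED_KEYS with the contents of each user's ~/.ssh/authorized_keys and APPROVED with the fingerprints your inventory lists; every "unknown" finding is a key someone must explain or remove.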

For many organizations, technical tasks and threat mitigation methods require a specialized skill set. While in-house IT resources work hard to keep the lights on, our experts can help you mitigate backdoor malware threats and perform the necessary SSH key audits, significantly minimizing the risks.

Contact us today to schedule a free assessment at (416) 920-3000 or email

Protecting your organization has never been easier.
