in sshbackdors-dumont2018, it was noted that most of the OpenSSH backdoor samples observed in that report shared the same rough feature set:

- hooking functions within the ssh client and/or the sshd server to harvest credentials
- basic encryption/encoding algorithms to store the stolen credentials in a file on the local disk
- exfiltration functionality over the network
- string obfuscation with XOR and stack strings
- hard-coded passwords or keys to maintain persistence
- anti-analysis functionality to avoid logging, or to wipe attacker-related entries from logs
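A small triage helper for the "string obfuscation with XOR" item above, added here as an example and not taken from the report: it brute-forces every single-byte XOR key against a handful of credential-logging and log-wiping markers, then recovers the surrounding obfuscated string under the key that hit. The marker list, the sample buffer (a constructed blob that mimics a `.rodata` chunk with one XOR-encoded format string), the heuristic that bounds a recovered string (nonzero raw bytes that decode to printable ASCII or whitespace) and the key 0x5A are all my own assumptions for the demo.

```python
"""Find single-byte-XOR-obfuscated strings that a harvesting backdoor would need.

Added example (not code from the report). The markers and the sample blob are
constructed for the demo; a real run would hand ``scan_report`` the bytes of a
suspect ssh/sshd binary.
"""
from __future__ import annotations

# Substrings a credential-logging / log-wiping backdoor is likely to embed.
# Plain (unencoded) occurrences are left to ``strings``; key 0 is skipped below.
MARKERS = [b"user", b"pass", b"/var/log", b"utmp", b"wtmp", b"lastlog"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of ``data`` with the single-byte ``key``."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, markers=MARKERS) -> list[tuple[int, int, bytes]]:
    """Return (offset, key, marker) for every key 1..255 under which a marker appears.

    Brute force is cheap: 255 keys times a few markers, one ``bytes.find`` each.
    """
    hits: list[tuple[int, int, bytes]] = []
    for key in range(1, 256):
        for marker in markers:
            encoded = xor_bytes(marker, key)
            start = 0
            while (idx := blob.find(encoded, start)) != -1:
                hits.append((idx, key, marker))
                start = idx + 1
    return hits


def _keep(raw: int, key: int) -> bool:
    """Heuristic string boundary: raw byte is nonzero and decodes to text."""
    decoded = raw ^ key
    return raw != 0 and (0x20 <= decoded < 0x7F or decoded in (0x09, 0x0A, 0x0D))


def recover_string(blob: bytes, offset: int, key: int) -> bytes:
    """Extend from a marker hit in both directions and decode the whole string."""
    start = offset
    while start > 0 and _keep(blob[start - 1], key):
        start -= 1
    end = offset
    while end < len(blob) and _keep(blob[end], key):
        end += 1
    return xor_bytes(blob[start:end], key)


def scan_report(blob: bytes, markers=MARKERS) -> dict[int, set[bytes]]:
    """Group recovered strings by XOR key so one key with many hits stands out."""
    report: dict[int, set[bytes]] = {}
    for offset, key, _marker in find_xor_strings(blob, markers):
        report.setdefault(key, set()).add(recover_string(blob, offset, key))
    return report


# Constructed sample: plain strings around one format string XORed with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"user: %s pass: %s\n"
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"OpenSSH_7.9p1\x00"
    + xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
    + b"\x00" * 8
    + b"/usr/bin/sshd\x00"
)

if __name__ == "__main__":
    for key, strings in sorted(scan_report(SAMPLE_BLOB).items()):
        for s in sorted(strings):
            print(f"key=0x{key:02x} {s!r}")
```

Grouping by key is the useful part: a legitimate binary produces scattered one-off hits under random keys, whereas a backdoor that XORs all of its strings with one constant yields a cluster of readable strings under a single key, which is a good trigger for a closer look at that binary's hooks and its on-disk output file.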