In sshbackdors-dumont2018, the authors note that most of the OpenSSH backdoor samples observed in the report share roughly the same feature set:
- Hooking functions within the ssh client and/or sshd server to harvest credentials
- Using basic encryption or encoding algorithms to store stolen credentials in a file on the local disk
- Exfiltration functionality over the network
- String obfuscation with XOR and stack strings
- Hard-coded passwords or keys to maintain persistence
- Anti-analysis functionality to avoid logging or to wipe data related to the attacker from logs
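The XOR string obfuscation in that list is what defeats a plain `strings` pass over a suspect `sshd` or `ssh` binary: the credential log path or exfiltration host is present in the file, just not as readable bytes. The triage scanner below is an added example written for this page, not code from the report or from any of the samples it describes. It brute-forces every single-byte XOR key over a buffer, keeps runs of printable ASCII, and reports only runs that contain one of a small set of indicator substrings so that random-looking decodes do not drown the output. The sample buffer, the key `0x5A`, the two encoded strings and the indicator list are all constructed for the demonstration.

```python
"""Single-byte XOR string scanner for triaging a suspect OpenSSH binary.

Added example: brute-force every key 0x01..0xFF over a buffer, collect runs of
printable ASCII in the decoded output, and report the runs that contain an
indicator substring (paths, credential-format fragments). The buffer, key and
indicator list below are constructed for the demo, not taken from real samples.
"""

PRINTABLE = frozenset(range(0x20, 0x7F))
MIN_LEN = 8

# Constructed indicator list: substrings an analyst would expect inside the
# strings a credential-stealing sshd backdoor needs (log paths, format strings).
INDICATORS = ("/var/", "/tmp/", "ssh", "pass")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Decode `data` with a single-byte XOR key."""
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, text) for every run of >= min_len printable ASCII bytes."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, data[start:].decode("ascii")))
    return runs


def scan_xor_strings(buf: bytes, indicators=INDICATORS, min_len: int = MIN_LEN):
    """Return (key, offset, text) for every decoded run containing an indicator.

    Key 0 is skipped on purpose: unobfuscated strings are already visible to
    `strings` and are not what this pass is looking for.
    """
    hits = []
    for key in range(1, 256):
        for off, text in printable_runs(xor_bytes(buf, key), min_len):
            if any(ind in text for ind in indicators):
                hits.append((key, off, text))
    return hits


# --- Constructed sample: a fake ELF-like blob carrying two XOR-encoded strings ---
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = (b"/var/tmp/.sshd_log", b"user=%s pass=%s host=%s")
SEP = bytes([SAMPLE_KEY])  # decodes to NUL under SAMPLE_KEY, terminating each run
SAMPLE = (
    b"\x7fELF" + b"\x00" * 16
    + SEP + xor_bytes(SAMPLE_STRINGS[0], SAMPLE_KEY)
    + SEP + xor_bytes(SAMPLE_STRINGS[1], SAMPLE_KEY)
    + SEP + b"\x00" * 8
)


def recovered_strings(buf: bytes = SAMPLE):
    """Convenience wrapper: the decoded indicator-bearing strings found in `buf`."""
    return [text for _, _, text in scan_xor_strings(buf)]


if __name__ == "__main__":
    for key, off, text in scan_xor_strings(SAMPLE):
        print(f"key=0x{key:02x} offset={off:#06x} {text!r}")
```

On a real binary you would read the file into `buf` and lower `MIN_LEN` or widen `INDICATORS` as the case requires; the key-0 skip and the indicator filter are the two choices that keep the output short enough to read, at the cost of missing strings that match neither list. Stack strings (built one character at a time in code) do not show up in this pass at all, which is why the report lists them as a separate obfuscation technique.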