Common features of SSH malware:
code reuse
Many samples are modified open source tools.
obfuscation: stack strings, xor encryption, UPX, ADD/SUB, …
obfuscation may be used to prevent casual malware analysis
credential theft: log credentials entered into SSH clients or servers to provide the attacker with additional access.
hooking of authentication and logging functions.
Common targets on OpenSSH clients
userauth_password, ssh_askpass, try_challenge_response_authentication, input_userauth_info_req, input_userauth_passwd_changereq
Common targets on OpenSSH servers
auth_password, sshpam_respond, sys_auth_passwd, sshpam_auth_passwd, server_listen
Common targets for log hooking
do_log, record_login, record_logout, auth_log, login_write, do_pam_session, sshpam_cleanup, sshpam_auth_passwd, log_facility_number, debug, verbose, logit, error, ssh_userauth2
logging credentials to a local file
disadvantage: attacker must return to harvest credentials
advantage: easy to implement
use paths and filenames that blend in with the file system
use . prefix to hide files
sometimes the logs are encrypted
This is often done using simple or easy to implement algorithms.
Sometimes the logs are stored in plain text.
Often, toolkits include decryption tools; these should be signatured, as their presence or execution indicates an attacker accessing stolen data.
credential exfiltration
Not as common as simple local logging.
advantage: does not require the attacker to return to collect a local log file.
may use common ports or protocols to blend in
may implement their own scheme to encrypt or encode data
rarely done using email and the ‘mail’ command
DNS used for exfiltration in Kessel malware
hard-coded credentials and c2 settings
malware may include hard-coded passwords, keys, IP addresses, c2 configuration, and other sensitive or revealing information.
writing config extractors is possible in many cases.
sometimes passwords are hashed using crypt(), bcrypt(), or MD5.
sometimes obfuscated, encoded, or encrypted to deter casual malware analysis.
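Added example, not from the original notes: a minimal config extractor of the kind described above. It brute-forces a single-byte XOR key against a constructed blob standing in for a sample's binary; the field names, the IP address, the file path and the key byte are all made up for the demonstration and would be replaced with what triage of a real family reveals.

```python
import re

# Constructed sample: an embedded config XOR-encoded with one hard-coded byte
# (0x5A here), padded with filler bytes standing in for the rest of the binary.
_PLAINTEXT_CONFIG = b"c2=203.0.113.7:4444;logfile=/usr/share/man/.cache;pass=S3cr3tBackd00r\x00"
_KEY = 0x5A
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x48\x8b\x05\xe8\x00\x00\x00\x00"
    + bytes(b ^ _KEY for b in _PLAINTEXT_CONFIG)
    + b"real_string_in_binary\x00"
)

# What a correctly decoded config looks like: the key=value pairs this (made-up)
# sample uses, plus IPv4 literals. Adjust per family after initial triage.
FIELD_RE = re.compile(rb"(c2|logfile|pass)=([^;\x00]+)")
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

def score_decoding(decoded: bytes) -> int:
    """Count config markers found in one candidate decoding."""
    return len(FIELD_RE.findall(decoded)) + len(IPV4_RE.findall(decoded))

def find_xor_key(blob: bytes):
    """Try every single-byte XOR key; return the one whose decoding scores
    highest, or None when no key produces any marker at all."""
    best_key, best_score = None, 0
    for key in range(1, 256):
        s = score_decoding(bytes(b ^ key for b in blob))
        if s > best_score:
            best_key, best_score = key, s
    return best_key

def extract_config(blob: bytes) -> dict:
    """Decode with the recovered key and return the config fields as a dict
    (empty dict when no key is found)."""
    key = find_xor_key(blob)
    if key is None:
        return {}
    decoded = bytes(b ^ key for b in blob)
    cfg = {k.decode(): v.decode() for k, v in FIELD_RE.findall(decoded)}
    cfg["xor_key"] = f"0x{key:02x}"
    return cfg

if __name__ == "__main__":
    print(extract_config(SAMPLE_BLOB))
```

The recovered key and fields are exactly the artefacts worth turning into signatures and blocklist entries for the family being analysed.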
override sshd settings
malware may override sshd settings such as PermitRootLogin or DenyUsers, allowing the attacker access regardless of the system’s configuration.
log tampering
may unset or reconfigure HISTFILE or HISTSIZE to avoid shell history logging
may hook logging-related functions to add code to avoid logging the attacker’s accesses.
toolkits may include, or be used in conjunction with, third-party log wipers.
territorial
may check for and remove rival malware or avoid security products.