malwaresshkeystospread-ssh2025

2025-11-01

Malware & Hackers Collect SSH Keys to Spread Attack

SSH.com

Unknown date 2025

https://www.ssh.com/academy/malware

Notes
SSH key
SSH
SSH malware
hackers have been abusing SSH keys since their inception
backdoor
lateral movement
provide access to important systems
penetration tester
Sony breach https://www.forbes.com/sites/thomasbrewster/2014/12/03/sony-playstation-serving-hacked-data/
Careto is the first https://en.wikipedia.org/wiki/Careto_(malware)
https://web.archive.org/web/20140221140933/http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers
https://web.archive.org/web/20140225072140/http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf
https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/
Rakos malware
https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
SSHBearDoor – backdoored dropbear sshd with hard-coded password and ssh key
BlackEnergy
https://threatpost.com/new-mask-apt-campaign-called-most-sophisticated-yet/104148
https://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-linuxunix-servers
Windigo
https://www.securityweek.com/ddos-malware-linux-distributed-ssh-brute-force-attacks/
XORDDOS
https://blog.malwaremustdie.org/2015/12/mmd-0047-2015-sshv-ssh-bruter-elf.html
eCrime
nation state
targeted attacks
used to send files and backups
private keys
foothold
root user
privilege escalation
BIOS https://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/
firmware https://blog.kaspersky.com/equation-hdd-malware/7623
virtualized rootkit – BluePill https://www.zdnet.com/article/blue-pill-the-first-effective-hypervisor-rootkit/
wiper
access to databases, email, and web services even without root
Cobalt Strike supports SSH
SSH key sold for 50 Bitcoin
“A known fact is that certain government sites receive constant attacks where various SSH keys are tried against them. The attackers are trying to pick the lock with keys they have acquired.”
evading firewalls
tunneling
port forwarding
NIST IR 7966 best practices SSH keys https://www.ssh.com/academy/compliance/nist-7966
https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7966.pdf