One of the deception campaigns I put in place for my clients is SSH credentials which lead to a decoy, and decoys which accept SSH login credentials. It helps when looking for malware such as this:
[…] Some examples of successful malware campaigns that leveraged SSH machine identities from 2019:
- TrickBot: Originally a banking trojan that first appeared in 2016, TrickBot became a flexible, universal, module-based crimeware solution that has shifted focus to enterprise environments over the years. TrickBot is offered as-a-service to criminals for various purposes and its modules are designed for the needs of a specific criminal activity. It incorporates many features from network profiling, mass data collection, and incorporation of lateral traversal exploits. Last year, TrickBot added credentials-grabbing capabilities for both PuTTY (SSH client for Microsoft) and OpenSSH. In addition to targeting credentials, the malware is designed to look for Hostname and Username information for lateral movement.
- CryptoSink: This cryptomining campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems on both Windows and Linux platforms to mine XMR cryptocurrency. CryptoSink creates a backdoor to the targeted server by adding the attacker’s public key to the authorized key file on the victim’s machine.
- Linux Worm: This worm targets vulnerable Exim mail servers on Unix-like systems to deliver Monero cryptocurrency miners. The worm creates a backdoor to the server by adding its own SSH public key and enabling the SSH server, if it is disabled.
- Skidmap: This is a kernel-mode rootkit that gains backdoor access to a targeted machine by adding the attacker’s public SSH key to the authorized key file. Skidmap uses exploits, misconfigurations, or exposure to the internet to gain root or administrative access to the system and drop cryptomining malware.
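The common thread in the CryptoSink, Linux Worm and Skidmap entries above is a foreign public key dropped into authorized_keys, so a defender's first check is to audit that file against a known-good baseline. As an added example (not code from the original post or the quoted article), here is a small Python audit that parses an authorized_keys file, fingerprints each key the way `ssh-keygen -lf` does, and reports anything not on an allow-list; the sample file, its keys and the function names are constructed for this illustration.

```python
"""Audit an authorized_keys file against an allow-list of SHA256 key fingerprints (constructed example)."""
import base64
import hashlib
import re

# Key-type token followed by the base64 blob; whatever precedes it is the options field.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64 without padding)."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """One dict per key line; fingerprint is None when the line cannot be parsed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        entry = {"line": lineno, "fingerprint": None, "options": "", "comment": ""}
        if m:
            entry["options"] = line[:m.start()].strip()
            entry["comment"] = m.group("comment") or ""
            try:
                entry["fingerprint"] = fingerprint(m.group("blob"))
            except ValueError:  # malformed base64: still reported, never trusted
                pass
        entries.append(entry)
    return entries

def find_unexpected_keys(text, trusted_fingerprints):
    """Keys missing from the allow-list, including lines that failed to parse."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in trusted_fingerprints]

def fake_ed25519_blob(seed):
    """Wire-format ed25519 public-key blob with a constant body (constructed, not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32).decode()

# Constructed sample file: two baseline keys plus one added later without a comment.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample, not captured from a real host\n"
    f"ssh-ed25519 {fake_ed25519_blob(1)} admin@workstation\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {fake_ed25519_blob(2)} backup@bastion\n'
    f"ssh-ed25519 {fake_ed25519_blob(3)}\n"
)

if __name__ == "__main__":
    trusted = {fingerprint(fake_ed25519_blob(1)), fingerprint(fake_ed25519_blob(2))}
    for e in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, trusted):
        print(f"line {e['line']}: unexpected key {e['fingerprint']} comment={e['comment']!r}")
```

Run it periodically over every user's and root's authorized_keys (and any AuthorizedKeysFile path set in sshd_config), diffing against a baseline captured when the host was built; a hit with no comment or with unexpected options is exactly the footprint the campaigns above leave behind.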