CyberSecurity news
@hivepro.com
A new malware campaign is actively abusing the PuTTY SSH client and the OpenSSH client built into Windows to establish backdoors on compromised machines. The attack relies on the popularity of, and trust placed in, these legitimate tools, turning them into vehicles for malicious activity. Because it reuses binaries that are already present and expected on the system, a "Living Off the Land Binary" (LOLBIN) tactic, the approach lets attackers evade detection by traditional security software while maintaining unauthorized remote access to and control over infected systems. This can lead to data theft, system compromise, and further malware propagation within the network.
The campaign, tracked by HivePro, involves the deployment of trojanized versions of PuTTY, a widely used free SSH client, and the abuse of the OpenSSH client integrated into Windows 10 since version 1803. Attackers use a multi-stage approach, including registry manipulation and the creation of malicious SSH configuration files, to establish persistent communication with their command-and-control infrastructure. A recent sample, disguised as "dllhost.exe," illustrates this strategy: it attempts to start the "SSHService" service and, if that fails, writes randomly chosen ports to registry keys for use in later connections.
Security experts emphasize the need for vigilance among system administrators. It is crucial to ensure that only genuine versions of PuTTY are in use and to monitor SSH traffic for suspicious activity. The integration of OpenSSH into Windows, while convenient for administrators, has also expanded the attack surface by giving malicious actors a built-in, trusted client to abuse. Understanding the tactics and techniques used in this campaign helps organizations defend against this evolving threat.
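As an added defender-side triage check, not part of the HivePro advisory or this summary, the following PowerShell script looks for the artefacts described above on a Windows host: unsigned PuTTY binaries, a service named "SSHService", SSH client config directives that can launch commands, and a dllhost.exe running from outside the Windows system directories. The search directories, config file paths and directive list are assumptions and should be adjusted to the environment.

```powershell
# Added triage script (not from the advisory). Assumptions: candidate directories,
# client config locations and the list of command-launching directives.
$findings = @()

# 1. Every putty.exe in common install/download locations should carry a valid
#    Authenticode signature; trojanized builds typically lose the vendor signature.
$searchDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:USERPROFILE", "$env:TEMP")
foreach ($dir in $searchDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter 'putty.exe' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += "Unsigned or invalid PuTTY binary: $($_.FullName) [$($sig.Status)]"
        } else {
            # Compare the signer against the publisher you expect before trusting it.
            Write-Host "Signed PuTTY: $($_.FullName) signer=$($sig.SignerCertificate.Subject)"
        }
    }
}

# 2. The service name seen in the sample. Windows' own OpenSSH services are
#    'sshd' and 'ssh-agent', so 'SSHService' is not expected on a clean host.
$svc = Get-Service -Name 'SSHService' -ErrorAction SilentlyContinue
if ($svc) {
    $svcPath = (Get-CimInstance Win32_Service -Filter "Name='SSHService'").PathName
    $findings += "Service 'SSHService' present (state=$($svc.Status)) path=$svcPath"
}

# 3. SSH client config files with directives that run local commands or proxies;
#    a planted config can turn an ordinary 'ssh' invocation into a backdoor launcher.
$configs = @("$env:USERPROFILE\.ssh\config", "$env:ProgramData\ssh\ssh_config")
foreach ($cfg in $configs) {
    if (Test-Path $cfg) {
        Select-String -Path $cfg -Pattern '^\s*(ProxyCommand|RemoteCommand|LocalCommand|PermitLocalCommand)\b' |
            ForEach-Object { $findings += "Command-capable directive in ${cfg}: $($_.Line.Trim())" }
    }
}

# 4. dllhost.exe is a legitimate Windows binary; the sample borrowed its name,
#    so flag any instance running from outside System32/SysWOW64.
Get-Process -Name 'dllhost' -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -notmatch '^C:\\Windows\\(System32|SysWOW64)\\dllhost\.exe$') {
        $findings += "dllhost.exe running from unexpected path: $($_.Path)"
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it from an elevated prompt so that process paths and the service definition can be read; a hit on any item is a lead for further investigation, not proof of compromise on its own.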
References:
- hivepro.com: HivePro Threat Advisory on UNC4034 Backdoor
- www.redhotcyber.com: When hackers come in through the back door! PuTTY and SSH abused to gain access to networks
- cyberpress.org: Hackers Exploit Free SSH Client PuTTY to Deploy Malware on Windows Systems
- gbhackers.com: Hackers Weaponize Free SSH Client PuTTY to Deliver Malware on Windows
Classification:
- HashTags: #Cybersecurity #Malware #SSH
- Company: HivePro
- Target: Windows Users
- Attacker: UNC4034
- Product: PuTTY
- Feature: LOLBIN
- Malware: Trojanized PuTTY
- Type: Malware
- Severity: Major