Skip to main content
banner image
venafi logo

Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities

Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities

ssh commodity malware campaign
April 22, 2020 | Yana Blachman

A close look at the prominent malware campaigns in 2019 revealed that an increasing number of commodity malware integrated the misuse of SSH machine identities into their attacks. Campaigns such as cryptomining, spam, adware and banking trojans targeting Windows, Unix-like and MacOS are now equipped with SSH capabilities for credential theft, persistence and lateral movement.

In most cases, the malware added the attacker’s SSH key to the authorized_keys file on the victim’s machine, enabling the attacker to remain persistent on the device. In other cases, the malware was able to brute force weak SSH authentication on public-facing servers and gain access to the target, steal credentials and host information to laterally move across the network and infect further machines.



Some examples of successful malware campaigns that have leveraged SSH capabilities include:

  • TrickBot: Originally a banking trojan that first appeared in 2016, TrickBot has evolved into a universal crimeware solution that now primarily targets enterprise environments. TrickBot is offered as-a-service to criminals for various purposes and its modules are designed for the needs of a specific criminal activity. Last year, TrickBot added SSH key-grabbing capabilities for both PuTTY (SSH client for Microsoft) and OpenSSH. In addition to targeting keys, the malware is designed to look for Hostname and Username information for lateral movement.

  • CryptoSink: This cryptomining campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems on both Windows and Linux platforms to mine XMR cryptocurrency. CryptoSink creates a backdoor to the targeted server by adding the attacker’s public key to the authorized_keys file on the victim’s machine.

  • Linux Worm: This worm targets vulnerable Exim mail servers on Unix-link systems to deliver Monero cryptominers. The worm creates a backdoor to the server by adding the attacker’s public key to the authorized_keys file and enabling the SSH server if it has been previously disabled.

  • Skidmap: This kernel-mode rootkit gains backdoor access to a targeted machine by adding the attacker’s public SSH key to the authorized_keys file. Skidmap uses exploits, misconfigurations, or exposure to the internet to gain root or administrative access to the system and drop cryptomining malware.

Other campaigns include Dota and Kerberods, and MacOS Bundlore.

Why is this important?

SSH machine identities are used to secure remote connections and automate processes and workloads within a network and in the cloud, giving privileged access to organizations’ most critical systems, including servers and databases. This makes them highly valuable to attackers.

But until recently, only the most sophisticated, well-financed Advanced Persistent Threats (APT) were using this capability in the post exploitation phase once infiltrated to the network, as well as read teams in their assessments. Now, it seems that there is a ‘trickle-down’ effect, where SSH capabilities are becoming part of “off-the-shelf” commodity malware.

In light of the scale of these campaigns and their distribution, what makes this “commoditization” so worrying is that when an attacker is able to backdoor or steal SSH keys for a high profile or high value target, they may monetize this access and sell it through dedicated channels back to nation state-affiliated APTs for further exploitation.


TrickBot is a prime example of this shift towards collaboration between crime gangs and APT (nation states) groups. Formerly a banking trojan, TrickBot has evolved into a universal module-based crimeware used for various criminal activities, such as personal and banking information theft, distribution and delivery of ransomware and cryptomining. SentinalOne research by Vitali Kremez showed ties between the Russian crime gang behind TrickBot and the North-Korean-sponsored APT group Lazarus. The report also explained that the TrickBot framework, dubbed “Anchor Project”, was sold as a service to the group for cyberespionage and monetization. This connection is unique since it shows collaboration between a Russian crime gang and a North-Korean nation state group.

How to protect against SSH abuse?

The best defence against SSH abuse in your organization is to ensure you have complete visibility and intelligence over every authorized SSH key in the enterprise, as well as out to the cloud. However, that is just the first step: attackers may not abuse only existing machine identities, they may also insert their own SSH machine identities into target environments. Therefore, it is critical that you focus not just the known keys, but on discovering and analysing all keys that are being used across your organization.

How much do you know about your organization’s SSH keys?







Related posts



Like this blog? We think you will love this.
Featured Blog

Using SSH Certificates Instead of SSH Keys

But many organizations are still unsure about the benefits of switching from SSH keys

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Yana Blachman
Yana Blachman

Yana is Threat Intelligence Specialist at Venafi and has worked in the field over the last 7 years. Yana’s expertise includes tactical and operational threat analysis, threat hunting, and Dark Web intelligence.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more