{
	"id": "662185be-b885-4626-b448-db55bb6dfc2c",
	"created_at": "2026-04-06T00:14:25.755175Z",
	"updated_at": "2026-04-10T03:34:57.316415Z",
	"deleted_at": null,
	"sha1_hash": "ee5e97c5df0c5685ba8463e8c76ab25382868e29",
	"title": "The Dark Side of the ForSSHe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 452710,
	"plain_text": "The Dark Side of the ForSSHe\r\nBy Marc-Etienne M.Léveillé\r\nArchived: 2026-04-05 16:45:41 UTC\r\nESET Research\r\nESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In\r\nthe white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the\r\nprevention, detection and remediation of such threats\r\n05 Dec 2018 • 7 min. read\r\nSSH, short for Secure SHell, is a network protocol to connect computers and devices remotely over an encrypted\r\nnetwork link. It is generally used to manage Linux servers using a text-mode console. SSH is the most common\r\nway for system administrators to manage virtual, cloud, or dedicated, rented Linux servers.\r\nThe de facto implementation, bundled in almost all Linux distributions, is the portable version of OpenSSH. A\r\npopular method used by attackers to maintain persistence on compromised Linux servers is to backdoor the\r\nOpenSSH server and client already installed. There are several reasons why creating malware based on OpenSSH\r\nis popular:\r\nIt doesn’t require a new TCP port to be opened on the compromised machine. SSH should already be there\r\nand likely reachable from the internet.\r\nhttps://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/\r\nPage 1 of 6\n\nThe OpenSSH daemon and client see passwords in clear text, providing the attacker the potential to steal\r\ncredentials.\r\nOpenSSH source code is freely available, making it easy to create a \"customized\" (backdoored) version.\r\nOpenSSH is built to make it difficult to implement a man-in-the-middle attack and snoop on its users’\r\nactivity. Attackers can leverage this to stay under the radar while they conduct their malicious activities on\r\nthe compromised server.\r\nTo better combat Linux malware threats, ESET researchers went on the hunt for in-the-wild OpenSSH backdoors,\r\nboth known and unknown. 
We started our investigation on knowledge gleaned from one of our previous research\r\nefforts, Operation Windigo. In that white paper, we described in detail Windigo’s multiple malware components\r\nand how they work together. At its core was Ebury, an OpenSSH backdoor and credential stealer that was installed\r\non tens of thousands of compromised Linux servers worldwide.\r\nSomething that wasn’t originally discussed in the Operation Windigo paper, but that ESET researchers have talked\r\nabout at conferences, is how those attackers try to detect other OpenSSH backdoors prior to deploying their own\r\n(Ebury). They use a Perl script they have developed that contains more than 40 signatures for different backdoors.\r\n@sd = gs( 'IN: %s@ \\(%s\\) ', '-B 2' );\r\n@sc = gc( 'OUT=\u003e %s@%s \\(%s\\)', '-B 1' );\r\nif ( $sd[1] =~ m|^/| or $sc[0] =~ m|^/| ) {\r\n print\r\n \"mod_sshd29: '$sd[0]':'$sd[1]':'$sd[2]'\\nmod_sshc29: '$sc[0]':'$sc[1]'\\n\";\r\n ssh_ls( $sd[1], $sc[0] );\r\n}\r\nExample signature found in Windigo Perl script to detect OpenSSH backdoor (tidied output)\r\nWhen we looked into these signatures, we quickly realized that we did not have samples matching most of the\r\nbackdoors described in the script. The malware operators actually had more knowledge and visibility into in-the-wild SSH backdoors than we did. To cope with this situation, we started hunting for the missing malware samples\r\nusing their signatures. This helped us to find samples previously unknown to the computer security industry and to\r\nreport detailed research findings.\r\nToday, ESET researchers are publishing a paper focused on 21 in-the-wild OpenSSH malware families. While\r\nsome of these backdoors have already been analyzed and documented online, no analysis of most of them was\r\navailable until now. The intent of this paper is to provide an overview of the current OpenSSH backdoor\r\nlandscape. 
It is the result of a long-term research project involving writing rules and detections, deploying custom\r\nhoneypots, classification of samples, and analysis of the different malware families.\r\nUnveiling the dark side\r\nSoon after the Windigo research, we translated the signatures from the aforementioned Perl script into YARA rules\r\n(now available on GitHub) and used them to find likely new malware samples from our various feeds. We\r\ncollected new samples for more than three years and, after filtering out false positives, obtained a few hundred\r\ntrojanized OpenSSH binaries. The analysis of this collection highlights the use of a set of common features across\r\nthe different backdoors. Two of them really stand out:\r\n18 out of the 21 families feature a credential-stealing feature, making it possible to steal passwords and/or\r\nkeys used by the trojanized OpenSSH client and server.\r\n17 out of the 21 families feature a backdoor mode, allowing the attacker a stealthy and persistent way to\r\nconnect back to the compromised machine.\r\nMore details about the common features of these OpenSSH backdoors are provided in the white paper.\r\nIn parallel with the analysis of the collected samples, we set up a custom honeypot architecture (detailed in-depth\r\nin the white paper) to extend our results. The idea was to provide (i.e. intentionally leak) credentials to the\r\nattackers using exfiltration techniques reverse-engineered from the samples. 
This would allow us to observe the\r\nbehavior of the attackers once they compromise a server, and hopefully get the most recent samples.\r\nCombining our passive hunting with the YARA ruleset and the interaction of attackers with our honeypot gives us\r\ninsight into both how active the attackers are and what their skillsets are.\r\nThis graphic sums up the OpenSSH backdoor families from this research. Some of our readers will surely have\r\nrecognized these names as corresponding to planets from the Star Wars saga. Note that they do not correspond to\r\nESET’s detection names; it is just a convenient way to identify them in our research. Their detection names and\r\nvarious IoC data are provided in the white paper and on our GitHub IoC repository.\r\nEvaluating complexity for a family could be subjective. We have tried to be as objective as possible and base our\r\nclassification on several factors, including:\r\nThe presence of an exfiltration technique – presence of C\u0026C server, network protocol, encryption in\r\ntransport or storage, etc.\r\nThe implementation of modules providing features additional to OpenSSH – additional commands,\r\ncryptocurrency mining, etc.\r\nThe use of encryption or obfuscation to make analysis more difficult.\r\nEach family has its own complete description in the full report, but the galaxy representation still gives some\r\ntakeaways:\r\nAccording to our sample set, code complexity is increasingly important for the most recent families.\r\nWe collected more samples for the older and simpler (often off-the-shelf) families. 
This can be explained\r\nby the fact that more sophisticated ones are more difficult to detect and less prevalent.\r\nVisiting some interesting planets\r\nSome of the backdoors we found aren’t particularly new or interesting from a technical point of view. There are,\r\nhowever, quite a few exceptions showing that some attackers are putting a lot of effort into maintaining their\r\nbotnets.\r\nOne of these is Kessel. Kessel stands out for its multiple methods of communicating with its C\u0026C server. It\r\nimplements HTTP, raw TCP and DNS. Besides asking for stolen credentials, the C\u0026C server also has the ability to\r\nsend additional commands such as downloading from or uploading files to the compromised machine. All\r\ncommunication with its C\u0026C server is also encrypted. It is also quite new: the C\u0026C server domain was registered\r\nin August 2018.\r\nKessel DNS exfiltration\r\nAnother such example is Kamino. From analysis of the samples, we discovered this threat has existed for a long\r\ntime and evolved, both in its obfuscation techniques and usage. It was first used by a crimeware campaign known\r\nto leverage the DarkLeech malware to redirect traffic, as documented by ESET researchers in 2013. Interestingly,\r\nit is the same backdoor that was used on attacks against Russian banks by a group called Carbanak years later, as\r\ndescribed by Group-IB. This shift from crimeware to more targeted attacks is intriguing. 
It is tempting to think\r\nboth attacks are from the same group, but it could also be explained by the original authors selling their code to\r\nmultiple crime groups.\r\nDetailed analyses of Chandrila (passing data in passwords) and Bonadan (cryptocurrency mining features) are also\r\nprovided in the white paper.\r\nMitigation and detection\r\nSince the data we analyzed were mostly malware samples taken out of their context, it is difficult to identify their\r\noriginal infection vectors. Techniques could include: using credentials stolen after a victim used a compromised\r\nSSH client, brute force or exploitation of a vulnerable service exposed by the server.\r\nAny of the mentioned attack vectors might be used in future attacks, thus all good practices aimed at preventing a\r\nsystem from being compromised should be followed:\r\nKeep the system up-to-date.\r\nFavor key-based authentication for SSH.\r\nDisable remote root login.\r\nUse a multi-factor authentication solution for SSH.\r\nESET products detect the analyzed OpenSSH backdoors as Linux/SSHDoor variants. Additionally, the YARA\r\nruleset we used can help to classify the potential samples. The paper gives more details about validating OpenSSH\r\nfiles using Linux package managers to verify the integrity of installed executables.\r\nConclusion\r\nWith this research, we hope to shed light on OpenSSH backdoors and, by extension, on Linux malware in general.\r\nAs observed through the diversity of code complexity, some attackers simply reuse available source code, while\r\nothers put real effort into their bespoke implementations. 
Moreover, the active hunt via our custom honeypot\r\nstructure shows that some attackers are still active and are very cautious when deploying their backdoors.\r\nAfter reading the paper you may feel that there is more Linux malware now than before; that this is a rising trend.\r\nWe don’t think this is necessarily the case: there has always been Linux malware but due to a lack of visibility it\r\nstays under the radar for a longer period.\r\nThere are still a lot of unanswered questions: how prevalent is each of these families? How are compromised\r\nsystems used by the attackers? Besides stealing credentials, do they use additional techniques to propagate?\r\nESET researchers believe that system administrators and malware researchers can help each other in the fight\r\nagainst server-side malware. Feel free to reach us at threatintel@eset.com if you have additional details about the\r\nbackdoors we have described (or have not described) or if you have any questions.\r\nSource: https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/"
	],
	"report_names": [
		"dark-side-of-the-forsshe"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee5e97c5df0c5685ba8463e8c76ab25382868e29.pdf",
		"text": "https://archive.orkl.eu/ee5e97c5df0c5685ba8463e8c76ab25382868e29.txt",
		"img": "https://archive.orkl.eu/ee5e97c5df0c5685ba8463e8c76ab25382868e29.jpg"
	}
}