ESET researchers examined the inner workings of 21 different Linux malware families, all operating as trojanized versions of the OpenSSH client.
Researchers noted that 12 of the families were previously undocumented, 18 had credential-stealing features and 17 featured a backdoor mode, according to the company’s “The Dark Side Of The FORSSHE: A landscape of OpenSSH backdoors” report.
In addition, researchers discovered that the SSH backdoor used by DarkLeech operators is the same one used by Carbanak a few years later. They also found that threat actors had developed a wide spectrum of complexity in their backdoor implementations, ranging from off-the-shelf malware to samples with obfuscation and custom network protocols.
The report also noted that the malware families were produced by modifying and recompiling the original portable OpenSSH source used on Linux, rather than by patching binaries in place.
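As an added defender's example (not code from the ESET report or this article), the check below does what `dpkg --verify` does by hand: it parses a package's recorded `.md5sums` manifest and compares each installed file against it, so an `ssh` binary that no longer matches what the distribution shipped is flagged. The manifest, the file contents and the package root are constructed in a temporary directory; on a real Debian-family host the manifest lives under `/var/lib/dpkg/info/openssh-client.md5sums` and the root is `/`.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg's per-package .md5sums format: '<md5>  <relative path>' per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        entries[path] = digest
    return entries


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package_files(manifest, root="/"):
    """Return [(relative path, status)] with status in {'ok', 'modified', 'missing'}."""
    results = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            results.append((rel, "missing"))
        elif md5_of(full) != expected:
            results.append((rel, "modified"))
        else:
            results.append((rel, "ok"))
    return results


def demo():
    """Constructed scenario: a fake package root where only 'ssh' was replaced."""
    root = tempfile.mkdtemp()
    genuine_ssh = b"genuine ssh client bytes (constructed)"
    genuine_scp = b"genuine scp bytes (constructed)"
    manifest_text = (
        f"{hashlib.md5(genuine_ssh).hexdigest()}  usr/bin/ssh\n"
        f"{hashlib.md5(genuine_scp).hexdigest()}  usr/bin/scp\n"
    )
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, "usr/bin/ssh"), "wb") as f:
        f.write(b"trojanized ssh client bytes (constructed)")  # differs from manifest
    with open(os.path.join(root, "usr/bin/scp"), "wb") as f:
        f.write(genuine_scp)  # untouched, matches manifest
    return dict(verify_package_files(parse_md5sums(manifest_text), root))
```

This is a first-line indicator, not proof: dpkg records MD5, and an intruder with root can rewrite the manifest as easily as the binary, so a mismatch should be confirmed against hashes fetched from the distribution's package mirror or with `rpm -V` on RPM-based systems.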
“In terms of telemetry, Linux malware suffers from limited visibility compared to other platforms,” researchers said in the report. “We hope this research helps clarify the state of in-the-wild OpenSSH backdoors and raises the right questions when securing Linux systems.”