While investigating the breach of a large internet hosting provider, researchers discovered a Linux backdoor capable of stealing login credentials from secure shell (SSH) connections.

Symantec researchers detected in June that the trojan, dubbed “Fokirtor,” was on the unnamed company's network. The May breach exposed the login credentials of customers, according to a Wednesday blog post by the security firm.

While passwords were hashed and salted by the company, Symantec revealed that by leveraging Fokirtor attackers could have accessed the encryption key that secured the organizations' internal communications.

The Fokirtor trojan targets users running the Linux operating system, an open source platform that is generally known to dispatch speedier patches given its community of tech-savvy users.  

“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” the blog post said, later adding that the trojan, instead, injected itself into the organization's SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.

On Friday, Satnam Narang, a researcher on the Symantec Security Response team, told SCMagazine.com via email that the attackers realized they would need the “sophisticated” trojan to conceal their access to the target's network.

“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote. “Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."